diff options
author | Eric Andersen <andersen@codepoet.org> | 2002-08-07 09:07:10 +0000 |
---|---|---|
committer | Eric Andersen <andersen@codepoet.org> | 2002-08-07 09:07:10 +0000 |
commit | 9d4e5cf3b7947853b6cc7d52a5c2599b18afc5e5 (patch) | |
tree | 7b2aa3a27cd6ca6060d0bc003161455e780fbcd4 /libc/inet/rpc/xdr_array.c | |
parent | 9fe81b755894fc982714657c53d1cb4be59bc161 (diff) |
Apply integer overflow security fix for "CERT Advisory CA-2002-25 Integer
Overflow In XDR Library" http://www.cert.org/advisories/CA-2002-25.html
Patch from Solar Designer <solar@openwall.com>.
Diffstat (limited to 'libc/inet/rpc/xdr_array.c')
-rw-r--r-- | libc/inet/rpc/xdr_array.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/libc/inet/rpc/xdr_array.c b/libc/inet/rpc/xdr_array.c index 406876b32..e1cfaa6a0 100644 --- a/libc/inet/rpc/xdr_array.c +++ b/libc/inet/rpc/xdr_array.c @@ -48,6 +48,7 @@ static char sccsid[] = "@(#)xdr_array.c 1.10 87/08/11 Copyr 1984 Sun Micro"; #include <string.h> #include <rpc/types.h> #include <rpc/xdr.h> +#include <limits.h> #ifdef USE_IN_LIBIO # include <wchar.h> @@ -84,7 +85,11 @@ xdr_array (xdrs, addrp, sizep, maxsize, elsize, elproc) return FALSE; } c = *sizep; - if ((c > maxsize) && (xdrs->x_op != XDR_FREE)) + /* + * XXX: Let the overflow possibly happen with XDR_FREE because mem_free() + * doesn't actually use its second argument anyway. + */ + if ((c > maxsize || c > UINT_MAX / elsize) && (xdrs->x_op != XDR_FREE)) { return FALSE; } |