summaryrefslogtreecommitdiff
path: root/libc
diff options
context:
space:
mode:
authorEric Andersen <andersen@codepoet.org>2002-08-07 09:07:10 +0000
committerEric Andersen <andersen@codepoet.org>2002-08-07 09:07:10 +0000
commit9d4e5cf3b7947853b6cc7d52a5c2599b18afc5e5 (patch)
tree7b2aa3a27cd6ca6060d0bc003161455e780fbcd4 /libc
parent9fe81b755894fc982714657c53d1cb4be59bc161 (diff)
Apply integer overflow security fix for "CERT Advisory CA-2002-25 Integer
Overflow In XDR Library" http://www.cert.org/advisories/CA-2002-25.html Patch from Solar Designer <solar@openwall.com>.
Diffstat (limited to 'libc')
-rw-r--r--libc/inet/rpc/xdr_array.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/libc/inet/rpc/xdr_array.c b/libc/inet/rpc/xdr_array.c
index 406876b32..e1cfaa6a0 100644
--- a/libc/inet/rpc/xdr_array.c
+++ b/libc/inet/rpc/xdr_array.c
@@ -48,6 +48,7 @@ static char sccsid[] = "@(#)xdr_array.c 1.10 87/08/11 Copyr 1984 Sun Micro";
#include <string.h>
#include <rpc/types.h>
#include <rpc/xdr.h>
+#include <limits.h>
#ifdef USE_IN_LIBIO
# include <wchar.h>
@@ -84,7 +85,11 @@ xdr_array (xdrs, addrp, sizep, maxsize, elsize, elproc)
return FALSE;
}
c = *sizep;
- if ((c > maxsize) && (xdrs->x_op != XDR_FREE))
+ /*
+ * XXX: Let the overflow possibly happen with XDR_FREE because mem_free()
+ * doesn't actually use its second argument anyway.
+ */
+ if ((c > maxsize || c > UINT_MAX / elsize) && (xdrs->x_op != XDR_FREE))
{
return FALSE;
}