From 9d4e5cf3b7947853b6cc7d52a5c2599b18afc5e5 Mon Sep 17 00:00:00 2001
From: Eric Andersen <andersen@codepoet.org>
Date: Wed, 7 Aug 2002 09:07:10 +0000
Subject: Apply integer overflow security fix for "CERT Advisory CA-2002-25
 Integer Overflow In XDR Library"
 http://www.cert.org/advisories/CA-2002-25.html Patch from Solar Designer
 <solar@openwall.com>.

---
 libc/inet/rpc/xdr_array.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

(limited to 'libc/inet/rpc')

diff --git a/libc/inet/rpc/xdr_array.c b/libc/inet/rpc/xdr_array.c
index 406876b32..e1cfaa6a0 100644
--- a/libc/inet/rpc/xdr_array.c
+++ b/libc/inet/rpc/xdr_array.c
@@ -48,6 +48,7 @@ static char sccsid[] = "@(#)xdr_array.c 1.10 87/08/11 Copyr 1984 Sun Micro";
 #include <string.h>
 #include <rpc/types.h>
 #include <rpc/xdr.h>
+#include <limits.h>
 
 #ifdef USE_IN_LIBIO
 # include <wchar.h>
@@ -84,7 +85,11 @@ xdr_array (xdrs, addrp, sizep, maxsize, elsize, elproc)
       return FALSE;
     }
   c = *sizep;
-  if ((c > maxsize) && (xdrs->x_op != XDR_FREE))
+  /*
+   * XXX: Let the overflow possibly happen with XDR_FREE because mem_free()
+   * doesn't actually use its second argument anyway.
+   */
+  if ((c > maxsize || c > UINT_MAX / elsize) && (xdrs->x_op != XDR_FREE))
     {
       return FALSE;
     }
-- 
cgit v1.2.3