From 9d4e5cf3b7947853b6cc7d52a5c2599b18afc5e5 Mon Sep 17 00:00:00 2001 From: Eric Andersen Date: Wed, 7 Aug 2002 09:07:10 +0000 Subject: Apply integer overflow security fix for "CERT Advisory CA-2002-25 Integer Overflow In XDR Library" http://www.cert.org/advisories/CA-2002-25.html Patch from Solar Designer . --- libc/inet/rpc/xdr_array.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'libc') diff --git a/libc/inet/rpc/xdr_array.c b/libc/inet/rpc/xdr_array.c index 406876b32..e1cfaa6a0 100644 --- a/libc/inet/rpc/xdr_array.c +++ b/libc/inet/rpc/xdr_array.c @@ -48,6 +48,7 @@ static char sccsid[] = "@(#)xdr_array.c 1.10 87/08/11 Copyr 1984 Sun Micro"; #include #include #include +#include #ifdef USE_IN_LIBIO # include @@ -84,7 +85,11 @@ xdr_array (xdrs, addrp, sizep, maxsize, elsize, elproc) return FALSE; } c = *sizep; - if ((c > maxsize) && (xdrs->x_op != XDR_FREE)) + /* + * XXX: Let the overflow possibly happen with XDR_FREE because mem_free() + * doesn't actually use its second argument anyway. + */ + if ((c > maxsize || c > UINT_MAX / elsize) && (xdrs->x_op != XDR_FREE)) { return FALSE; } -- cgit v1.2.3