Apply integer overflow security fix for "CERT Advisory CA-2002-25 Integer

Overflow In XDR Library" http://www.cert.org/advisories/CA-2002-25.html Patch from Solar Designer <solar@openwall.com>.
author: Eric Andersen <andersen@codepoet.org> 2002-08-07 09:07:10 +0000
committer: Eric Andersen <andersen@codepoet.org> 2002-08-07 09:07:10 +0000
commit: 9d4e5cf3b7947853b6cc7d52a5c2599b18afc5e5 (patch)
tree: 7b2aa3a27cd6ca6060d0bc003161455e780fbcd4 /libc/inet
parent: 9fe81b755894fc982714657c53d1cb4be59bc161 (diff)
1 files changed, 6 insertions, 1 deletions
diff --git a/libc/inet/rpc/xdr_array.c b/libc/inet/rpc/xdr_array.c
index 406876b32..e1cfaa6a0 100644
--- a/libc/inet/rpc/xdr_array.c
+++ b/libc/inet/rpc/xdr_array.c
@@ -48,6 +48,7 @@ static char sccsid[] = "@(#)xdr_array.c 1.10 87/08/11 Copyr 1984 Sun Micro";
 #include <string.h>
 #include <rpc/types.h>
 #include <rpc/xdr.h>
+#include <limits.h>
 
 #ifdef USE_IN_LIBIO
 # include <wchar.h>
@@ -84,7 +85,11 @@ xdr_array (xdrs, addrp, sizep, maxsize, elsize, elproc)
       return FALSE;
     }
   c = *sizep;
-  if ((c > maxsize) && (xdrs->x_op != XDR_FREE))
+  /*
+   * XXX: Let the overflow possibly happen with XDR_FREE because mem_free()
+   * doesn't actually use its second argument anyway.
+   */
+  if ((c > maxsize || c > UINT_MAX / elsize) && (xdrs->x_op != XDR_FREE))
     {
       return FALSE;
     }
author	Eric Andersen <andersen@codepoet.org>	2002-08-07 09:07:10 +0000
committer	Eric Andersen <andersen@codepoet.org>	2002-08-07 09:07:10 +0000
commit	9d4e5cf3b7947853b6cc7d52a5c2599b18afc5e5 (patch)
tree	7b2aa3a27cd6ca6060d0bc003161455e780fbcd4 /libc/inet
parent	9fe81b755894fc982714657c53d1cb4be59bc161 (diff)