ab6da53ab5
- Fix integer overflow in _libcap_strdup() (CVE-2023-2603) Resolves: rhbz#2210637 Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
19 lines
512 B
Diff
19 lines
512 B
Diff
--- a/libcap/cap_alloc.c 2023-06-26 18:42:42.295817583 +0200
|
|
+++ b/libcap/cap_alloc.c 2023-06-26 18:40:32.485375859 +0200
|
|
@@ -82,7 +82,14 @@
|
|
return NULL;
|
|
}
|
|
|
|
- raw_data = malloc( sizeof(__u32) + strlen(old) + 1 );
|
|
+ size_t len = strlen(old);
|
|
+ if ((len & 0x3fffffff) != len) {
|
|
+ _cap_debug("len is too long for libcap to manage");
|
|
+ errno = EINVAL;
|
|
+ return NULL;
|
|
+ }
|
|
+ len += 1 + sizeof(__u32);
|
|
+ raw_data = calloc(1, len);
|
|
if (raw_data == NULL) {
|
|
errno = ENOMEM;
|
|
return NULL;
|