libtirpc/libtirpc-0.1.7-xdr_bufferoverlow.patch

46 lines
1.0 KiB
Diff
Raw Normal View History

commit 30431c6d846eab1bc6b7a3a91a7894f3acf2680f
Author: Steve Dickson <steved@redhat.com>
Date: Thu Apr 26 14:42:16 2007 -0400
Check for buffer overflow in xdr_string.
Signed-off-by: Steve Dickson <steved@redhat.com>
diff --git a/src/xdr.c b/src/xdr.c
index 764c30f..292723b 100644
--- a/src/xdr.c
+++ b/src/xdr.c
@@ -669,6 +669,8 @@ xdr_string(xdrs, cpp, maxsize)
}
/* FALLTHROUGH */
case XDR_ENCODE:
+ if (sp == NULL)
+ return FALSE;
size = strlen(sp);
break;
case XDR_DECODE:
@@ -681,6 +683,13 @@ xdr_string(xdrs, cpp, maxsize)
return (FALSE);
}
nodesize = size + 1;
+ if (nodesize == 0) {
+ /* This means an overflow. It a bug in the caller which
+ * provided a too large maxsize but nevertheless catch it
+ * here.
+ */
+ return FALSE;
+ }
/*
* now deal with the actual bytes
@@ -688,9 +697,6 @@ xdr_string(xdrs, cpp, maxsize)
switch (xdrs->x_op) {
case XDR_DECODE:
- if (nodesize == 0) {
- return (TRUE);
- }
if (sp == NULL)
*cpp = sp = mem_alloc(nodesize);
if (sp == NULL) {