From 6794bf46b1c76c0a424940c97be3576dc2e7e9b1 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Wed, 18 Jun 2025 08:39:02 +0200
Subject: [PATCH] os: Check for integer overflow on BigRequest length
Check for another possible integer overflow once we get a complete xReq
with BigRequest.
Related to CVE-2025-49176
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Suggested-by: Peter Harris <pharris2@rocketsoftware.com>
---
os/io.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/os/io.c b/os/io.c
index e7b76b9cea..167b40a720 100644
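--- a/os/io.c
+++ b/os/io.c
@@ -394,6 +394,8 @@ ReadRequestFromClient(ClientPtr client)
 needed = get_big_req_len(request, client);
 }
 client->req_len = needed;
+ if (needed > MAXINT >> 2)
+ return -(BadLength);
 needed <<= 2;
 }
 if (gotnow < needed) {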
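Review bot: `client->req_len = needed;` still runs before the new bound check, so on the `return -(BadLength);` path the client record keeps the oversized length; unless a later reader of `req_len` depends on that, the check should come first, i.e. `if (needed > MAXINT >> 2) return -(BadLength);` followed by `client->req_len = needed;`. The test also deserves a one-line comment such as `/* reject before needed <<= 2 (units of four bytes -> bytes) can overflow */`, because its link to the shift two lines below is otherwise implicit. The declaration of `needed` is outside the hunk; if it is a signed type, a negative value coming back from `get_big_req_len()` would pass this comparison and still reach the shift, so the bound is worth confirming against the declared type. ReadRequestFromClient's body starts and ends outside the hunk.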
--
GitLab