-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Patch 0001: Fix missing varargs cleanup

The CHECK() macro may cause execution to skip down to the cleanup
tag. If this happens, it would mean that we never called va_end()
on "backup".

This patch reorganizes the code slightly to ensure that va_end()
is always called.


Patch 0002: Fix potential out-of-bounds write

If there are exactly LD_MAX_SPLITS entries resulting from this
split, the mandatory trailing NULL entry will be written to one
entry past the end of the static arrayof LD_MAX_SPLITS size.


- -- 
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk0jhegACgkQeiVVYja6o6PGlwCgnO1jSmW1VhO3kJh3C818655M
DaEAoK5b0f4VLiRkkKgMaJnGrjRoHv9+
=XJeu
-----END PGP SIGNATURE-----
From 4cc3a923c1e26ac4c286afd47df1d823920ef56b Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgall...@redhat.com>
Date: Tue, 4 Jan 2011 15:28:46 -0500
Subject: [PATCH 1/2] Fix missing varargs cleanup

The CHECK() macro may cause execution to skip down to the cleanup
tag. If this happens, it would mean that we never called va_end()
on "backup".

This patch reorganizes the code slightly to ensure that va_end()
is always called.
---
 src/str.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/str.c b/src/str.c
index b975aac7ba8c1028a71ac499dfe39530aba4e61f..611ae2028ec06d2e8e9e270eb6a6e0eaa37adcae 100644
--- a/src/str.c
+++ b/src/str.c
@@ -431,16 +431,16 @@ str_vsprintf(ld_string_t *dest, const char *format, va_list ap)
 		CHECK(str_alloc(dest, len));
 		len = vsnprintf(dest->data, dest->allocated, format, backup);
 	}
-	va_end(backup);
 
 	if (len < 0) {
 		result = ISC_R_FAILURE;
 		goto cleanup;
 	}
 
-	return ISC_R_SUCCESS;
+	result = ISC_R_SUCCESS;
 
 cleanup:
+	va_end(backup);
 	return result;
 }
 
-- 
1.7.3.4

From 93d709e47444ba38c314b4cece980a829c4f23b9 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgall...@redhat.com>
Date: Tue, 4 Jan 2011 15:33:02 -0500
Subject: [PATCH 2/2] Fix potential out-of-bounds write

If there are exactly LD_MAX_SPLITS entries resulting from this
split, the mandatory trailing NULL entry will be written to one
entry past the end of the static arrayof LD_MAX_SPLITS size.
---
 src/str.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/src/str.c b/src/str.c
index 611ae2028ec06d2e8e9e270eb6a6e0eaa37adcae..56faa12dce3c7c7bde59d947b69907b9f63d315d 100644
--- a/src/str.c
+++ b/src/str.c
@@ -570,7 +570,7 @@ str_split(const ld_string_t *src, const char delimiter, ld_split_t *split)
 	current_pos = 0;
 	save = 1;
 	for (unsigned int i = 0;
-	     i < split->allocated && current_pos < LD_MAX_SPLITS;
+	     i < split->allocated && current_pos < LD_MAX_SPLITS - 1;
 	     i++) {
 		if (save && split->data[i] != '\0') {
 			split->splits[current_pos] = split->data + i;
-- 
1.7.3.4

Attachment: 0001-Fix-missing-varargs-cleanup.patch.sig
Description: PGP signature

Attachment: 0002-Fix-potential-out-of-bounds-write.patch.sig
Description: PGP signature

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to