Author: baggins                      Date: Tue May  8 11:51:12 2007 GMT
Module: SOURCES                       Tag: HEAD
---- Log message:
- Check for buffer overflow in xdr_string.

---- Files affected:
SOURCES:
   libtirpc-xdr_string.patch (NONE -> 1.1)  (NEW)

---- Diffs:

================================================================
Index: SOURCES/libtirpc-xdr_string.patch
diff -u /dev/null SOURCES/libtirpc-xdr_string.patch:1.1
--- /dev/null   Tue May  8 13:51:12 2007
+++ SOURCES/libtirpc-xdr_string.patch   Tue May  8 13:51:07 2007
@@ -0,0 +1,37 @@
+diff --git a/src/xdr.c b/src/xdr.c
+index 764c30f..292723b 100644
+--- a/src/xdr.c
++++ b/src/xdr.c
+@@ -669,6 +669,8 @@ xdr_string(xdrs, cpp, maxsize)
+               }
+               /* FALLTHROUGH */
+       case XDR_ENCODE:
++              if (sp == NULL)
++                      return FALSE;
+               size = strlen(sp);
+               break;
+       case XDR_DECODE:
+@@ -681,6 +683,13 @@ xdr_string(xdrs, cpp, maxsize)
+               return (FALSE);
+       }
+       nodesize = size + 1;
++      if (nodesize == 0) {
++              /* This means an overflow.  It a bug in the caller which
++               * provided a too large maxsize but nevertheless catch it
++               * here.
++               */
++              return FALSE;
++      }
+ 
+       /*
+        * now deal with the actual bytes
+@@ -688,9 +697,6 @@ xdr_string(xdrs, cpp, maxsize)
+       switch (xdrs->x_op) {
+ 
+       case XDR_DECODE:
+-              if (nodesize == 0) {
+-                      return (TRUE);
+-              }
+               if (sp == NULL)
+                       *cpp = sp = mem_alloc(nodesize);
+               if (sp == NULL) {
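Review bot: The comment on the added `nodesize == 0` guard blames the caller, but on XDR_DECODE `size` appears to be read from the stream before this point, so a peer-supplied length equal to the largest u_int reaches the guard whenever the caller passes an unbounded `maxsize` (xdr_wrapstring does this, if I recall the file correctly). I would reword it to say so and fix the "It a bug" typo, e.g. `/* size + 1 wrapped to 0: the length (peer-supplied on decode) was the largest u_int; reject it instead of allocating 0 bytes. */`. The guard rejects only the one wrapping value, and any length up to `maxsize` still goes to `mem_alloc(nodesize)`, so the comment should also tell callers that `maxsize` is the only bound on a peer-driven allocation. The new `return FALSE;` lines could match the surrounding `return (FALSE);` style. xdr_string begins before and ends after these hunks, so the `size > maxsize` test and the declarations of `size` and `nodesize` are not visible here.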
================================================================