Module Name:    src
Committed By:   snj
Date:           Wed Feb  4 04:46:21 UTC 2015

Modified Files:
        src/lib/libevent [netbsd-5-1]: buffer.c

Log Message:
Apply patch (requested by spz in ticket 1947):
Fix CVE-2014-6272.


To generate a diff of this commit:
cvs rdiff -u -r1.4.4.1 -r1.4.4.1.2.1 src/lib/libevent/buffer.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/lib/libevent/buffer.c
diff -u src/lib/libevent/buffer.c:1.4.4.1 src/lib/libevent/buffer.c:1.4.4.1.2.1
--- src/lib/libevent/buffer.c:1.4.4.1	Tue Aug  4 18:32:08 2009
+++ src/lib/libevent/buffer.c	Wed Feb  4 04:46:21 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: buffer.c,v 1.4.4.1 2009/08/04 18:32:08 snj Exp $	*/
+/*	$NetBSD: buffer.c,v 1.4.4.1.2.1 2015/02/04 04:46:21 snj Exp $	*/
 /*
  * Copyright (c) 2002, 2003 Niels Provos <pro...@citi.umich.edu>
  * All rights reserved.
@@ -120,7 +120,8 @@ evbuffer_add_vprintf(struct evbuffer *bu
 	va_list aq;
 
 	/* make sure that at least some space is available */
-	evbuffer_expand(buf, 64);
+	if (evbuffer_expand(buf, 64) < 0)
+		return (-1);
 	for (;;) {
 		size_t used = buf->misalign + buf->off;
 		buffer = (char *)buf->buffer + buf->off;
@@ -233,31 +234,47 @@ evbuffer_align(struct evbuffer *buf)
 	buf->misalign = 0;
 }
 
+#ifndef SIZE_MAX
+#define SIZE_MAX ((size_t)-1)
+#endif
+
 /* Expands the available space in the event buffer to at least datlen */
 
 int
 evbuffer_expand(struct evbuffer *buf, size_t datlen)
 {
-	size_t need = buf->misalign + buf->off + datlen;
+	size_t used = buf->misalign + buf->off;
+
+	assert(buf->totallen >= used);
 
 	/* If we can fit all the data, then we don't have to do anything */
-	if (buf->totallen >= need)
+	if (buf->totallen - used >= datlen)
 		return (0);
+	/* If we would need to overflow to fit this much data, we can't
+	 * do anything. */
+	if (datlen > SIZE_MAX - buf->off)
+		return (-1);
 
 	/*
 	 * If the misalignment fulfills our data needs, we just force an
 	 * alignment to happen.  Afterwards, we have enough space.
 	 */
-	if (buf->misalign >= datlen) {
+	if (buf->totallen - buf->off >= datlen) {
 		evbuffer_align(buf);
 	} else {
 		void *newbuf;
 		size_t length = buf->totallen;
+		size_t need = buf->off + datlen;
 
 		if (length < 256)
 			length = 256;
-		while (length < need)
-			length <<= 1;
+		if (need < SIZE_MAX / 2) {
+			while (length < need) {
+				length <<= 1;
+			}
+		} else {
+			length = need;
+		}
 
 		if (buf->orig_buffer != buf->buffer)
 			evbuffer_align(buf);
@@ -274,10 +291,10 @@ evbuffer_expand(struct evbuffer *buf, si
 int
 evbuffer_add(struct evbuffer *buf, const void *data, size_t datlen)
 {
-	size_t need = buf->misalign + buf->off + datlen;
+	size_t used = buf->misalign + buf->off;
 	size_t oldoff = buf->off;
 
-	if (buf->totallen < need) {
+	if (buf->totallen - used < datlen) {
 		if (evbuffer_expand(buf, datlen) == -1)
 			return (-1);
 	}
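Review bot: `buf->totallen - used < datlen` is the same unsigned subtraction that evbuffer_expand now guards with an assert, but here it runs with no check at all, so if `totallen` were ever smaller than `misalign + off` the comparison would wrap, the expand would be skipped, and the copy that presumably follows (outside this hunk) would write past the buffer. The early test also duplicates the "fits, return 0" check at the top of evbuffer_expand; calling `if (evbuffer_expand(buf, datlen) == -1) return (-1);` unconditionally would remove the duplicate and keep the invariant in one place, at the cost of a call on the fast path. The rest of evbuffer_add is outside the hunk.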
