Module Name: src Committed By: snj Date: Wed Feb 4 04:46:21 UTC 2015
Modified Files: src/lib/libevent [netbsd-5-1]: buffer.c Log Message: Apply patch (requested by spz in ticket 1947): Fix CVE-2014-6272. To generate a diff of this commit: cvs rdiff -u -r1.4.4.1 -r1.4.4.1.2.1 src/lib/libevent/buffer.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/lib/libevent/buffer.c
diff -u src/lib/libevent/buffer.c:1.4.4.1 src/lib/libevent/buffer.c:1.4.4.1.2.1
--- src/lib/libevent/buffer.c:1.4.4.1 Tue Aug 4 18:32:08 2009
+++ src/lib/libevent/buffer.c Wed Feb 4 04:46:21 2015
@@ -1,4 +1,4 @@
-/* $NetBSD: buffer.c,v 1.4.4.1 2009/08/04 18:32:08 snj Exp $ */
+/* $NetBSD: buffer.c,v 1.4.4.1.2.1 2015/02/04 04:46:21 snj Exp $ */
 /*
 * Copyright (c) 2002, 2003 Niels Provos <pro...@citi.umich.edu>
 * All rights reserved.
@@ -120,7 +120,8 @@ evbuffer_add_vprintf(struct evbuffer *bu
 va_list aq;
 /* make sure that at least some space is available */
- evbuffer_expand(buf, 64);
+ if (evbuffer_expand(buf, 64) < 0)
+ return (-1);
 for (;;) {
 size_t used = buf->misalign + buf->off;
 buffer = (char *)buf->buffer + buf->off;
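Review bot: The failure test added in evbuffer_add_vprintf is spelled `< 0`, while the evbuffer_add hunk of the same commit tests `evbuffer_expand(buf, datlen) == -1`; using one spelling across the file makes the error contract easier to audit. The function body starts and ends outside this hunk, so any further evbuffer_expand call inside the `for (;;)` loop is not visible here; it is worth confirming that its return value is checked the same way, since an unchecked failure there would leave the formatted write with less space than it assumes.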
@@ -233,31 +234,47 @@ evbuffer_align(struct evbuffer *buf)
 buf->misalign = 0;
 }
+#ifndef SIZE_MAX
+#define SIZE_MAX ((size_t)-1)
+#endif
+
 /* Expands the available space in the event buffer to at least datlen */
 int
 evbuffer_expand(struct evbuffer *buf, size_t datlen)
 {
- size_t need = buf->misalign + buf->off + datlen;
+ size_t used = buf->misalign + buf->off;
+
+ assert(buf->totallen >= used);
 /* If we can fit all the data, then we don't have to do anything */
- if (buf->totallen >= need)
+ if (buf->totallen - used >= datlen)
 return (0);
+ /* If we would need to overflow to fit this much data, we can't
+ * do anything. */
+ if (datlen > SIZE_MAX - buf->off)
+ return (-1);
 /*
 * If the misalignment fulfills our data needs, we just force an
 * alignment to happen. Afterwards, we have enough space.
 */
- if (buf->misalign >= datlen) {
+ if (buf->totallen - buf->off >= datlen) {
 evbuffer_align(buf);
 } else {
 void *newbuf;
 size_t length = buf->totallen;
+ size_t need = buf->off + datlen;
 if (length < 256)
 length = 256;
- while (length < need)
- length <<= 1;
+ if (need < SIZE_MAX / 2) {
+ while (length < need) {
+ length <<= 1;
+ }
+ } else {
+ length = need;
+ }
 if (buf->orig_buffer != buf->buffer)
 evbuffer_align(buf);
@@ -274,10 +291,10 @@ evbuffer_expand(struct evbuffer *buf, si
 int
 evbuffer_add(struct evbuffer *buf, const void *data, size_t datlen)
 {
- size_t need = buf->misalign + buf->off + datlen;
+ size_t used = buf->misalign + buf->off;
 size_t oldoff = buf->off;
- if (buf->totallen < need) {
+ if (buf->totallen - used < datlen) {
 if (evbuffer_expand(buf, datlen) == -1)
 return (-1);
 }
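Review bot: The invariant `buf->totallen >= used` that the new subtraction in evbuffer_expand depends on is enforced only by `assert`, which compiles away under NDEBUG; if the fields are ever inconsistent, `buf->totallen - used` wraps to a very large value and the function returns 0 without allocating anything. The same subtraction in the evbuffer_add hunk (`buf->totallen - used < datlen`) has no guard at all, so there the expand call would be skipped. A runtime check before the subtraction in both functions, `if (buf->totallen < used) return (-1);`, keeps the failure closed in release builds. The hunk does not show whether `<assert.h>` is already included in buffer.c, and the bodies of both functions (the realloc path and the copy into the buffer) continue outside the visible hunks.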