sssd/0002-Add-overflow-check-to-SAFEALIGN_COPY_-_CHECK-macros.patch

33 lines
1.1 KiB
Diff

From bfac6031ab075834183c9f18b28363d11b99e44a Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 7 Dec 2010 17:01:04 +0100
Subject: Add overflow check to SAFEALIGN_COPY_*_CHECK macros
CVE-2010-4341
bnc#660481
diff --git a/src/util/util.h b/src/util/util.h
index 7c35550..50c5fe2 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -207,12 +207,14 @@ safealign_memcpy(void *dest, const void *src, size_t n, size_t *counter)
SAFEALIGN_SET_VALUE(dest, value, uint16_t, pctr)
#define SAFEALIGN_COPY_UINT32_CHECK(dest, src, len, pctr) do { \
- if ((*(pctr) + sizeof(uint32_t)) > (len)) return EINVAL; \
+ if ((*(pctr) + sizeof(uint32_t)) > (len) || \
+ SIZE_T_OVERFLOW(*(pctr), sizeof(uint32_t))) return EINVAL; \
safealign_memcpy(dest, src, sizeof(uint32_t), pctr); \
} while(0)
#define SAFEALIGN_COPY_INT32_CHECK(dest, src, len, pctr) do { \
- if ((*(pctr) + sizeof(int32_t)) > (len)) return EINVAL; \
+ if ((*(pctr) + sizeof(int32_t)) > (len) || \
+ SIZE_T_OVERFLOW(*(pctr), sizeof(int32_t))) return EINVAL; \
safealign_memcpy(dest, src, sizeof(int32_t), pctr); \
} while(0)
--
1.7.3.2