forked from pool/libtirpc
46 lines
1.0 KiB
Diff
46 lines
1.0 KiB
Diff
commit 30431c6d846eab1bc6b7a3a91a7894f3acf2680f
|
|
Author: Steve Dickson <steved@redhat.com>
|
|
Date: Thu Apr 26 14:42:16 2007 -0400
|
|
|
|
Check for buffer overflow in xdr_string.
|
|
|
|
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
diff --git a/src/xdr.c b/src/xdr.c
|
|
index 764c30f..292723b 100644
|
|
--- a/src/xdr.c
|
|
+++ b/src/xdr.c
|
|
@@ -669,6 +669,8 @@ xdr_string(xdrs, cpp, maxsize)
|
|
}
|
|
/* FALLTHROUGH */
|
|
case XDR_ENCODE:
|
|
+ if (sp == NULL)
|
|
+ return FALSE;
|
|
size = strlen(sp);
|
|
break;
|
|
case XDR_DECODE:
|
|
@@ -681,6 +683,13 @@ xdr_string(xdrs, cpp, maxsize)
|
|
return (FALSE);
|
|
}
|
|
nodesize = size + 1;
|
|
+ if (nodesize == 0) {
|
|
+ /* This means an overflow. It a bug in the caller which
|
|
+ * provided a too large maxsize but nevertheless catch it
|
|
+ * here.
|
|
+ */
|
|
+ return FALSE;
|
|
+ }
|
|
|
|
/*
|
|
* now deal with the actual bytes
|
|
@@ -688,9 +697,6 @@ xdr_string(xdrs, cpp, maxsize)
|
|
switch (xdrs->x_op) {
|
|
|
|
case XDR_DECODE:
|
|
- if (nodesize == 0) {
|
|
- return (TRUE);
|
|
- }
|
|
if (sp == NULL)
|
|
*cpp = sp = mem_alloc(nodesize);
|
|
if (sp == NULL) {
|