Re: FreeBSD Security Advisory FreeBSD-SA-02:34.rpc

[Adam Sampson <azz () gnu org>]

The FreeBSD patch says:

>         c = *sizep;
> -       if ((c > maxsize) && (xdrs->x_op != XDR_FREE)) {
> +       if ((c > maxsize && UINT_MAX/elsize < c) &&
> +           (xdrs->x_op != XDR_FREE)) {
>                 return (FALSE);
>         }

Is this fix correct? Previously, xdr_array would return false if the
count of items passed in was larger than the maximum; now it only
returns false if it's both larger than the maximum _and_ larger than
the amount that can be safely calculated. In the event that *sizep >
maxsize but *sizep <= UINT_MAX/elsize, the return (FALSE) will never
be hit, whereas it would be in the original version of the
code. Shouldn't the first && be ||?

It looks like glibc, dietlibc and uClibc carry xdr_array code derived
from the same source, so they might require similar fixes.

-- 
Adam Sampson <azz () gnu org>                  <URL:http://azz.us-lot.org/>