Bugtraq mailing list archives
Re: FreeBSD Security Advisory FreeBSD-SA-02:34.rpc
From: Adam Sampson <azz () gnu org>
Date: 01 Aug 2002 09:31:10 +0100
The FreeBSD patch says:
c = *sizep; - if ((c > maxsize) && (xdrs->x_op != XDR_FREE)) { + if ((c > maxsize && UINT_MAX/elsize < c) && + (xdrs->x_op != XDR_FREE)) { return (FALSE); }
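Review bot: In the added condition, `c > maxsize && UINT_MAX/elsize < c` needs both tests to be true before `return (FALSE)` is reached, so a count above maxsize whose product with elsize still fits is now accepted, and a count at or below maxsize is never compared against UINT_MAX/elsize at all. Joining the two tests with `||` would keep the maxsize limit and add the overflow guard on top of it. `UINT_MAX/elsize` also relies on elsize being non-zero, which is worth stating in a comment or checking.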
Is this fix correct? Previously, xdr_array would return false if the count of items passed in was larger than the maximum; now it only returns false if it's both larger than the maximum _and_ larger than the amount that can be safely calculated. In the event that *sizep > maxsize but *sizep <= UINT_MAX/elsize, the return (FALSE) will never be hit, whereas it would be in the original version of the code. Shouldn't the first && be ||?

It looks like glibc, dietlibc and uClibc carry xdr_array code derived from the same source, so they might require similar fixes.

--
Adam Sampson <azz () gnu org> <URL:http://azz.us-lot.org/>
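The three forms of the count check discussed in the message above, compared on constructed inputs. This is an added example, not part of the original message or of the FreeBSD patch; the function names, the `nbytes` helper and the sample values are assumptions, and the `XDR_FREE` test is left out. It goes one case beyond the message by also trying a count that stays under a very large maxsize.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Each function returns true when the count would be rejected, i.e. when
 * xdr_array would reach return (FALSE). Assumes x_op != XDR_FREE. */

/* Check before the patch: only the caller's limit. */
static bool reject_original(unsigned c, unsigned maxsize, unsigned elsize) {
    (void)elsize;
    return c > maxsize;
}

/* Condition as quoted from the patch: both tests must hold. */
static bool reject_patched(unsigned c, unsigned maxsize, unsigned elsize) {
    return c > maxsize && UINT_MAX / elsize < c;
}

/* Variant the message asks about: either test rejects. */
static bool reject_either(unsigned c, unsigned maxsize, unsigned elsize) {
    return c > maxsize || UINT_MAX / elsize < c;
}

/* Hypothetical helper: the product that the UINT_MAX/elsize test guards.
 * Unsigned arithmetic wraps modulo UINT_MAX + 1. */
static unsigned nbytes(unsigned c, unsigned elsize) {
    return c * elsize;
}

int main(void) {
    /* Constructed inputs: {count, maxsize, elsize}. */
    const unsigned cases[][3] = {
        {10, 100, 8},                    /* within the limit */
        {1000, 100, 8},                  /* over the limit, product fits */
        {UINT_MAX / 8 + 1, 100, 8},      /* over the limit, product wraps */
        {UINT_MAX / 8 + 1, UINT_MAX, 8}, /* under the limit, product wraps */
    };
    puts("count       maxsize     bytes       orig patch either");
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        unsigned c = cases[i][0], m = cases[i][1], e = cases[i][2];
        printf("%-11u %-11u %-11u %-4d %-5d %d\n", c, m, nbytes(c, e),
               reject_original(c, m, e), reject_patched(c, m, e),
               reject_either(c, m, e));
    }
    return 0;
}
```

Because the quoted condition is a conjunction, it can only reject counts that the original check already rejected; the last row shows a wrapping count that passes both of them.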