diff options
| author |   blambert <blambert@openbsd.org> | 2014-10-12 13:08:47 +0000 |
|---|---|---|
| committer | blambert <blambert@openbsd.org> | 2014-10-12 13:08:47 +0000 |
| commit | 0b5df6d6a4aaa474dcc0a7059190a813e5a6261f (patch) | |
| tree | 8daea27a6c4afb338b3307fe181c7035cf6bd8ac | |
| parent | document the semantics of operation keywords (diff) | |
| download | wireguard-openbsd-0b5df6d6a4aaa474dcc0a7059190a813e5a6261f.tar.xz wireguard-openbsd-0b5df6d6a4aaa474dcc0a7059190a813e5a6261f.zip | |
Remove possibility of mutiplicative integer overflow by not multiplying.
Instead of the widespread-but-overflow-prone
while (newlen < wanted) { newlen *= 2; }
idiom, just realloc() for the space requested by the caller and check
for additive overflow.
Also change type of 'newlen' variable from int to size_t to avoid
overflows there.
Pointed out by deraadt@
ok reyk@
| -rw-r--r-- | usr.sbin/relayd/agentx.c | 10 | ||||
| -rw-r--r-- | usr.sbin/snmpd/agentx.c | 10 |
2 files changed, 10 insertions, 10 deletions
diff --git a/usr.sbin/relayd/agentx.c b/usr.sbin/relayd/agentx.c index 645ab66c1f4..2a5d7b4378f 100644 --- a/usr.sbin/relayd/agentx.c +++ b/usr.sbin/relayd/agentx.c @@ -1,4 +1,4 @@ -/* $OpenBSD: agentx.c,v 1.5 2014/04/20 16:07:10 reyk Exp $ */ +/* $OpenBSD: agentx.c,v 1.6 2014/10/12 13:08:47 blambert Exp $ */ /* * Copyright (c) 2013,2014 Bret Stephen Lambert <blambert@openbsd.org> * @@ -479,14 +479,14 @@ int snmp_agentx_buffercheck(struct agentx_pdu *pdu, size_t len) { uint8_t *newptr; - int newlen; + size_t newlen; if (pdu->buflen - pdu->datalen >= len) return (0); - newlen = pdu->buflen; - while (newlen - pdu->datalen < len) - newlen *= 2; + newlen = pdu->buflen + len; + if (newlen < pdu->buflen || newlen < len) + return (-1); if ((newptr = realloc(pdu->buffer, newlen)) == NULL) return (-1); diff --git a/usr.sbin/snmpd/agentx.c b/usr.sbin/snmpd/agentx.c index 645ab66c1f4..2a5d7b4378f 100644 --- a/usr.sbin/snmpd/agentx.c +++ b/usr.sbin/snmpd/agentx.c @@ -1,4 +1,4 @@ -/* $OpenBSD: agentx.c,v 1.5 2014/04/20 16:07:10 reyk Exp $ */ +/* $OpenBSD: agentx.c,v 1.6 2014/10/12 13:08:47 blambert Exp $ */ /* * Copyright (c) 2013,2014 Bret Stephen Lambert <blambert@openbsd.org> * @@ -479,14 +479,14 @@ int snmp_agentx_buffercheck(struct agentx_pdu *pdu, size_t len) { uint8_t *newptr; - int newlen; + size_t newlen; if (pdu->buflen - pdu->datalen >= len) return (0); - newlen = pdu->buflen; - while (newlen - pdu->datalen < len) - newlen *= 2; + newlen = pdu->buflen + len; + if (newlen < pdu->buflen || newlen < len) + return (-1); if ((newptr = realloc(pdu->buffer, newlen)) == NULL) return (-1); |