authorhenning <henning@openbsd.org>2004-05-04 18:49:52 +0000
committerhenning <henning@openbsd.org>2004-05-04 18:49:52 +0000
commitf85a47c5011a08513f8f782788c863b8aef03240 (patch)
tree3f18564b0edee86c2a0cde76419a6dc7e9e1dde5
parentsync usage w/ man page (diff)
prevent the len params from overflowing, caught by & ok canacar
-rw-r--r--sbin/dhclient/privsep.c13
1 files changed, 7 insertions, 6 deletions
diff --git a/sbin/dhclient/privsep.c b/sbin/dhclient/privsep.c
index 6cd447ef614..66c93318873 100644
--- a/sbin/dhclient/privsep.c
+++ b/sbin/dhclient/privsep.c
@@ -114,7 +114,7 @@ dispatch_imsg(int fd)
error("corrupted message received");
buf_read(fd, &medium_len, sizeof(medium_len));
if (hdr.len < medium_len + sizeof(size_t) + sizeof(hdr)
- + sizeof(size_t))
+ + sizeof(size_t) || medium_len == UINT_MAX)
error("corrupted message received");
if (medium_len > 0) {
if ((medium = calloc(1, medium_len + 1)) == NULL)
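Review bot: The added `medium_len == UINT_MAX` test rejects only the single value for which `medium_len + 1` wraps in a 32-bit type, while the sum `medium_len + sizeof(size_t) + sizeof(hdr) + sizeof(size_t)` on the preceding line can still wrap for other large values and let the comparison against `hdr.len` pass. The length variables appear to be `size_t` (the accounting uses `sizeof(size_t)`; their declarations are outside the hunk), in which case on a 64-bit platform the value that makes `+ 1` wrap is `SIZE_MAX`, not `UINT_MAX`. Comparing against the space that remains avoids both problems: once `hdr.len >= sizeof(hdr) + 2 * sizeof(size_t)` is established, use `if (medium_len > hdr.len - sizeof(hdr) - 2 * sizeof(size_t)) error("corrupted message received");`. The same applies to the reason_len, filename_len, servername_len, prefix_len and optlen checks in the later hunks, where `totlen +=` can also wrap before it is compared with `hdr.len`. dispatch_imsg's body starts and ends outside the hunk.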
@@ -124,7 +124,8 @@ dispatch_imsg(int fd)
medium = NULL;
buf_read(fd, &reason_len, sizeof(reason_len));
- if (hdr.len < medium_len + reason_len + sizeof(hdr))
+ if (hdr.len < medium_len + reason_len + sizeof(hdr) ||
+ reason_len == UINT_MAX)
error("corrupted message received");
if (reason_len > 0) {
if ((reason = calloc(1, reason_len + 1)) == NULL)
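Review bot: The bound in this check appears looser than the one applied to medium_len: `medium_len + reason_len + sizeof(hdr)` leaves out the `sizeof(size_t)` length fields that the first check counts, so a header length that covers the two strings but not their length prefixes is still accepted. If that is not intended, count the prefixes here as well, e.g. `if (hdr.len < medium_len + reason_len + sizeof(hdr) + 2 * sizeof(size_t) || reason_len == UINT_MAX)`. What buf_read does when the peer sends less data than the header claims is not visible in this hunk, so the practical effect should be confirmed against that function.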
@@ -145,7 +146,7 @@ dispatch_imsg(int fd)
buf_read(fd, &filename_len, sizeof(filename_len));
totlen += filename_len + sizeof(size_t);
- if (hdr.len < totlen)
+ if (hdr.len < totlen || filename_len == UINT_MAX)
error("corrupted message received");
if (filename_len > 0) {
if ((filename = calloc(1, filename_len + 1)) == NULL)
@@ -156,7 +157,7 @@ dispatch_imsg(int fd)
buf_read(fd, &servername_len, sizeof(servername_len));
totlen += servername_len + sizeof(size_t);
- if (hdr.len < totlen)
+ if (hdr.len < totlen || servername_len == UINT_MAX)
error("corrupted message received");
if (servername_len > 0) {
if ((servername =
@@ -168,7 +169,7 @@ dispatch_imsg(int fd)
buf_read(fd, &prefix_len, sizeof(prefix_len));
totlen += prefix_len;
- if (hdr.len < totlen)
+ if (hdr.len < totlen || prefix_len == UINT_MAX)
error("corrupted message received");
if (prefix_len > 0) {
if ((prefix = calloc(1, prefix_len + 1)) == NULL)
@@ -186,7 +187,7 @@ dispatch_imsg(int fd)
lease.options[i].len = optlen;
if (optlen > 0) {
totlen += optlen;
- if (hdr.len < totlen)
+ if (hdr.len < totlen || optlen == UINT_MAX)
error("corrupted message received");
lease.options[i].data =
calloc(1, optlen + 1);