authorBret Lambert <blambert@cvs.openbsd.org>2014-10-12 13:08:48 +0000
committerBret Lambert <blambert@cvs.openbsd.org>2014-10-12 13:08:48 +0000
commit095bcf0481525cc49263baf5ccdc0a9a41dc44da (patch)
tree3f55d62a6ef241823391041ebbcecbab9fb5c493
parent3acb7307ddb1fb4cfa1d2789f52299e231d0aab1 (diff)
Remove possibility of mutiplicative integer overflow by not multiplying.
Instead of the widespread-but-overflow-prone while (newlen < wanted) { newlen *= 2; } idiom, just realloc() for the space requested by the caller and check for additive overflow. Also change type of 'newlen' variable from int to size_t to avoid overflows there. Pointed out by deraadt@ ok reyk@
-rw-r--r--usr.sbin/relayd/agentx.c10
-rw-r--r--usr.sbin/snmpd/agentx.c10
2 files changed, 10 insertions, 10 deletions
diff --git a/usr.sbin/relayd/agentx.c b/usr.sbin/relayd/agentx.c
index 645ab66c1f4..2a5d7b4378f 100644
--- a/usr.sbin/relayd/agentx.c
+++ b/usr.sbin/relayd/agentx.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: agentx.c,v 1.5 2014/04/20 16:07:10 reyk Exp $ */
+/* $OpenBSD: agentx.c,v 1.6 2014/10/12 13:08:47 blambert Exp $ */
/*
* Copyright (c) 2013,2014 Bret Stephen Lambert <blambert@openbsd.org>
*
@@ -479,14 +479,14 @@ int
snmp_agentx_buffercheck(struct agentx_pdu *pdu, size_t len)
{
uint8_t *newptr;
- int newlen;
+ size_t newlen;
if (pdu->buflen - pdu->datalen >= len)
return (0);
- newlen = pdu->buflen;
- while (newlen - pdu->datalen < len)
- newlen *= 2;
+ newlen = pdu->buflen + len;
+ if (newlen < pdu->buflen || newlen < len)
+ return (-1);
if ((newptr = realloc(pdu->buffer, newlen)) == NULL)
return (-1);
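Review bot: The overflow guard after `newlen = pdu->buflen + len;` is only correct if `pdu->buflen` is an unsigned type as wide as `size_t`, which this hunk does not show; testing before the addition, `if (len > SIZE_MAX - pdu->buflen) return (-1);`, states the intent directly and does not rely on observing the wrap. The early-return test `pdu->buflen - pdu->datalen >= len` similarly assumes `datalen <= buflen`, and a one-line comment stating that invariant above it would help the next reader. No upper bound on `newlen` is visible here, so if `len` can be derived from peer-supplied PDU fields, a cap on the maximum buffer size before `realloc()` would bound memory growth. The function body continues past the end of the hunk, and the identical hunk in usr.sbin/snmpd/agentx.c carries the same points.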
diff --git a/usr.sbin/snmpd/agentx.c b/usr.sbin/snmpd/agentx.c
index 645ab66c1f4..2a5d7b4378f 100644
--- a/usr.sbin/snmpd/agentx.c
+++ b/usr.sbin/snmpd/agentx.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: agentx.c,v 1.5 2014/04/20 16:07:10 reyk Exp $ */
+/* $OpenBSD: agentx.c,v 1.6 2014/10/12 13:08:47 blambert Exp $ */
/*
* Copyright (c) 2013,2014 Bret Stephen Lambert <blambert@openbsd.org>
*
@@ -479,14 +479,14 @@ int
snmp_agentx_buffercheck(struct agentx_pdu *pdu, size_t len)
{
uint8_t *newptr;
- int newlen;
+ size_t newlen;
if (pdu->buflen - pdu->datalen >= len)
return (0);
- newlen = pdu->buflen;
- while (newlen - pdu->datalen < len)
- newlen *= 2;
+ newlen = pdu->buflen + len;
+ if (newlen < pdu->buflen || newlen < len)
+ return (-1);
if ((newptr = realloc(pdu->buffer, newlen)) == NULL)
return (-1);