author | Bret Lambert <blambert@cvs.openbsd.org> | 2014-10-12 13:08:48 +0000 |
---|---|---|
committer | Bret Lambert <blambert@cvs.openbsd.org> | 2014-10-12 13:08:48 +0000 |
commit | 095bcf0481525cc49263baf5ccdc0a9a41dc44da (patch) | |
tree | 3f55d62a6ef241823391041ebbcecbab9fb5c493 | |
parent | 3acb7307ddb1fb4cfa1d2789f52299e231d0aab1 (diff) |
Remove possibility of multiplicative integer overflow by not multiplying.
Instead of the widespread-but-overflow-prone
while (newlen < wanted) { newlen *= 2; }
idiom, just realloc() for the space requested by the caller and check
for additive overflow.
Also change type of 'newlen' variable from int to size_t to avoid
overflows there.
Pointed out by deraadt@
ok reyk@
-rw-r--r-- | usr.sbin/relayd/agentx.c | 10 | ||||
-rw-r--r-- | usr.sbin/snmpd/agentx.c | 10 |
2 files changed, 10 insertions, 10 deletions
diff --git a/usr.sbin/relayd/agentx.c b/usr.sbin/relayd/agentx.c
index 645ab66c1f4..2a5d7b4378f 100644
--- a/usr.sbin/relayd/agentx.c
+++ b/usr.sbin/relayd/agentx.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: agentx.c,v 1.5 2014/04/20 16:07:10 reyk Exp $ */
+/* $OpenBSD: agentx.c,v 1.6 2014/10/12 13:08:47 blambert Exp $ */
 /*
 * Copyright (c) 2013,2014 Bret Stephen Lambert <blambert@openbsd.org>
 *
@@ -479,14 +479,14 @@ int
 snmp_agentx_buffercheck(struct agentx_pdu *pdu, size_t len)
 {
 uint8_t *newptr;
- int newlen;
+ size_t newlen;
 if (pdu->buflen - pdu->datalen >= len)
 return (0);
- newlen = pdu->buflen;
- while (newlen - pdu->datalen < len)
- newlen *= 2;
+ newlen = pdu->buflen + len;
+ if (newlen < pdu->buflen || newlen < len)
+ return (-1);
 if ((newptr = realloc(pdu->buffer, newlen)) == NULL)
 return (-1);
diff --git a/usr.sbin/snmpd/agentx.c b/usr.sbin/snmpd/agentx.c
index 645ab66c1f4..2a5d7b4378f 100644
--- a/usr.sbin/snmpd/agentx.c
+++ b/usr.sbin/snmpd/agentx.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: agentx.c,v 1.5 2014/04/20 16:07:10 reyk Exp $ */
+/* $OpenBSD: agentx.c,v 1.6 2014/10/12 13:08:47 blambert Exp $ */
 /*
 * Copyright (c) 2013,2014 Bret Stephen Lambert <blambert@openbsd.org>
 *
@@ -479,14 +479,14 @@ int
 snmp_agentx_buffercheck(struct agentx_pdu *pdu, size_t len)
 {
 uint8_t *newptr;
- int newlen;
+ size_t newlen;
 if (pdu->buflen - pdu->datalen >= len)
 return (0);
- newlen = pdu->buflen;
- while (newlen - pdu->datalen < len)
- newlen *= 2;
+ newlen = pdu->buflen + len;
+ if (newlen < pdu->buflen || newlen < len)
+ return (-1);
 if ((newptr = realloc(pdu->buffer, newlen)) == NULL)
 return (-1);
|
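Review bot: The early-exit test `pdu->buflen - pdu->datalen >= len` at the top of snmp_agentx_buffercheck() is still an unchecked subtraction, so the new overflow check on `newlen` only protects the growth path. If `datalen` can ever exceed `buflen` and the fields are unsigned (neither the field types nor the invariant are visible in this hunk), the difference wraps to a very large value and the function returns 0 without growing the buffer; `if (pdu->datalen <= pdu->buflen && pdu->buflen - pdu->datalen >= len)` would make the guard self-contained. A short comment above the addition, such as `/* grow by exactly len; a wrapped sum means the request cannot be satisfied */`, would also record why the doubling loop was dropped. The same applies to the identical hunk in usr.sbin/snmpd/agentx.c, and the function body continues past the end of both hunks.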