diff options
| author | Henning Brauer <henning@cvs.openbsd.org> | 2004-05-04 18:49:53 +0000 |
|---|---|---|
| committer | Henning Brauer <henning@cvs.openbsd.org> | 2004-05-04 18:49:53 +0000 |
| commit | e4eb2e0942f4c750f53fdb8dd20520468d871f2f (patch) | |
| tree | 0f01f9952e2e9810d44d245e34482c104cf4c856 | |
| parent | e681abe1ff982d8c9eb18c001273785293da4eb2 (diff) | |
prevent the len params from overflowing, catched by & ok canacar
| -rw-r--r-- | sbin/dhclient/privsep.c | 13 |
1 files changed, 7 insertions, 6 deletions
diff --git a/sbin/dhclient/privsep.c b/sbin/dhclient/privsep.c index 6cd447ef614..66c93318873 100644 --- a/sbin/dhclient/privsep.c +++ b/sbin/dhclient/privsep.c @@ -114,7 +114,7 @@ dispatch_imsg(int fd) error("corrupted message received"); buf_read(fd, &medium_len, sizeof(medium_len)); if (hdr.len < medium_len + sizeof(size_t) + sizeof(hdr) - + sizeof(size_t)) + + sizeof(size_t) || medium_len == UINT_MAX) error("corrupted message received"); if (medium_len > 0) { if ((medium = calloc(1, medium_len + 1)) == NULL) @@ -124,7 +124,8 @@ dispatch_imsg(int fd) medium = NULL; buf_read(fd, &reason_len, sizeof(reason_len)); - if (hdr.len < medium_len + reason_len + sizeof(hdr)) + if (hdr.len < medium_len + reason_len + sizeof(hdr) || + reason_len == UINT_MAX) error("corrupted message received"); if (reason_len > 0) { if ((reason = calloc(1, reason_len + 1)) == NULL) @@ -145,7 +146,7 @@ dispatch_imsg(int fd) buf_read(fd, &filename_len, sizeof(filename_len)); totlen += filename_len + sizeof(size_t); - if (hdr.len < totlen) + if (hdr.len < totlen || filename_len == UINT_MAX) error("corrupted message received"); if (filename_len > 0) { if ((filename = calloc(1, filename_len + 1)) == NULL) @@ -156,7 +157,7 @@ dispatch_imsg(int fd) buf_read(fd, &servername_len, sizeof(servername_len)); totlen += servername_len + sizeof(size_t); - if (hdr.len < totlen) + if (hdr.len < totlen || servername_len == UINT_MAX) error("corrupted message received"); if (servername_len > 0) { if ((servername = @@ -168,7 +169,7 @@ dispatch_imsg(int fd) buf_read(fd, &prefix_len, sizeof(prefix_len)); totlen += prefix_len; - if (hdr.len < totlen) + if (hdr.len < totlen || prefix_len == UINT_MAX) error("corrupted message received"); if (prefix_len > 0) { if ((prefix = calloc(1, prefix_len + 1)) == NULL) @@ -186,7 +187,7 @@ dispatch_imsg(int fd) lease.options[i].len = optlen; if (optlen > 0) { totlen += optlen; - if (hdr.len < totlen) + if (hdr.len < totlen || optlen == UINT_MAX) error("corrupted message received"); lease.options[i].data = calloc(1, optlen + 1); |