summaryrefslogtreecommitdiff
path: root/usr.sbin
diff options
context:
space:
mode:
authorTodd C. Miller <millert@cvs.openbsd.org>2024-08-19 15:08:22 +0000
committerTodd C. Miller <millert@cvs.openbsd.org>2024-08-19 15:08:22 +0000
commitdc8d7c4c2a01ef681d67e1284c07f467edc4ac36 (patch)
treeea39bf74193c75dfe113417eabae724a63ec2a2e /usr.sbin
parentcc866a771915bf1f1f7566f1d4ccae3ca3ef3774 (diff)
Fix CVE-2024-43688, buffer underflow for very large step values
In get_number(), reject values that are so large that they are interpreted as negative numbers. In set_range(), step values smaller than one or larger than the "stop" value are ignored. This prevents bit_nset() from being called with out-of-range values. Bug found by Dave G. of Supernetworks.
Diffstat (limited to 'usr.sbin')
-rw-r--r--usr.sbin/cron/entry.c9
1 files changed, 6 insertions, 3 deletions
diff --git a/usr.sbin/cron/entry.c b/usr.sbin/cron/entry.c
index 536085410cc..622e628695e 100644
--- a/usr.sbin/cron/entry.c
+++ b/usr.sbin/cron/entry.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: entry.c,v 1.59 2023/07/19 21:26:02 millert Exp $ */
+/* $OpenBSD: entry.c,v 1.60 2024/08/19 15:08:21 millert Exp $ */
/*
* Copyright 1988,1990,1993,1994 by Paul Vixie
@@ -625,7 +625,10 @@ get_number(int *numptr, int low, const char *names[], int ch, FILE *file,
/* got a number, check for valid terminator */
if (!strchr(terms, ch))
goto bad;
- *numptr = atoi(temp);
+ i = atoi(temp);
+ if (i < 0)
+ goto bad;
+ *numptr = i;
return (ch);
}
@@ -675,7 +678,7 @@ set_range(bitstr_t *bits, int low, int high, int start, int stop, int step)
start -= low;
stop -= low;
- if (step == 1) {
+ if (step <= 1 || step > stop) {
bit_nset(bits, start, stop);
} else {
for (i = start; i <= stop; i += step)