diff options
author | Todd C. Miller <millert@cvs.openbsd.org> | 2024-08-19 15:08:22 +0000 |
---|---|---|
committer | Todd C. Miller <millert@cvs.openbsd.org> | 2024-08-19 15:08:22 +0000 |
commit | dc8d7c4c2a01ef681d67e1284c07f467edc4ac36 (patch) | |
tree | ea39bf74193c75dfe113417eabae724a63ec2a2e /usr.sbin | |
parent | cc866a771915bf1f1f7566f1d4ccae3ca3ef3774 (diff) |
Fix CVE-2024-43688, buffer underflow for very large step values
In get_number(), reject values that are so large that they are
interpreted as negative numbers. In set_range(), step values smaller
than one or larger than the "stop" value are ignored. This prevents
bit_nset() from being called with out-of-range values.
Bug found by Dave G. of Supernetworks.
Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/cron/entry.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/usr.sbin/cron/entry.c b/usr.sbin/cron/entry.c index 536085410cc..622e628695e 100644 --- a/usr.sbin/cron/entry.c +++ b/usr.sbin/cron/entry.c @@ -1,4 +1,4 @@ -/* $OpenBSD: entry.c,v 1.59 2023/07/19 21:26:02 millert Exp $ */ +/* $OpenBSD: entry.c,v 1.60 2024/08/19 15:08:21 millert Exp $ */ /* * Copyright 1988,1990,1993,1994 by Paul Vixie @@ -625,7 +625,10 @@ get_number(int *numptr, int low, const char *names[], int ch, FILE *file, /* got a number, check for valid terminator */ if (!strchr(terms, ch)) goto bad; - *numptr = atoi(temp); + i = atoi(temp); + if (i < 0) + goto bad; + *numptr = i; return (ch); } @@ -675,7 +678,7 @@ set_range(bitstr_t *bits, int low, int high, int start, int stop, int step) start -= low; stop -= low; - if (step == 1) { + if (step <= 1 || step > stop) { bit_nset(bits, start, stop); } else { for (i = start; i <= stop; i += step) |