[26496] in bugtraq
Re: FreeBSD Security Advisory FreeBSD-SA-02:34.rpc
daemon@ATHENA.MIT.EDU (Adam Sampson)
Thu Aug 1 18:24:09 2002
To: Bugtraq <bugtraq@securityfocus.com>
From: Adam Sampson <azz@gnu.org>
Date: 01 Aug 2002 09:31:10 +0100
In-Reply-To: <200208010246.g712k65w003328@freefall.freebsd.org>
Message-ID: <y2avg6vq8tt.fsf@cartman.at.fivegeeks.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
The FreeBSD patch says:
> c = *sizep;
> - if ((c > maxsize) && (xdrs->x_op != XDR_FREE)) {
> + if ((c > maxsize && UINT_MAX/elsize < c) &&
> + (xdrs->x_op != XDR_FREE)) {
> return (FALSE);
> }
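Review bot: the `&&` joining `c > maxsize` and `UINT_MAX/elsize < c` makes the guard weaker than the line it replaces: any count `c` with `maxsize < c <= UINT_MAX/elsize` now falls through to the allocation that the pre-patch `if ((c > maxsize) && ...)` rejected, so the original maximum-size bound no longer holds and only the multiplication-overflow case is caught. Each test is an independent reason to return FALSE, so the inner operator should be `||`, e.g. `if ((c > maxsize || UINT_MAX/elsize < c) && (xdrs->x_op != XDR_FREE))`. A test with a count just above `maxsize` but well below `UINT_MAX/elsize` would have shown the regression.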
Is this fix correct? Previously, xdr_array would return false if the
count of items passed in was larger than the maximum; now it only
returns false if it's both larger than the maximum _and_ larger than
the amount that can be safely calculated. In the event that *sizep >
maxsize but *sizep <= UINT_MAX/elsize, the return (FALSE) will never
be hit, whereas it would be in the original version of the
code. Shouldn't the first && be ||?
It looks like glibc, dietlibc and uClibc carry xdr_array code derived
from the same source, so they might require similar fixes.
--
Adam Sampson <azz@gnu.org> <URL:http://azz.us-lot.org/>
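The guard variants discussed in the message above, side by side, as an added example that is not code from the advisory, the reply, or any libc. The enum, function and parameter names are stand-ins chosen for this illustration; the three predicates are the pre-patch check, the check as quoted from the patch, and the `||` form the reply proposes. `elsize` is assumed non-zero, as the quoted check itself assumes.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for the XDR operation field tested as xdrs->x_op. */
typedef enum { XDR_ENCODE, XDR_DECODE, XDR_FREE } xdr_op;

/* Which version of the inner size test to evaluate. */
typedef enum { CHECK_ORIGINAL, CHECK_PATCH_AND, CHECK_PROPOSED_OR } check_variant;

/* Returns true when the guard fires, i.e. when xdr_array would return FALSE.
 * Mirrors the shape `if ((<size test>) && (xdrs->x_op != XDR_FREE))`. */
bool xdr_array_guard_fires(check_variant v, xdr_op op,
                           unsigned c, unsigned maxsize, unsigned elsize)
{
    bool too_many;
    switch (v) {
    case CHECK_ORIGINAL:
        too_many = c > maxsize;                            /* pre-patch line */
        break;
    case CHECK_PATCH_AND:
        too_many = c > maxsize && UINT_MAX / elsize < c;   /* as quoted */
        break;
    case CHECK_PROPOSED_OR:
    default:
        too_many = c > maxsize || UINT_MAX / elsize < c;   /* reply's suggestion */
        break;
    }
    return too_many && op != XDR_FREE;
}

/* True when c * elsize would wrap in unsigned arithmetic: the condition the
 * UINT_MAX/elsize term exists to catch. */
bool nodesize_wraps(unsigned c, unsigned elsize)
{
    return elsize != 0 && c > UINT_MAX / elsize;
}

/* How many counts the original guard rejected but the quoted '&&' guard
 * accepts: every c in (maxsize, UINT_MAX/elsize]. Zero if the window is empty. */
unsigned accepted_only_by_and_guard(unsigned maxsize, unsigned elsize)
{
    unsigned ceiling = elsize ? UINT_MAX / elsize : 0;
    return ceiling > maxsize ? ceiling - maxsize : 0;
}

int main(void)
{
    const unsigned maxsize = 64, elsize = 16;   /* constructed sample limits */
    /* Constructed sample counts: at the limit, just past it, far past it,
     * at the wrap boundary, and one element past the wrap boundary. */
    const unsigned samples[] = { 64, 65, 1000, UINT_MAX / elsize, UINT_MAX / elsize + 1 };
    const char *names[] = { "original", "patch(&&)", "proposed(||)" };

    printf("maxsize=%u elsize=%u\n", maxsize, elsize);
    printf("%12s %9s %9s %12s %6s\n", "c", names[0], names[1], names[2], "wraps");
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned c = samples[i];
        printf("%12u %9s %9s %12s %6s\n", c,
               xdr_array_guard_fires(CHECK_ORIGINAL, XDR_DECODE, c, maxsize, elsize) ? "reject" : "accept",
               xdr_array_guard_fires(CHECK_PATCH_AND, XDR_DECODE, c, maxsize, elsize) ? "reject" : "accept",
               xdr_array_guard_fires(CHECK_PROPOSED_OR, XDR_DECODE, c, maxsize, elsize) ? "reject" : "accept",
               nodesize_wraps(c, elsize) ? "yes" : "no");
    }
    printf("counts accepted only by the '&&' guard: %u\n",
           accepted_only_by_and_guard(maxsize, elsize));
    return 0;
}
```

Running it shows the window the reply describes: for c = 65 or 1000 the original guard rejects and the `||` guard rejects, but the quoted `&&` guard accepts, because `UINT_MAX/elsize < c` is false for any count whose product does not wrap. Only at `UINT_MAX/elsize + 1` do the `&&` guard and the wrap check agree, which is why a regression test with a count just past `maxsize` is the one that matters.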