Re: FreeBSD Security Advisory FreeBSD-SA-02:34.rpc

From: Adam Sampson (azzat_private)
Date: Thu Aug 01 2002 - 01:31:10 PDT

    The FreeBSD patch says:
    
    >         c = *sizep;
    > -       if ((c > maxsize) && (xdrs->x_op != XDR_FREE)) {
    > +       if ((c > maxsize && UINT_MAX/elsize < c) &&
    > +           (xdrs->x_op != XDR_FREE)) {
    >                 return (FALSE);
    >         }
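    Review bot: the replacement condition in the two `+` lines is weaker than the `-` line it replaces, not stronger: `(c > maxsize && UINT_MAX/elsize < c)` rejects the count only when it exceeds maxsize and is also large enough to overflow `c * elsize`, so any count with maxsize < c <= UINT_MAX/elsize now skips the `return (FALSE)` that the old `if ((c > maxsize) && ...)` would have taken. The overflow guard should be joined to the existing size check with `||`, keeping the `XDR_FREE` exemption as it was: `if ((c > maxsize || UINT_MAX/elsize < c) && (xdrs->x_op != XDR_FREE)) {`. As written, the hunk also leaves a count that fits under maxsize but still wraps the multiplication unrejected, which the `||` form catches as well.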
    
    Is this fix correct? Previously, xdr_array would return false if the
    count of items passed in was larger than the maximum; now it only
    returns false if it's both larger than the maximum _and_ larger than
    the amount that can be safely calculated. In the event that *sizep >
    maxsize but *sizep <= UINT_MAX/elsize, the return (FALSE) will never
    be hit, whereas it would be in the original version of the
    code. Shouldn't the first && be ||?
    
    It looks like glibc, dietlibc and uClibc carry xdr_array code derived
    from the same source, so they might require similar fixes.
    
    -- 
    Adam Sampson <azzat_private>                  <URL:http://azz.us-lot.org/>
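The following C program is an added example, not code from the original message, from the FreeBSD patch, or from any libc; it models the count check from the quoted xdr_array() hunk as three stand-alone predicates (the original check, the patched `&&` form, and the `||` form the poster proposes) so the case the message describes can be exercised on constructed inputs. The function names, the `maxsize`/`elsize` sample values and the table of cases are all assumptions made for the example.

```c
/* Added example modelling the xdr_array() count check from the quoted
 * FreeBSD hunk. Function names and the sample values below are
 * constructed for illustration; they are not from the advisory. */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* True when the original (pre-patch) xdr_array code would have taken
 * its return (FALSE): the count simply exceeds the caller's maximum.
 * The XDR_FREE exemption from the real code is omitted here. */
static bool reject_original(unsigned int c, unsigned int maxsize)
{
    return c > maxsize;
}

/* The condition exactly as written in the '+' lines of the patch:
 * both limits must be exceeded before the count is rejected. */
static bool reject_patched(unsigned int c, unsigned int maxsize,
                           unsigned int elsize)
{
    return (c > maxsize && UINT_MAX / elsize < c);
}

/* The condition the poster suggests (first && replaced by ||):
 * exceeding either limit rejects the count. */
static bool reject_corrected(unsigned int c, unsigned int maxsize,
                             unsigned int elsize)
{
    return (c > maxsize || UINT_MAX / elsize < c);
}

/* True if c * elsize would wrap an unsigned int, which is the
 * overflow the UINT_MAX/elsize term exists to catch before the
 * allocation size is computed from the count. */
static bool product_overflows(unsigned int c, unsigned int elsize)
{
    return elsize != 0 && c > UINT_MAX / elsize;
}

int main(void)
{
    /* Constructed scenarios: element size 4, and two different
     * caller-supplied maxima. */
    const unsigned int elsize = 4u;
    const unsigned int small_max = 100u;
    const unsigned int huge_max = UINT_MAX;
    const unsigned int wrap_count = UINT_MAX / elsize + 1u; /* c*4 wraps */

    struct { const char *what; unsigned int c, maxsize; } cases[] = {
        { "in range",                        50u,        small_max },
        { "over maxsize, product fits",     200u,        small_max },
        { "over maxsize, product wraps",  wrap_count,    small_max },
        { "under maxsize, product wraps", wrap_count,    huge_max  },
    };

    printf("%-32s %-10s %-8s %-8s %-8s\n",
           "case", "overflow?", "orig", "patched", "||-form");
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        unsigned int c = cases[i].c, m = cases[i].maxsize;
        printf("%-32s %-10s %-8s %-8s %-8s\n", cases[i].what,
               product_overflows(c, elsize) ? "yes" : "no",
               reject_original(c, m) ? "reject" : "accept",
               reject_patched(c, m, elsize) ? "reject" : "accept",
               reject_corrected(c, m, elsize) ? "reject" : "accept");
    }
    return 0;
}
```

The second row is the case the message raises: a count over maxsize whose product still fits is rejected by the original code and by the `||` form, but accepted by the patched `&&` form. The last row shows why `||` is needed for the overflow half too: with a large maxsize, a count whose product wraps passes both the original and the patched check.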
    