tacit/minix
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

prevent integer overflow

Browse Source 
This change adds individual bounds checks for namelen and prefixlen in order to prevent integer overflow (which could cause memory corruption).
This commit is contained in:
Ilja van Sprundel 2019-10-03 15:09:31 +02:00 committed by GitHub
parent 4db99f4012
commit 12bc3e2937
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
minix/lib/libsys/rmib.c
View File

@ -711,7 +711,9 @@ rmib_call(const message * m_in)
*/
/* A zero name length is valid and should always yield EISDIR. */
namelen = m_in->m_mib_lsys_call.name_len;
if (prefixlen + namelen > __arraycount(name))
if (namelen > __arraycount(name) ||
prefixlen > __arraycount(name) ||
prefixlen + namelen > __arraycount(name))
return EINVAL;
if (namelen > 0) {