Bugzilla – Attachment 2867 Details for
Bug 2608
Signed overflow in openbsd-compat/strlcpy.c
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
proposed fix.
0001-Fix-potential-signed-overflow-in-pointer-arithmatic.patch (text/plain), 2.79 KB, created by
Yuanjie Huang
on 2016-08-24 13:59:34 AEST
(
hide
)
Description:
proposed fix.
Filename:
MIME Type:
Creator:
Yuanjie Huang
Created:
2016-08-24 13:59:34 AEST
Size:
2.79 KB
patch
obsolete
>From 86bcdac6cb1f3830680ad220e596b926e5fe906c Mon Sep 17 00:00:00 2001 >From: Yuanjie Huang <yuanjie.huang@windriver.com> >Date: Wed, 24 Aug 2016 03:15:43 +0000 >Subject: [PATCH] Fix potential signed overflow in pointer arithmatic > >Pointer arithmatic results in implementation defined signed integer >type, so that 's - src' in strlcpy and others may trigger signed overflow. >In case of compilation by gcc or clang with -ftrapv option, the overflow >would lead to program abort. > >Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com> >--- > openbsd-compat/strlcat.c | 8 ++++++-- > openbsd-compat/strlcpy.c | 8 ++++++-- > openbsd-compat/strnlen.c | 8 ++++++-- > 3 files changed, 18 insertions(+), 6 deletions(-) > >diff --git a/openbsd-compat/strlcat.c b/openbsd-compat/strlcat.c >index bcc1b61..e758ebf 100644 >--- a/openbsd-compat/strlcat.c >+++ b/openbsd-compat/strlcat.c >@@ -23,6 +23,7 @@ > > #include <sys/types.h> > #include <string.h> >+#include <stdint.h> > > /* > * Appends src to string dst of size siz (unlike strncat, siz is the >@@ -55,8 +56,11 @@ strlcat(char *dst, const char *src, size_t siz) > s++; > } > *d = '\0'; >- >- return(dlen + (s - src)); /* count does not include NUL */ >+ /* >+ * Cast pointers to unsigned type before calculation, to avoid signed >+ * overflow when the string ends where the MSB has changed. >+ */ >+ return (dlen + ((uintptr_t)s - (uintptr_t)src)); /* count does not include NUL */ > } > > #endif /* !HAVE_STRLCAT */ >diff --git a/openbsd-compat/strlcpy.c b/openbsd-compat/strlcpy.c >index b4b1b60..b06f374 100644 >--- a/openbsd-compat/strlcpy.c >+++ b/openbsd-compat/strlcpy.c >@@ -23,6 +23,7 @@ > > #include <sys/types.h> > #include <string.h> >+#include <stdint.h> > > /* > * Copy src to string dst of size siz. At most siz-1 characters >@@ -51,8 +52,11 @@ strlcpy(char *dst, const char *src, size_t siz) > while (*s++) > ; > } >- >- return(s - src - 1); /* count does not include NUL */ >+ /* >+ * Cast pointers to unsigned type before calculation, to avoid signed >+ * overflow when the string ends where the MSB has changed. >+ */ >+ return ((uintptr_t)s - (uintptr_t)src - 1); /* count does not include NUL */ > } > > #endif /* !HAVE_STRLCPY */ >diff --git a/openbsd-compat/strnlen.c b/openbsd-compat/strnlen.c >index 93d5155..9b8de5d 100644 >--- a/openbsd-compat/strnlen.c >+++ b/openbsd-compat/strnlen.c >@@ -23,6 +23,7 @@ > #include <sys/types.h> > > #include <string.h> >+#include <stdint.h> > > size_t > strnlen(const char *str, size_t maxlen) >@@ -31,7 +32,10 @@ strnlen(const char *str, size_t maxlen) > > for (cp = str; maxlen != 0 && *cp != '\0'; cp++, maxlen--) > ; >- >- return (size_t)(cp - str); >+ /* >+ * Cast pointers to unsigned type before calculation, to avoid signed >+ * overflow when the string ends where the MSB has changed. >+ */ >+ return (size_t)((uintptr_t)cp - (uintptr_t)str); > } > #endif >-- >1.9.1 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=2867">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 2608
:
2866
| 2867 |
3293