authorAlan Coopersmith <alan.coopersmith@oracle.com>2013-04-14 09:07:32 -0700
committerAlan Coopersmith <alan.coopersmith@oracle.com>2013-04-26 16:49:23 -0700
commit26dc23446c2e7818fdebfb46e101bac4883df07e (patch)
treebab75f1eaf8aba027fbcbf12120d9d669e0d2ee1 /src/FSOpenServ.c
parentf6030dd569094fb29720a4bf54aec784b1edcac5 (diff)
Sign extension issue and integer overflow in FSOpenServer() [CVE-2013-1996]
> altlen = (int) *ad++;                          <-- if char is 0xff, will sign extend to int (0xffffffff == -1)
> alts[i].name = (char *) FSmalloc(altlen + 1);  <-- -1 + 1 == 0
> ...
> memmove(alts[i].name, ad, altlen);             <-- memory corruption

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Diffstat (limited to 'src/FSOpenServ.c')
-rw-r--r--src/FSOpenServ.c8
1 files changed, 4 insertions, 4 deletions
diff --git a/src/FSOpenServ.c b/src/FSOpenServ.c
index f1a6157..15a657a 100644
--- a/src/FSOpenServ.c
+++ b/src/FSOpenServ.c
@@ -111,10 +111,10 @@ FSOpenServer(const char *server)
char *setup = NULL;
fsConnSetupAccept conn;
char *auth_data = NULL;
- char *alt_data = NULL,
+ unsigned char *alt_data = NULL,
*ad;
AlternateServer *alts = NULL;
- int altlen;
+ unsigned int altlen;
char *vendor_string;
unsigned long setuplength;
@@ -157,7 +157,7 @@ FSOpenServer(const char *server)
setuplength = prefix.alternate_len << 2;
if (setuplength > (SIZE_MAX>>2)
- || (alt_data = (char *)
+ || (alt_data = (unsigned char *)
(setup = FSmalloc(setuplength))) == NULL) {
goto fail;
}
@@ -176,7 +176,7 @@ FSOpenServer(const char *server)
}
for (i = 0; i < prefix.num_alternates; i++) {
alts[i].subset = (Bool) *ad++;
- altlen = (int) *ad++;
+ altlen = (unsigned int) *ad++;
alts[i].name = FSmalloc(altlen + 1);
if (!alts[i].name) {
while (--i) {
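Review bot: The loop in the third hunk still advances `ad` by two bytes and later copies `altlen` bytes per alternate without, as far as the hunk shows, checking that it stays within the `setuplength` bytes allocated for `alt_data` in the second hunk, so the unsigned cast removes the negative length but not an over-read when `prefix.num_alternates` or the name lengths do not fit in `alternate_len << 2`. Unless that check exists outside the hunk, guard each iteration: `if (alt_data + setuplength - ad < 2) goto fail;` before the `subset` read and `if (altlen > (size_t)(alt_data + setuplength - ad)) goto fail;` right after the `altlen` assignment (assuming `ad` walks `alt_data` from its start and `fail` releases what the loop has allocated so far). Separately, `while (--i)` on the hunk's last line never revisits index 0 and enters the loop with an out-of-range index when the failure happens at i == 0; `while (i-- > 0)` walks exactly the entries already allocated, though the loop body and the declaration of i lie outside the hunk. FSOpenServer's body continues past the hunk.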