Bug 86971 - adcli: technically wrong length checks in binary parsers
Summary: adcli: technically wrong length checks in binary parsers
Status: RESOLVED FIXED
Alias: None
Product: realmd
Classification: Unclassified
Component: adcli (show other bugs)
Version: unspecified
Hardware: Other All
: medium normal
Assignee: Stef Walter
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-12-03 12:39 UTC by Florian Weimer
Modified: 2015-12-07 09:00 UTC (History)
2 users (show)

See Also:
i915 platform:
i915 features:

Attachments
Fix for the buffer length checks (2.07 KB, patch)
2015-12-02 17:13 UTC, Sumit Bose 		Details | Splinter Review
View All

Description Florian Weimer 2014-12-03 12:39:50 UTC 
library/addisco.c has several comparison like the check in this function:

static unsigned short
get_16 (unsigned char **p,
        unsigned char *end)
{
	unsigned short val;
	if ((*p) + 2 > end)
		return 0;
	val = ns_get16 (*p);
	(*p) += 2;
	return val;
}

The problem is that a pointer that points after the element after the last element in the buffer is invalid.  Depending on how this function is call, a smart compiler could optimize away such checks.

The comparison should be written like this:

	if (end - (*p) < 2)
Comment 1 Sumit Bose 2015-12-02 17:13:53 UTC 
Created attachment 120278 [details] [review]
Fix for the buffer length checks

Please consider this patch as a fix for the ticket,
Comment 2 Stef Walter 2015-12-07 09:00:36 UTC 
Thanks! Merged into git master.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.