Bug 86971

Summary: adcli: technically wrong length checks in binary parsers
Product: realmd Reporter: Florian Weimer <fweimer>
Component: adcliAssignee: Stef Walter <stefw>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: medium CC: sbose, stefw
Version: unspecified   
Hardware: Other   
OS: All   
Whiteboard:
i915 platform: i915 features:
Attachments: Fix for the buffer length checks

Description Florian Weimer 2014-12-03 12:39:50 UTC 
library/addisco.c has several comparison like the check in this function:

static unsigned short
get_16 (unsigned char **p,
        unsigned char *end)
{
	unsigned short val;
	if ((*p) + 2 > end)
		return 0;
	val = ns_get16 (*p);
	(*p) += 2;
	return val;
}

The problem is that a pointer that points after the element after the last element in the buffer is invalid.  Depending on how this function is call, a smart compiler could optimize away such checks.

The comparison should be written like this:

	if (end - (*p) < 2)
Comment 1 Sumit Bose 2015-12-02 17:13:53 UTC 
Created attachment 120278 [details] [review]
Fix for the buffer length checks

Please consider this patch as a fix for the ticket,
Comment 2 Stef Walter 2015-12-07 09:00:36 UTC 
Thanks! Merged into git master.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.