Re: [OE-core] [PATCH] openssh: fix potential signed overflow in pointer arithmatic

Sun, 16 Jun 2019 22:59:53 -0700 

On 6/17/19 10:17 AM, Hongxu Jia wrote:

Pointer arithmatic results in implementation defined signed integer
type, so that 'd - dst’ in strlcat may trigger signed overflow if
pointer ‘d’ is near 0x7fffffff in 32 bits system. In case of ompilation
by gcc or clang with -ftrapv option, the overflow would generate
program abort.

Signed-off-by: hguo3 <heng....@windriver.com>
Signed-off-by: Hongxu Jia <hongxu....@windriver.com>
---
  ...ial-signed-overflow-in-pointer-arithmatic.patch | 26 ++++++++++++++++------
  1 file changed, 19 insertions(+), 7 deletions(-)

diff --git 
a/meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch
 
b/meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch
index 7e043a2..20036da 100644
--- 
a/meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch
+++ 
b/meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch
@@ -11,14 +11,17 @@ would lead to program abort.
  Upstream-Status: Submitted [http://bugzilla.mindrot.org/show_bug.cgi?id=2608]


BTW, I've submitted the V2 fix to above upstream site

//Hongxu



  Signed-off-by: Yuanjie Huang <yuanjie.hu...@windriver.com>
+
+Complete the fix
+Signed-off-by: Hongxu Jia <hongxu....@windriver.com>
  ---
- openbsd-compat/strlcat.c | 8 ++++++--
- openbsd-compat/strlcpy.c | 8 ++++++--
- openbsd-compat/strnlen.c | 8 ++++++--
- 3 files changed, 18 insertions(+), 6 deletions(-)
+ openbsd-compat/strlcat.c | 10 +++++++---
+ openbsd-compat/strlcpy.c |  8 ++++++--
+ openbsd-compat/strnlen.c |  8 ++++++--
+ 3 files changed, 19 insertions(+), 7 deletions(-)
diff --git a/openbsd-compat/strlcat.c b/openbsd-compat/strlcat.c 
-index bcc1b61..e758ebf 100644
+index bcc1b61..124e1e3 100644
  --- a/openbsd-compat/strlcat.c
  +++ b/openbsd-compat/strlcat.c
  @@ -23,6 +23,7 @@
@@ -29,6 +32,15 @@ index bcc1b61..e758ebf 100644
/* 
    * Appends src to string dst of size siz (unlike strncat, siz is the
+@@ -42,7 +43,7 @@ strlcat(char *dst, const char *src, size_t siz)
+       /* Find the end of dst and adjust bytes left but don't go past end */
+       while (n-- != 0 && *d != '\0')
+               d++;
+-      dlen = d - dst;
++      dlen = (uintptr_t)d - (uintptr_t)dst;
+       n = siz - dlen;
+
+       if (n == 0)
  @@ -55,8 +56,11 @@ strlcat(char *dst, const char *src, size_t siz)
                s++;
        }
@@ -70,7 +82,7 @@ index b4b1b60..b06f374 100644
#endif /* !HAVE_STRLCPY */ 
  diff --git a/openbsd-compat/strnlen.c b/openbsd-compat/strnlen.c
-index 93d5155..9b8de5d 100644
+index 7ad3573..7040f1f 100644
  --- a/openbsd-compat/strnlen.c
  +++ b/openbsd-compat/strnlen.c
  @@ -23,6 +23,7 @@
@@ -95,5 +107,5 @@ index 93d5155..9b8de5d 100644
   }
   #endif
  --
-1.9.1
+2.17.1



--
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core

Reply via email to