Hi,

On Thu, Apr 21, 2016 at 08:51:27AM +0200, Jens wrote:
> > This is without a doubt an improvement, but it still leaves an
> > opportunity open to achieve a buffer overflow through an integer
> > overflow. Consider a tosearch with len 11, and a replacewith with len
> > [???]
>
> Good point. Patch attached.

While this looks totally reasonable, it does not compile... both in
master and release/2.3, both on linux and FreeBSD, I get

libtool: compile:  cc -DHAVE_CONFIG_H -I. -I../../../../openvpn/src/plugins/auth-pam -I../../.. -I../../../include -I../../../../openvpn/include -g -O2 -MT auth-pam.lo -MD -MP -MF .deps/auth-pam.Tpo -c ../../../../openvpn/src/plugins/auth-pam/auth-pam.c  -fPIC -DPIC -o .libs/auth-pam.o
../../../../openvpn/src/plugins/auth-pam/auth-pam.c:141:53: error: use of undeclared identifier 'SIZE_MAX'
  bool is_potential_integer_overflow = (templen == SIZE_MAX) || (temple...

... you need to #include <stdint.h> to get that symbol...

Steffan: for the sake of "avoid yet another full loop and a v3", could
you just ACK this change as well?

gert
--
USENET is *not* the non-clickable part of WWW!
                                                  //www.muc.de/~gert/
Gert Doering - Munich, Germany                    g...@greenie.muc.de
fax: +49-89-35655025               g...@net.informatik.tu-muenchen.de
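
Added example, not part of the original mail and not the OpenVPN patch: a self-contained C sketch of the kind of check discussed above, where the worst-case scratch size for a search-and-replace is validated against `SIZE_MAX` (which requires `<stdint.h>`) before any buffer is allocated. The helper names `scratch_size` and `replace_all`, the heap buffer and the sample input are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>   /* SIZE_MAX is declared here; without it the check does not compile */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: worst-case size a*b+1 (with NUL), false if it would wrap. */
static bool scratch_size(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > (SIZE_MAX - 1) / a)
        return false;               /* a*b+1 does not fit in size_t */
    *out = a * b + 1;
    return true;
}

/* Replace every occurrence of searchfor in tosearch; caller frees the result.
 * Returns NULL on empty arguments, size overflow or allocation failure. */
static char *replace_all(const char *tosearch, const char *searchfor,
                         const char *replacewith)
{
    size_t slen = strlen(tosearch), flen = strlen(searchfor);
    size_t rlen = strlen(replacewith), cap, used = 0;
    if (slen == 0 || flen == 0 || rlen == 0 || !scratch_size(slen, rlen, &cap))
        return NULL;
    char *out = malloc(cap);        /* each input byte yields at most rlen bytes */
    if (!out)
        return NULL;
    while (*tosearch) {
        if (strncmp(tosearch, searchfor, flen) == 0) {
            memcpy(out + used, replacewith, rlen);
            used += rlen;
            tosearch += flen;
        } else {
            out[used++] = *tosearch++;
        }
    }
    out[used] = '\0';
    return out;
}

int main(void)
{
    char *r = replace_all("abcabcabcab", "b", "XYZ");  /* constructed input, len 11 */
    size_t n;
    printf("%s\n", r ? r : "(null)");
    printf("1 * SIZE_MAX accepted: %d\n", scratch_size(1, SIZE_MAX, &n));
    free(r);
    return 0;
}
```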