| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20131112185214.GA29913@amd64.fatal.se>
Date: Tue, 12 Nov 2013 19:52:14 +0100
From: Andreas Henriksson <andreas@...al.se>
To: stephen@...workplumber.org
Cc: netdev@...r.kernel.org
Subject: [PATCH iproute2] ss: avoid passing negative numbers to malloc
Example:
$ ss state established \( sport = :4060 or sport = :4061 or sport = :4062 or sport = :4063 or sport = :4064 or sport = :4065 or sport = :4066 or sport = :4067 \) > /dev/null
Aborted
In the example above ssfilter_bytecompile(...) will return (int)136.
char l1 = 136; means -120 which will result in a negative number
being passed to malloc at misc/ss.c:913.
Simply declare l1 and l2 as intergers to avoid the char overflow.
This is one of the issues originally reported in http://bugs.debian.org/511720
Reported-by: Andreas Schuldei <andreas@...ian.org>
Signed-off-by: Andreas Henriksson <andreas@...al.se>
---
misc/ss.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/misc/ss.c b/misc/ss.c
index c0369f1..db3a3a4 100644
--- a/misc/ss.c
+++ b/misc/ss.c
@@ -907,7 +907,8 @@ static int ssfilter_bytecompile(struct ssfilter *f, char **bytecode)
}
case SSF_OR:
{
- char *a1, *a2, *a, l1, l2;
+ char *a1, *a2, *a;
+ int l1, l2;
l1 = ssfilter_bytecompile(f->pred, &a1);
l2 = ssfilter_bytecompile(f->post, &a2);
if (!(a = malloc(l1+l2+4))) abort();
--
1.8.4.3
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists