path: root/local_patches/glibc-2.2.5/generic/generic-xdr_array.diff
blob: 06c49c519d86e76a1f8f4b8c51c883287d743a4b (plain)
#
# glibc-2.2.5 "xdr_array" fix
# (Category - Essential security fix)
# (Source - glibc cvs glibc-2-2-branch)
#
# There is an integer overflow present in the xdr_array() function
# distributed as part of the Sun Microsystems XDR library. This
# overflow has been shown to lead to remotely exploitable buffer
# overflows in multiple applications, leading to the execution of
# arbitrary code. Although the library was originally distributed by
# Sun Microsystems, multiple vendors have included the vulnerable code
# in their own implementations.
#
# http://www.cert.org/advisories/CA-2002-25.html
# http://www.zipworld.com.au/%7Egschafer/patches/glibc-2.2.5.xdr_array.patch.gz
#
diff -uNr glibc-2.2.5.orig/sunrpc/xdr_array.c glibc-2.2.5/sunrpc/xdr_array.c
--- glibc-2.2.5.orig/sunrpc/xdr_array.c	2001-08-17 14:48:31.000000000 +1000
+++ glibc-2.2.5/sunrpc/xdr_array.c	2002-08-06 14:14:59.000000000 +1000
@@ -45,6 +45,7 @@
 #include <rpc/types.h>
 #include <rpc/xdr.h>
 #include <libintl.h>
+#include <limits.h>
 
 #ifdef USE_IN_LIBIO
 # include <wchar.h>
@@ -81,7 +82,11 @@
       return FALSE;
     }
   c = *sizep;
-  if ((c > maxsize) && (xdrs->x_op != XDR_FREE))
+  /*
+   * XXX: Let the overflow possibly happen with XDR_FREE because mem_free()
+   * doesn't actually use its second argument anyway.
+   */
+  if ((c > maxsize || c > UINT_MAX / elsize) && (xdrs->x_op != XDR_FREE))
     {
       return FALSE;
     }
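Review bot: The new guard `c > UINT_MAX / elsize` divides by `elsize` without ruling out zero, and a zero divisor there is undefined behaviour; `elsize` is the caller-supplied element size (in practice a `sizeof`, so non-zero), but the precondition is not stated anywhere near the check. A one-line comment such as `/* elsize is the caller's sizeof(element); must be non-zero or the division below is UB */`, or a defensive `elsize == 0 ||` in front of the existing condition, would make the limit of the check explicit. The guard is also bypassed entirely for `XDR_FREE`, which, as the added comment says, relies on `mem_free()` ignoring its size argument; if that helper ever starts honouring the size, the multiplication of `c` by `elsize` presumably performed later in the function could wrap again, so the comment should name that dependency as the reason rather than leave it as an `XXX`. The enclosing xdr_array function begins before and continues after this hunk.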