File libotr-CVE-2016-2851.patch of Package libotr
commit ecfd4f468690af6e66b5bf92315972b86071ac1c
Author: Ian Goldberg <iang@cs.uwaterloo.ca>
Date: Thu Mar 3 13:32:41 2016 +0100
Prevent integer overflow on 64-bit architectures when receiving 4GB messages
In several places in proto.c, the sizes of portions of incoming messages were stored in variables of type int or unsigned int instead of size_t. If a message arrives with very large sizes (for example unsigned int datalen = UINT_MAX), then constructions like malloc(datalen+1) will turn into malloc(0), which on some architectures returns a non-NULL pointer, but UINT_MAX bytes will get written to that pointer. Ensure all calls to malloc or realloc cannot integer overflow like this. Thanks to Markus Vervier of X41 D-Sec GmbH <markus.vervier@x41-dsec.de> for the report.
Signed-off-by: Ian Goldberg <iang@cs.uwaterloo.ca>
Signed-off-by: David Goulet <dgoulet@ev0ke.net>
Index: libotr-4.0.0/src/proto.c
===================================================================
--- libotr-4.0.0.orig/src/proto.c 2016-03-08 12:03:10.391129286 +0100
+++ libotr-4.0.0/src/proto.c 2016-03-08 12:04:13.201141683 +0100
@@ -716,7 +716,7 @@ gcry_error_t otrl_proto_accept_data(char
 unsigned int sender_keyid, recipient_keyid;
 gcry_mpi_t sender_next_y = NULL;
 unsigned char ctr[8];
- unsigned int datalen, reveallen;
+ size_t datalen, reveallen;
 unsigned char *data = NULL;
 unsigned char *nul = NULL;
 unsigned char givenmac[20];
@@ -916,7 +916,7 @@ OtrlFragmentResult otrl_proto_fragment_a
 if (k > 0 && n > 0 && k <= n && start > 0 && end > 0 && start < end) {
 if (k == 1) {
- int fraglen = end - start - 1;
+ size_t fraglen = end - start - 1;
 size_t newsize = fraglen + 1;
 free(context->context_priv->fragment);
 context->context_priv->fragment = NULL;
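Review bot: Widening `datalen` and `reveallen` to `size_t` only removes the `datalen + 1` wrap described in the commit message where `size_t` is wider than the 32-bit length read from the wire, i.e. on LP64 targets as the title says; on an ILP32 build `size_t` is still 32 bits and `UINT_MAX + 1` still wraps to zero. Unless the allocation sites already bound the length against the remaining input before allocating (they are outside this hunk, so I cannot tell), they should reject it explicitly with something like `if (datalen >= SIZE_MAX - 1)` followed by the function's existing malformed-input error path. The declaration itself should say why the type changed, e.g. `/* size_t, not unsigned int: datalen + 1 must not wrap when datalen is a 32-bit wire value */`. otrl_proto_accept_data's body continues outside the hunk.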
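Review bot: The new `size_t fraglen = end - start - 1;` is only safe because of the `start < end` guard on the line above: the subtraction is still performed in the type of `start` and `end` (presumably a signed int, their declarations are not in the hunk), and a negative result would silently become a huge length once widened to `size_t`. Since the guard and this use are easy to separate in a later edit, record the dependency at the declaration: `/* start < end is checked above, so the signed difference is non-negative before it widens */`. The enclosing function (its name is cut in the hunk header) continues outside the hunk.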
@@ -937,7 +937,7 @@ OtrlFragmentResult otrl_proto_fragment_a
 }
 } else if (n == context->context_priv->fragment_n && k == context->context_priv->fragment_k + 1) {
- int fraglen = end - start - 1;
+ size_t fraglen = end - start - 1;
 char *newfrag = NULL;
 size_t newsize = context->context_priv->fragment_len + fraglen + 1; /* Check for overflow */
@@ -989,10 +989,10 @@ gcry_error_t otrl_proto_fragment_create(
 char ***fragments, ConnContext *context, const char *message)
 {
 char *fragdata;
- int fragdatalen = 0;
+ size_t fragdatalen = 0;
 unsigned short curfrag = 0;
- int index = 0;
- int msglen = strlen(message);
+ size_t index = 0;
+ size_t msglen = strlen(message);
 /* Should vary by number of msgs */
 int headerlen = context->protocol_version == 3 ? 37 : 19;
@@ -1006,7 +1006,7 @@ gcry_error_t otrl_proto_fragment_create(
 int i;
 char *fragmentmsg;
- if (msglen - index < mms - headerlen) {
+ if (msglen - index < (size_t)(mms - headerlen)) {
 fragdatalen = msglen - index;
 } else {
 fragdatalen = mms - headerlen;
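Review bot: The cast in `if (msglen - index < (size_t)(mms - headerlen))` turns a negative `mms - headerlen` into a huge unsigned value, so an `mms` smaller than the 19/37-byte header (`int headerlen` is declared in the previous hunk; `mms` is presumably an int parameter, its declaration is outside the hunk) now silently takes the first branch and emits the whole remainder as a single oversized fragment, where the old code would have looped on a negative length. If the function does not already reject such an `mms` before the loop (its start is outside this hunk), add a guard there: `if (mms <= headerlen) return gcry_error(GPG_ERR_INV_VALUE);` or whatever error the function already uses for bad arguments. A short comment on the cast would make the precondition visible at the comparison: `/* compare as size_t; mms - headerlen must be positive here */`. otrl_proto_fragment_create's body continues outside the hunk.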