Re: security-related gcc bug

Hallvard B Furuseth wrote:
Howard Chu writes:
	char buf[MYSIZE];
	ber_len_t len;		/* length of current buffer content */
	struct berval *in;	/* passed in, to be moved into buf */

You just test:
	if ( in->bv_len > MYSIZE || in->bv_len + len > MYSIZE )
		return FAIL;

Except that in->bv_len + len can wrap around :-) In this case, use if ( in->bv_len > MYSIZE - len ) since len will be <= MYSIZE.

No. You missed the point. The first part of the if will catch an outsized in->bv_len. There is never wraparound on any real world buffer sizes. E.g. in a 32 bit platform you cannot have a 2GB data buffer because there's no address space left for the code or stack. Likewise for 64 bit.
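An added example, not part of the original thread: a small C program that runs the forms of the length check discussed above against a constructed oversized length. The `ber_len_t` and `struct berval` definitions are local stand-ins (assumed 32-bit unsigned length), and `MYSIZE` is set to 64 for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local stand-ins (assumptions) for the OpenLDAP types named in the thread. */
typedef uint32_t ber_len_t;                 /* assumed 32-bit unsigned */
struct berval { ber_len_t bv_len; char *bv_val; };
#define MYSIZE 64u

/* Sum-only test: the addition is modulo 2^32, so a huge bv_len can wrap it. */
static int fits_sum_only(ber_len_t len, const struct berval *in) {
    return !(in->bv_len + len > MYSIZE);
}
/* Two-clause test from the thread: reject an outsized bv_len, then the sum. */
static int fits_two_clause(ber_len_t len, const struct berval *in) {
    return !(in->bv_len > MYSIZE || in->bv_len + len > MYSIZE);
}
/* Subtraction form from the thread: relies on the invariant len <= MYSIZE. */
static int fits_subtract(ber_len_t len, const struct berval *in) {
    return !(in->bv_len > MYSIZE - len);
}
/* Returns 1 if the last two forms agree for every len <= MYSIZE. */
static int forms_agree(void) {
    for (ber_len_t len = 0; len <= MYSIZE; len++)
        for (ber_len_t n = 0; n <= 4 * MYSIZE; n++) {
            struct berval in = { n, NULL };
            if (fits_two_clause(len, &in) != fits_subtract(len, &in))
                return 0;
        }
    return 1;
}
/* Append in to buf if it fits; returns 0 on success, -1 on FAIL. */
static int append(char *buf, ber_len_t *len, const struct berval *in) {
    if (*len > MYSIZE || !fits_subtract(*len, in))
        return -1;
    memcpy(buf + *len, in->bv_val, in->bv_len);
    *len += in->bv_len;
    return 0;
}

int main(void) {
    struct berval huge = { UINT32_MAX - 3, NULL };  /* constructed input */
    printf("sum-only accepts huge:   %d\n", fits_sum_only(10, &huge));
    printf("two-clause accepts huge: %d\n", fits_two_clause(10, &huge));
    printf("subtract accepts huge:   %d\n", fits_subtract(10, &huge));
    printf("forms agree for len <= MYSIZE: %d\n", forms_agree());
    return 0;
}
```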

