Possible security hole
jw schultz
jw at pegasys.ws
Tue Oct 7 08:39:14 EST 2003
On Tue, Oct 07, 2003 at 12:59:31AM +0300, Timo Sirainen wrote:
> On Sun, 2003-10-05 at 02:56, Wayne Davison wrote:
> > On Sat, Oct 04, 2003 at 11:38:48PM +0300, Timo Sirainen wrote:
> > > for (i=0; i < (int) s->count;i++) {
> >
> > Yeah, that's pretty bad. Attached is a patch that should fix this and a
> > number of other related problems where the code assumed that size_t
> > would fit into an int.
>
> The main problem wasn't int vs. size_t. malloc() call would have
> overflowed even if i had been size_t.
Wayne was addressing the type inconsistency which you
had brought up as a second point.
> Included a patch that fixes all the potential malloc()/realloc()
> overflows that I found. I'd feel a bit safer with them included :)
Looks mostly OK.
Some nits:
Always put whitespace around operators, "INT_MAX - 4" not "INT_MAX-4".

INT_MAX is probably incorrect. UINT_MAX is closer but don't count on 32-bit ints or that size_t == uint32. When on a 64-bit system size_t won't wrap on us so we don't want to impose an arbitrary limit.

If the patch is an attachment use text/plain not some other mime-type.
--
________________________________________________________________
J.W. Schultz Pegasystems Technologies
email address: jw at pegasys.ws
Remember Cernan and Schmitt
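The two defects under discussion, the count * sizeof() product handed to malloc() wrapping, and the "(int) s->count" loop bound going negative, plus the kind of check the nit above asks for (a ceiling derived from SIZE_MAX rather than a hard-coded INT_MAX or UINT_MAX), as an added example. This is written for this page; it is not rsync's code and not either of the patches in the thread, and struct entry is a hypothetical record type standing in for whatever is allocated per item.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical per-item record; rsync's real struct is not reproduced here. */
struct entry {
    char     name[12];
    uint32_t mode;
};

/*
 * Overflow check for count * elem_size against an explicit ceiling.
 * Passing SIZE_MAX gives the portable check: no fixed INT_MAX/UINT_MAX
 * constant, so a 64-bit size_t is not saddled with an arbitrary 32-bit
 * limit. Passing UINT32_MAX models a 32-bit size_t on any host.
 */
static int mul_fits_in(size_t count, size_t elem_size, size_t ceiling)
{
    if (elem_size == 0)
        return 1;
    return count <= ceiling / elem_size;
}

/* malloc() of an array that refuses to let the size computation wrap. */
static void *malloc_array(size_t count, size_t elem_size)
{
    if (!mul_fits_in(count, elem_size, SIZE_MAX))
        return NULL;                    /* caller treats it like a failed malloc() */
    return malloc(count * elem_size);
}

/* The unchecked 32-bit product: what malloc() would actually be asked for. */
static uint32_t wrapped_request32(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;           /* unsigned wraparound modulo 2^32 */
}

/*
 * The loop bound from the quoted snippet, "i < (int) s->count": once count
 * exceeds INT_MAX the cast yields a negative value (modulo reduction, as
 * gcc and clang document), so the loop runs zero times. Returns the number
 * of iterations executed, capped so the demonstration stays cheap.
 */
static unsigned long iterations_with_int_cast(uint32_t count)
{
    unsigned long n = 0;
    int i;
    for (i = 0; i < (int) count; i++) {
        if (++n >= 1000)
            break;
    }
    return n;
}

int main(void)
{
    uint32_t big = 0x10000001u;         /* 268435457 entries of 16 bytes each */
    struct entry *e;

    printf("16-byte entries, count 0x%lx:\n", (unsigned long) big);
    printf("  wrapped 32-bit request : %lu bytes\n",
           (unsigned long) wrapped_request32(big, 16));
    printf("  fits in 32-bit size_t  : %d\n", mul_fits_in(big, 16, UINT32_MAX));
    printf("  fits in this size_t    : %d\n", mul_fits_in(big, 16, SIZE_MAX));
    printf("  loop iterations with (int) cast, count 0x80000000: %lu\n",
           iterations_with_int_cast(0x80000000u));

    e = malloc_array(4, sizeof *e);
    if (e != NULL) {
        printf("  small allocation ok\n");
        free(e);
    }
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run it. With count 0x10000001 and 16-byte elements the 32-bit product wraps to 16 bytes, so an unchecked malloc() would return a buffer 16 bytes long for 268 million entries; the ceiling check rejects that on a 32-bit size_t and accepts it on a 64-bit one, which is exactly the behaviour the nit asks for.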