
Re: security-related gcc bug



Hallvard B Furuseth wrote:
> Howard Chu writes:
>> 	char buf[MYSIZE];
>> 	ber_len_t len;		/* length of current buffer content */
>> 	struct berval *in;	/* passed in, to be moved into buf */
>>
>> You just test:
>> 	if ( in->bv_len > MYSIZE || in->bv_len + len > MYSIZE )
>> 		return FAIL;
>
> Except that in->bv_len + len can wrap around :-) In this case, use
> if ( in->bv_len > MYSIZE - len ) since len will be <= MYSIZE.

No. You missed the point. The first part of the if will catch an outsized in->bv_len. There is never wraparound on any real world buffer sizes. E.g. on a 32-bit platform you cannot have a 2GB data buffer because there's no address space left for the code or stack. Likewise for 64-bit.


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
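The three length checks discussed in this thread side by side, as an added example that is not code from the thread or from OpenLDAP (ber_len_t and struct berval are re-declared locally as stand-ins, and MYSIZE is a constructed 64): the sum-only clause wraps on an oversized length and wrongly passes, while the two-clause form rejects it on the first clause and the subtraction form rejects it as long as the invariant len <= MYSIZE holds.

```c
#include <limits.h>
#include <stddef.h>
#include <string.h>

#define MYSIZE 64   /* constructed buffer size */

/* Local stand-ins for OpenLDAP's ber_len_t and struct berval (assumed here). */
typedef unsigned long ber_len_t;
struct berval { ber_len_t bv_len; char *bv_val; };

/* Second clause alone: in->bv_len + len can wrap to a small value and pass. */
int check_sum_only(const struct berval *in, ber_len_t len)
{
    return (in->bv_len + len > MYSIZE) ? -1 : 0;
}

/* Both clauses as posted: an outsized bv_len is rejected before the sum matters. */
int check_combined(const struct berval *in, ber_len_t len)
{
    return (in->bv_len > MYSIZE || in->bv_len + len > MYSIZE) ? -1 : 0;
}

/* Subtraction form: cannot wrap, but only while the invariant len <= MYSIZE holds. */
int check_subtract(const struct berval *in, ber_len_t len)
{
    return (in->bv_len > MYSIZE - len) ? -1 : 0;
}

/* Append using the subtraction form, re-checking the invariant it depends on. */
int buf_append(char *buf, ber_len_t *len, const struct berval *in)
{
    if (*len > MYSIZE || in->bv_len > MYSIZE - *len)
        return -1;
    memcpy(buf + *len, in->bv_val, in->bv_len);
    *len += in->bv_len;
    return 0;
}

/* Driver: append a constructed 3-byte piece twice; returns the final len (6). */
ber_len_t demo_append(void)
{
    char buf[MYSIZE];
    ber_len_t len = 0;
    struct berval piece = { 3, "abc" };   /* constructed input */
    if (buf_append(buf, &len, &piece) || buf_append(buf, &len, &piece))
        return (ber_len_t)-1;
    return len;
}
```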