[systemd-commits] src/libsystemd
Daniel Mack
zonque at kemper.freedesktop.org
Sat Mar 8 05:20:20 PST 2014
src/libsystemd/sd-bus/bus-kernel.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
New commits:
commit b629d0984206ad855cc0cb7e6a376c919f7bf366
Author: Daniel Mack <zonque at gmail.com>
Date: Sat Mar 8 14:18:48 2014 +0100
sd-bus: check for potential integer overflow in KDBUS_ITEM_FOREACH()
For large values of item->size, the 'part' pointer can wrap around,
which results in an illegal pointer, but currently passes the for-loop
condition.
diff --git a/src/libsystemd/sd-bus/bus-kernel.h b/src/libsystemd/sd-bus/bus-kernel.h
index c4722cb..a1e9691 100644
--- a/src/libsystemd/sd-bus/bus-kernel.h
+++ b/src/libsystemd/sd-bus/bus-kernel.h
@@ -31,7 +31,8 @@
#define KDBUS_ITEM_FOREACH(part, head, first) \
for (part = (head)->first; \
- (uint8_t *)(part) < (uint8_t *)(head) + (head)->size; \
+ ((uint8_t *)(part) < (uint8_t *)(head) + (head)->size) && \
+ ((uint8_t *) part >= (uint8_t *) head); \
part = KDBUS_ITEM_NEXT(part))
#define KDBUS_ITEM_HEADER_SIZE offsetof(struct kdbus_item, data)
More information about the systemd-commits
mailing list