shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2024-10-28 03:25:31 +03:00
Code

sd-bus: check for potential integer overflow in KDBUS_ITEM_FOREACH()

Browse Source 
For large values of item->size, the 'part' pointer can wrap around,
which results in an illegal pointer, but currently passes the for-loop
condition.
This commit is contained in:
Daniel Mack 2014-03-08 14:18:48 +01:00
parent 2a781fc9bd
commit b629d09842
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/libsystemd/sd-bus/bus-kernel.h
View File

@ -31,7 +31,8 @@
#define KDBUS_ITEM_FOREACH(part, head, first) \
for (part = (head)->first; \
(uint8_t *)(part) < (uint8_t *)(head) + (head)->size; \
((uint8_t *)(part) < (uint8_t *)(head) + (head)->size) && \
((uint8_t *) part >= (uint8_t *) head); \
part = KDBUS_ITEM_NEXT(part))
#define KDBUS_ITEM_HEADER_SIZE offsetof(struct kdbus_item, data)