a61a21ef MT |
1 | From d37c2b20a4787463d192b32041c3406c2bd91de0 Mon Sep 17 00:00:00 2001 |
2 | From: Arjun Shankar <arjun@redhat.com> | |
3 | Date: Mon, 15 Jan 2024 17:44:45 +0100 | |
4 | Subject: [PATCH 44/44] syslog: Fix integer overflow in __vsyslog_internal | |
5 | (CVE-2023-6780) | |
6 | ||
7 | __vsyslog_internal calculated a buffer size by adding two integers, but | |
8 | did not first check if the addition would overflow. This commit fixes | |
9 | that. | |
10 | ||
11 | Reviewed-by: Carlos O'Donell <carlos@redhat.com> | |
12 | Tested-by: Carlos O'Donell <carlos@redhat.com> | |
13 | (cherry picked from commit ddf542da94caf97ff43cc2875c88749880b7259b) | |
14 | --- | |
15 | misc/syslog.c | 3 ++- | |
16 | 1 file changed, 2 insertions(+), 1 deletion(-) | |
17 | ||
18 | diff --git a/misc/syslog.c b/misc/syslog.c | |
19 | index 53440e47ad..4af87f54fd 100644 | |
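--- a/misc/syslog.c
+++ b/misc/syslog.c
@@ -41,6 +41,7 @@ static char sccsid[] = "@(#)syslog.c 8.4 (Berkeley) 3/18/94";
 #include <sys/uio.h>
 #include <sys/un.h>
 #include <syslog.h>
+#include <limits.h>
 
 static int LogType = SOCK_DGRAM; /* type of socket connection */
 static int LogFile = -1; /* fd for log */
@@ -219,7 +220,7 @@ __vsyslog_internal (int pri, const char *fmt, va_list ap,
 vl = __vsnprintf_internal (pos, len, fmt, apc, mode_flags);
 va_end (apc);
 
- if (vl < 0)
+ if (vl < 0 || vl >= INT_MAX - l)
 goto out;
 
 if (vl >= len)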
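Review bot: The new guard `if (vl < 0 || vl >= INT_MAX - l)` in the second hunk has no comment saying which later computation it protects or why the comparison is `>=` rather than `>`. A line such as `/* Reject lengths for which l + vl (plus a terminator) would overflow an int; the message is dropped.  */` above it would record the intent from the commit message in the code. The subtraction `INT_MAX - l` is only safe if `l` is non-negative at this point, which is presumably established by an earlier check outside the hunk and should be confirmed there. The rejected case goes to `out`, the same label as a formatting failure, so an oversized message appears to produce no log entry. Whether anything is reported on that path is not visible here, as the body of `__vsyslog_internal` starts and ends outside the hunk.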
39 | -- | |
40 | 2.39.2 | |
41 |