upstream commit

Check for integer overflow when parsing times in
convtime().  Reported by nicolas.iooss at m4x.org, ok djm@

Upstream-ID: 35e6a4e98f6fa24df50bfb8ba1307cf70e966f13

diff --git a/misc.c b/misc.c
index 65c9222aa8b0ce3be5e6a37af77b7c6d03696ce8..08fcb38c2c06705c990f9bd1244c615264d9af53 100644 (file)
--- a/misc.c
+++ b/misc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: misc.c,v 1.107 2016/11/30 00:28:31 dtucker Exp $ */
+/* $OpenBSD: misc.c,v 1.108 2017/03/14 00:25:03 dtucker Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  * Copyright (c) 2005,2006 Damien Miller.  All rights reserved.
@@ -306,7 +306,7 @@ a2tun(const char *s, int *remote)
 long
 convtime(const char *s)
 {
-       long total, secs;
+       long total, secs, multiplier = 1;
        const char *p;
        char *endp;
 
@@ -333,23 +333,28 @@ convtime(const char *s)
                        break;
                case 'm':
                case 'M':
-                       secs *= MINUTES;
+                       multiplier = MINUTES;
                        break;
                case 'h':
                case 'H':
-                       secs *= HOURS;
+                       multiplier = HOURS;
                        break;
                case 'd':
                case 'D':
-                       secs *= DAYS;
+                       multiplier = DAYS;
                        break;
                case 'w':
                case 'W':
-                       secs *= WEEKS;
+                       multiplier = WEEKS;
                        break;
                default:
                        return -1;
                }
+               if (secs > LONG_MAX / multiplier)
+                       return -1;
+               secs *= multiplier;
+               if  (total > LONG_MAX - secs)
+                       return -1;
                total += secs;
                if (total < 0)
                        return -1;