client_context_read_extra_fields() reads a 64-bit field length v from
the per-unit log-extra-fields file. n = sizeof(uint64_t) + v overflows
(wraps around, since the arithmetic is unsigned) when v is near UINT64_MAX,
so the "left < n" check is bypassed and the following memchr() reads up to
v bytes starting at field, past the end of the buffer. Bound v against the
remaining bytes instead, which cannot overflow.
if (v < 2)
return -EBADMSG;
- n = sizeof(uint64_t) + v;
- if (left < n)
+ /* left >= sizeof(uint64_t) here, so the subtraction is safe and we avoid
+ * overflowing sizeof(uint64_t) + v when v is close to UINT64_MAX. */
+ if (v > left - sizeof(uint64_t))
return -EBADMSG;
+ n = sizeof(uint64_t) + v;
+
field = q + sizeof(uint64_t);
eq = memchr(field, '=', v);