From: Christian Goeschel Ndjomouo
Date: Mon, 6 Apr 2026 21:15:20 +0000 (-0400)
Subject: bits: prevent unsigned integer underflow and long-lived loop
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0c0040b83407d5d9f37959ae2b8a0fa76e504052;p=thirdparty%2Futil-linux.git

bits: prevent unsigned integer underflow and long-lived loop

If 0 is allowed for --width it will culminate in a wraparound due to an unsigned integer underflow when a size_t for-loop control variable, namely 'n', is set up.

n is the result of cpuset_nbits(size) - 1, where size is set by cpuset_alloc() which was called with 0 (width) for the @ncpus parameter that will make it so that @size remains 0 as the calculated memory allocation size yields zero as well. Therefore the sum for 'n' will be -1 that wraps around to UINT_MAX and creates a long-lived for loop.

Signed-off-by: Christian Goeschel Ndjomouo
---
diff --git a/text-utils/bits.c b/text-utils/bits.c index 97a77a82f..dbeaa09b7 100644 --- a/text-utils/bits.c +++ b/text-utils/bits.c @@ -17,6 +17,7 @@ #include #include #include +#include #include #include @@ -283,6 +284,8 @@ int main(int argc, char **argv) /* allow up to 128k masks */ width = str2unum_or_err(optarg, 10, _("invalid --width"), 128 * 1024); + if (width == 0) + errx(EXIT_FAILURE, _("invalid --width")); break; case 'V': print_version(EXIT_SUCCESS);
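Review bot: in the second hunk (text-utils/bits.c, main(), the --width case), the new `if (width == 0)` branch reports the same string, `_("invalid --width")`, that is already passed to str2unum_or_err() on the line above, so a user who passes 0 cannot tell that zero specifically is the rejected value. A message saying the width must be greater than zero would be clearer, and the comment `/* allow up to 128k masks */` should mention the lower bound too. The check also closes only the command-line path: per the commit message the wraparound happens where 'n' is set to `cpuset_nbits(size) - 1`, and that expression stays unguarded, so consider also handling a zero size at the loop itself so the invariant does not rest on option parsing alone.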