From: Roy Marples <roy@marples.name>
Date: Wed, 10 Jun 2020 10:16:14 +0000 (+0100)
Subject: Try and guard against impossibly large data.
X-Git-Tag: v9.1.2~15
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=96f6ea301c981495fd43a0deb722c7423fe505f6;p=thirdparty%2Fdhcpcd.git

Try and guard against impossibly large data.
---

diff --git a/src/dhcpcd.c b/src/dhcpcd.c
index e6ff2766..dc21583b 100644
--- a/src/dhcpcd.c
+++ b/src/dhcpcd.c
@@ -1686,6 +1686,10 @@ dhcpcd_readdump1(void *arg)
 			errno = EINVAL;
 		goto err;
 	}
+	if (ctx->ctl_buflen > SSIZE_MAX) {
+		errno = ENOBUFS;
+		goto err;
+	}
 
 	free(ctx->ctl_buf);
 	ctx->ctl_buf = malloc(ctx->ctl_buflen);
diff --git a/src/privsep-root.c b/src/privsep-root.c
index 00edd8a7..025bde9b 100644
--- a/src/privsep-root.c
+++ b/src/privsep-root.c
@@ -151,10 +151,10 @@ ps_root_mreaderrorcb(void *arg)
 		PSR_ERROR(errno);
 	else if ((size_t)len < sizeof(*psr_error))
 		PSR_ERROR(EINVAL);
-	else if (psr_error->psr_datalen > SSIZE_MAX)
-		PSR_ERROR(ENOBUFS);
 
-	if (psr_error->psr_datalen != 0) {
+	if (psr_error->psr_datalen > SSIZE_MAX)
+		PSR_ERROR(ENOBUFS);
+	else if (psr_error->psr_datalen != 0) {
 		psr_ctx->psr_data = malloc(psr_error->psr_datalen);
 		if (psr_ctx->psr_data == NULL)
 			PSR_ERROR(errno);