From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Wed, 4 Feb 2026 17:01:30 +0000 (+0100)
Subject: dmesg: Fix short memory allocation with 32 bit
X-Git-Tag: v2.43-devel~94^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c673579bb1e327286fd7c3afb727680c5749cddc;p=thirdparty%2Futil-linux.git

dmesg: Fix short memory allocation with 32 bit

The buffer size can be specified as 32 bit unsigned int with command
line argument. In read_syslog_buffer, the allocation is increased by 8
bytes. This means that an unsigned integer overflow could occur, leading
to less amount of memory allocated than expected.

Please note that this does not lead to a security issue, just an incomplete
message.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
---

diff --git a/sys-utils/dmesg.c b/sys-utils/dmesg.c
index 8af67476c..a0786da2b 100644
--- a/sys-utils/dmesg.c
+++ b/sys-utils/dmesg.c
@@ -1787,6 +1787,9 @@ int main(int argc, char *argv[])
 					_("invalid buffer size argument"));
 			if (ctl.bufsize < 4096)
 				ctl.bufsize = 4096;
+			if (ctl.bufsize > SIZE_MAX - 8)
+				errx(EXIT_FAILURE, "%s: '%s'",
+						_("invalid buffer size argument"), optarg);
 			break;
 		case 'T':
 			include_time_fmt(&ctl, DMESG_TIMEFTM_CTIME);