The buffer size can be specified as a 32-bit unsigned int with a command
line argument. In read_syslog_buffer, the allocation is increased by 8
bytes. This means that an unsigned integer overflow could occur, leading
to less memory being allocated than expected.
Please note that this does not lead to a security issue, just an incomplete
message.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
_("invalid buffer size argument"));
if (ctl.bufsize < 4096)
ctl.bufsize = 4096;
+ if (ctl.bufsize > SIZE_MAX - 8)
+ errx(EXIT_FAILURE, "%s: '%s'",
+ _("invalid buffer size argument"), optarg);
break;
case 'T':
include_time_fmt(&ctl, DMESG_TIMEFTM_CTIME);
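Review bot: The literal 8 in the added `if (ctl.bufsize > SIZE_MAX - 8)` check duplicates the padding that, per the commit message, read_syslog_buffer adds to the allocation, and nothing in the hunk ties the two together. If that padding ever changes, this bound will silently stop matching. Consider a shared named constant used at both sites, or at least a comment here pointing at read_syslog_buffer. It is also worth confirming which type the `+ 8` is evaluated in: the message describes the argument as a 32-bit unsigned int, so if the addition is performed in unsigned int rather than size_t, the bound that prevents the wrap is UINT_MAX - 8, and the SIZE_MAX comparison can never be true on platforms where size_t is 64 bits wide.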