From: Oliver Kurth
Date: Fri, 15 Sep 2017 18:23:46 +0000 (-0700)
Subject: The check for overflow in StrUtil_SafeStrcat needs work.
X-Git-Tag: stable-10.2.0~144
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=324bec1a2057ceb7d37469709ed2b8db2ca6348e;p=thirdparty%2Fopen-vm-tools.git

The check for overflow in StrUtil_SafeStrcat needs work.

Might as well avoid protential overflow while also checking for "insane" string lengths.
---
diff --git a/open-vm-tools/lib/misc/strutil.c b/open-vm-tools/lib/misc/strutil.c
index e4a0ed5ef..2bbccd8b6 100644
--- a/open-vm-tools/lib/misc/strutil.c
+++ b/open-vm-tools/lib/misc/strutil.c
@@ -26,8 +26,10 @@
 #include
 #include
 #include
-#if !defined(_WIN32)
+#if defined(_WIN32)
 #include /* For strncasecmp */
+#else
+#include
 #endif
 #include "vmware.h"
 #include "strutil.h"
@@ -36,6 +38,10 @@
 #include "vm_ctype.h"
 #include "util.h"
+#ifndef SIZE_MAX /* SIZE_MAX is new in C99 */
+#define SIZE_MAX ((size_t) -1)
+#endif
+
 /*
 *-----------------------------------------------------------------------------
@@ -1140,15 +1146,21 @@ StrUtil_SafeDynBufPrintf(DynBuf *b, // IN/OUT
 */
 void
-StrUtil_SafeStrcat(char **prefix, // IN/OUT
- const char *str) // IN
+StrUtil_SafeStrcat(char **prefix, // IN/OUT:
+ const char *str) // IN:
 {
 char *tmp;
- size_t plen = *prefix != NULL ? strlen(*prefix) : 0;
+ size_t plen = (*prefix == NULL) ? 0 : strlen(*prefix);
 size_t slen = strlen(str);
- /* Check for overflow */
- VERIFY((size_t)-1 - plen > slen + 1);
+ /*
+ * If we're manipulating strings that are anywhere near max(size_t)/2 in
+ * length we're doing something very wrong. Avoid potential overflow by
+ * checking for "insane" operations. Prevent the problem before it gets
+ * started.
+ */
+
+ VERIFY((plen < (SIZE_MAX/2)) && (slen < (SIZE_MAX/2)));
 tmp = Util_SafeRealloc(*prefix, plen + slen + 1 /* NUL */);
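Review bot: The `#if` at the top of the first hunk now selects the include commented `/* For strncasecmp */` only when `_WIN32` is defined, which is the inverse of the condition it replaces, while the new `#else` branch pulls in a different header (the header names are lost in this rendering). Unless strncasecmp is declared by one of the headers that remain unconditionally included, non-Windows builds lose the declaration that the old `#if !defined(_WIN32)` block existed to provide, and the Windows side now asks for a header it presumably never needed. The intent looks like adding the header that supplies SIZE_MAX on non-Windows toolchains, which is better done as a separate conditional than by flipping the existing one: keep the original block and add `#if !defined(_WIN32)` / `#include <stdint.h>` / `#endif` next to it, so each guard documents one reason for existing.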
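Review bot: The fallback `#define SIZE_MAX ((size_t) -1)` in the second hunk is the right value, but its comment explains where the macro comes from rather than when the fallback is expected to fire, which is what a maintainer deciding whether it can be removed needs. Suggest `/* SIZE_MAX is C99 (<stdint.h>); provide it for toolchains whose headers lack it */` so the relationship to the conditional include in the first hunk is explicit.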