From: Lennart Poettering <lennart@poettering.net>
Date: Fri, 12 Oct 2018 16:59:23 +0000 (+0200)
Subject: journal-upload: check for overflow
X-Git-Tag: v240~556^2~1
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c504106c356cb6a5d4bb9416ca1c35c5b495f736;p=thirdparty%2Fsystemd.git

journal-upload: check for overflow

CID 1394386
---

diff --git a/src/journal-remote/journal-upload.c b/src/journal-remote/journal-upload.c
index 157ed413b19..621fd620ee2 100644
--- a/src/journal-remote/journal-upload.c
+++ b/src/journal-remote/journal-upload.c
@@ -280,8 +280,7 @@ int start_upload(Uploader *u,
 
 static size_t fd_input_callback(void *buf, size_t size, size_t nmemb, void *userp) {
         Uploader *u = userp;
-
-        ssize_t r;
+        ssize_t n;
 
         assert(u);
         assert(nmemb < SSIZE_MAX / size);
@@ -289,21 +288,22 @@ static size_t fd_input_callback(void *buf, size_t size, size_t nmemb, void *user
         if (u->input < 0)
                 return 0;
 
-        r = read(u->input, buf, size * nmemb);
-        log_debug("%s: allowed %zu, read %zd", __func__, size*nmemb, r);
+        assert(!size_multiply_overflow(size, nmemb));
 
-        if (r > 0)
-                return r;
+        n = read(u->input, buf, size * nmemb);
+        log_debug("%s: allowed %zu, read %zd", __func__, size*nmemb, n);
+        if (n > 0)
+                return n;
 
         u->uploading = false;
-        if (r == 0) {
-                log_debug("Reached EOF");
-                close_fd_input(u);
-                return 0;
-        } else {
+        if (n < 0) {
                 log_error_errno(errno, "Aborting transfer after read error on input: %m.");
                 return CURL_READFUNC_ABORT;
         }
+
+        log_debug("Reached EOF");
+        close_fd_input(u);
+        return 0;
 }
 
 static void close_fd_input(Uploader *u) {