From: Oliver Kurth
Date: Fri, 15 Sep 2017 18:23:44 +0000 (-0700)
Subject: lib/misc: StrUtil_SafeStrcat length overflow checking
X-Git-Tag: stable-10.2.0~159
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f68ecb12ebc92592463c0cdcd97f50bc5abb8ea2;p=thirdparty%2Fopen-vm-tools.git
lib/misc: StrUtil_SafeStrcat length overflow checking
The check for overflow in StrUtil_SafeStrcat needs work. Might as well avoid protential overflow while also checking for "insane" string lengths.
---
diff --git a/open-vm-tools/lib/misc/strutil.c b/open-vm-tools/lib/misc/strutil.c
index 52d2f5320..b5c616a6a 100644
--- a/open-vm-tools/lib/misc/strutil.c
+++ b/open-vm-tools/lib/misc/strutil.c
@@ -26,6 +26,7 @@
 #include
 #include
 #include
+#include
 #if !defined(_WIN32)
 #include /* For strncasecmp */
 #endif
@@ -1140,15 +1141,21 @@ StrUtil_SafeDynBufPrintf(DynBuf *b, // IN/OUT
 */
 void
-StrUtil_SafeStrcat(char **prefix, // IN/OUT
- const char *str) // IN
+StrUtil_SafeStrcat(char **prefix, // IN/OUT:
+ const char *str) // IN:
 {
 char *tmp;
- size_t plen = *prefix != NULL ? strlen(*prefix) : 0;
+ size_t plen = (*prefix == NULL) ? 0 : strlen(*prefix);
 size_t slen = strlen(str);
- /* Check for overflow */
- VERIFY((size_t)-1 - plen > slen + 1);
+ /*
+ * If we're manipulating strings that are anywhere near max(size_t)/2 in
+ * length we're doing something very wrong. Avoid potential overflow by
+ * checking for "insane" operations. Prevent the problem before it gets
+ * started.
+ */
+
+ VERIFY((plen < (SIZE_MAX/2)) && (slen < (SIZE_MAX/2)));
 tmp = Util_SafeRealloc(*prefix, plen + slen + 1 /* NUL */);
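Review bot: The new comment gives the intent of the guard ("insane" lengths) but not the invariant the allocation below depends on: with `plen` and `slen` each below `SIZE_MAX/2`, `plen + slen + 1` cannot wrap before it reaches `Util_SafeRealloc`. I would add one line to the comment saying so, for example `* Both lengths below SIZE_MAX/2 means plen + slen + 1 cannot wrap.`, so that a later change to the bound or to the size expression is checked against it. Separately, `str` still goes to `strlen()` unchecked while `*prefix` is allowed to be NULL; if a NULL `str` is a caller error, a `VERIFY(str != NULL);` before `strlen(str)` is evaluated would make it fail the same way as the length check. The function body continues past the end of the hunk, so the copy that uses these lengths is not visible here.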