[OE-core] [PATCH] openssh: fix potential signed overflow in pointer arithmetic

Hongxu Jia hongxu.jia at windriver.com
Mon Jun 17 05:59:35 UTC 2019


On 6/17/19 10:17 AM, Hongxu Jia wrote:
> Pointer arithmetic results in an implementation-defined signed integer
> type, so that 'd - dst' in strlcat may trigger signed overflow if
> pointer 'd' is near 0x7fffffff on a 32-bit system. In case of compilation
> by gcc or clang with the -ftrapv option, the overflow would generate
> a program abort.
>
> Signed-off-by: hguo3 <heng.guo at windriver.com>
> Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
> ---
>   ...ial-signed-overflow-in-pointer-arithmatic.patch | 26 ++++++++++++++++------
>   1 file changed, 19 insertions(+), 7 deletions(-)
>
> diff --git a/meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch b/meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch
> index 7e043a2..20036da 100644
> --- a/meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch
> +++ b/meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch
> @@ -11,14 +11,17 @@ would lead to program abort.
>   Upstream-Status: Submitted [http://bugzilla.mindrot.org/show_bug.cgi?id=2608]
>   

BTW, I've submitted the V2 fix to the above upstream site.

//Hongxu


>   Signed-off-by: Yuanjie Huang <yuanjie.huang at windriver.com>
> +
> +Complete the fix
> +Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
>   ---
> - openbsd-compat/strlcat.c | 8 ++++++--
> - openbsd-compat/strlcpy.c | 8 ++++++--
> - openbsd-compat/strnlen.c | 8 ++++++--
> - 3 files changed, 18 insertions(+), 6 deletions(-)
> + openbsd-compat/strlcat.c | 10 +++++++---
> + openbsd-compat/strlcpy.c |  8 ++++++--
> + openbsd-compat/strnlen.c |  8 ++++++--
> + 3 files changed, 19 insertions(+), 7 deletions(-)
>   
>   diff --git a/openbsd-compat/strlcat.c b/openbsd-compat/strlcat.c
> -index bcc1b61..e758ebf 100644
> +index bcc1b61..124e1e3 100644
>   --- a/openbsd-compat/strlcat.c
>   +++ b/openbsd-compat/strlcat.c
>   @@ -23,6 +23,7 @@
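Review bot: the added header text "Complete the fix" does not say what the earlier revision left out. The diffstat in this hunk shows only strlcat.c growing (from 8 to 10 changed lines), so the header should state that, for example that the first `d - dst` in strlcat was still a signed pointer subtraction, and it should be separated from the following Signed-off-by by a blank line so the note reads as a description rather than as part of the tag block.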
> @@ -29,6 +32,15 @@ index bcc1b61..e758ebf 100644
>    
>    /*
>     * Appends src to string dst of size siz (unlike strncat, siz is the
> +@@ -42,7 +43,7 @@ strlcat(char *dst, const char *src, size_t siz)
> + 	/* Find the end of dst and adjust bytes left but don't go past end */
> + 	while (n-- != 0 && *d != '\0')
> + 		d++;
> +-	dlen = d - dst;
> ++	dlen = (uintptr_t)d - (uintptr_t)dst;
> + 	n = siz - dlen;
> +
> + 	if (n == 0)
>   @@ -55,8 +56,11 @@ strlcat(char *dst, const char *src, size_t siz)
>    		s++;
>    	}
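Review bot: the new `dlen = (uintptr_t)d - (uintptr_t)dst;` in the strlcat hunk at -42,7 relies on uintptr_t being declared, and the body of the inner `@@ -23,6 +23,7 @@` hunk that would add the include is not shown in this diff, so please confirm that the one added line there pulls in the header that defines it on every platform this compat file is built for. The cast itself is a reasonable way to avoid the trap, since unsigned subtraction wraps instead of overflowing, but a one-line comment above it saying why the subtraction is not done on the pointers directly would stop a later cleanup from reverting it. The following inner hunk at -55,8 +56,11 adds three lines for what looks like the same kind of subtraction, while this site is fixed by editing a single line; it would be easier to audit if both sites in strlcat used the same idiom.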
> @@ -70,7 +82,7 @@ index b4b1b60..b06f374 100644
>    
>    #endif /* !HAVE_STRLCPY */
>   diff --git a/openbsd-compat/strnlen.c b/openbsd-compat/strnlen.c
> -index 93d5155..9b8de5d 100644
> +index 7ad3573..7040f1f 100644
>   --- a/openbsd-compat/strnlen.c
>   +++ b/openbsd-compat/strnlen.c
>   @@ -23,6 +23,7 @@
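Review bot: the strnlen.c index line changes from 93d5155..9b8de5d to 7ad3573..7040f1f while the diffstat for that file stays at 8 changed lines, which suggests the embedded patch was regenerated against a different base rather than changed in substance. If so, the commit message should mention the refresh, since "Complete the fix" alone does not explain why a file outside the strlcat change is touched.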
> @@ -95,5 +107,5 @@ index 93d5155..9b8de5d 100644
>    }
>    #endif
>   --
> -1.9.1
> +2.17.1
>   



