Prevent integer overflow on 64-bit architectures when receiving 4GB messages

In several places in proto.c, the sizes of portions of incoming messages were stored in variables of type int or unsigned int instead of size_t. If a message arrives with very large sizes (for example unsigned int datalen = UINT_MAX), then constructions like malloc(datalen+1) will turn into malloc(0), which on some architectures returns a non-NULL pointer, but UINT_MAX bytes will get written to that pointer.

Ensure all calls to malloc or realloc cannot integer overflow like this.

Thanks to Markus Vervier of X41 D-Sec GmbH <email@example.com> for the report.

Signed-off-by: Ian Goldberg <firstname.lastname@example.org>
Signed-off-by: David Goulet <email@example.com>
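The wrap described in the commit message, next to a bounds-checked reader, as an added example that is not code from this commit or from proto.c. The 4-byte big-endian length framing, the function names wrapped_alloc_size and read_field, and the sample messages are assumptions made for illustration.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size the pattern from the commit message requests: the +1 is computed in
 * unsigned int, so datalen == UINT_MAX wraps to 0 before malloc() sees it. */
size_t wrapped_alloc_size(unsigned int datalen)
{
    return datalen + 1;
}

/* Hypothetical hardened reader for a field encoded as a 4-byte big-endian
 * length followed by that many bytes. Returns a NUL-terminated copy, or
 * NULL if the input is malformed or the allocation fails. */
char *read_field(const unsigned char *buf, size_t buflen, size_t *outlen)
{
    size_t datalen;
    char *out;
    if (buflen < 4) return NULL;
    datalen = ((size_t)buf[0] << 24) | ((size_t)buf[1] << 16) |
              ((size_t)buf[2] << 8) | (size_t)buf[3];
    buf += 4;
    buflen -= 4;
    /* Reject a claimed length larger than what actually arrived. Since
     * buflen is below SIZE_MAX here, datalen + 1 cannot wrap either. */
    if (datalen > buflen) return NULL;
    out = malloc(datalen + 1);
    if (out == NULL) return NULL;
    memcpy(out, buf, datalen);
    out[datalen] = '\0';
    *outlen = datalen;
    return out;
}

/* Constructed sample inputs: a well-formed field, and one claiming UINT_MAX bytes. */
static const unsigned char GOOD_MSG[] = { 0, 0, 0, 3, 'a', 'b', 'c' };
static const unsigned char HUGE_MSG[] = { 0xff, 0xff, 0xff, 0xff, 'a' };

int main(void)
{
    size_t n = 0;
    char *s = read_field(GOOD_MSG, sizeof GOOD_MSG, &n);
    printf("UINT_MAX + 1 as unsigned int: %zu\n", wrapped_alloc_size(UINT_MAX));
    printf("good field: %s\n", s ? s : "(rejected)");
    printf("huge field accepted: %d\n", read_field(HUGE_MSG, sizeof HUGE_MSG, &n) != NULL);
    free(s);
    return 0;
}
```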