diff options
author | Daniel Mack <zonque@gmail.com> | 2014-03-08 14:18:48 +0100 |
---|---|---|
committer | Daniel Mack <zonque@gmail.com> | 2014-03-08 14:18:48 +0100 |
commit | b629d0984206ad855cc0cb7e6a376c919f7bf366 (patch) | |
tree | 0df3316c68ea670e6efbfc8f19186907a17f39b7 | |
parent | 2a781fc9bd33982c81e5ff75974a442a33d4f167 (diff) |
sd-bus: check for potential integer overflow in KDBUS_ITEM_FOREACH()
For large values of item->size, the 'part' pointer can wrap around,
which results in an illegal pointer, but currently passes the for-loop
condition.
-rw-r--r-- | src/libsystemd/sd-bus/bus-kernel.h | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/src/libsystemd/sd-bus/bus-kernel.h b/src/libsystemd/sd-bus/bus-kernel.h index c4722cbac6..a1e9691f1d 100644 --- a/src/libsystemd/sd-bus/bus-kernel.h +++ b/src/libsystemd/sd-bus/bus-kernel.h @@ -31,7 +31,8 @@ #define KDBUS_ITEM_FOREACH(part, head, first) \ for (part = (head)->first; \ - (uint8_t *)(part) < (uint8_t *)(head) + (head)->size; \ + ((uint8_t *)(part) < (uint8_t *)(head) + (head)->size) && \ + ((uint8_t *) part >= (uint8_t *) head); \ part = KDBUS_ITEM_NEXT(part)) #define KDBUS_ITEM_HEADER_SIZE offsetof(struct kdbus_item, data) |