summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorHongxu Jia <hongxu.jia@windriver.com>2019-06-16 22:17:41 -0400
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-06-18 11:23:48 +0100
commit57588174445781f0c1ca83faa4680612d728ff64 (patch)
tree5f49a21feec330854bbe173d823ea73e38c78f46 /meta
parent27d60c5a812774f0e5c43161e5b514c4aebdf301 (diff)
downloadpoky-57588174445781f0c1ca83faa4680612d728ff64.tar.gz
openssh: fix potential signed overflow in pointer arithmatic
Pointer arithmatic results in implementation defined signed integer type, so that 'd - dst’ in strlcat may trigger signed overflow if pointer ‘d’ is near 0x7fffffff in 32 bits system. In case of ompilation by gcc or clang with -ftrapv option, the overflow would generate program abort. (From OE-Core rev: 1c4b8d797c76a08ebd1658066e9d32972b6abe58) Signed-off-by: hguo3 <heng.guo@windriver.com> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch26
1 files changed, 19 insertions, 7 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch b/meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch
index 7e043a2db1..20036da931 100644
--- a/meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch
+++ b/meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch
@@ -11,14 +11,17 @@ would lead to program abort.
11Upstream-Status: Submitted [http://bugzilla.mindrot.org/show_bug.cgi?id=2608] 11Upstream-Status: Submitted [http://bugzilla.mindrot.org/show_bug.cgi?id=2608]
12 12
13Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com> 13Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
14
15Complete the fix
16Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
14--- 17---
15 openbsd-compat/strlcat.c | 8 ++++++-- 18 openbsd-compat/strlcat.c | 10 +++++++---
16 openbsd-compat/strlcpy.c | 8 ++++++-- 19 openbsd-compat/strlcpy.c | 8 ++++++--
17 openbsd-compat/strnlen.c | 8 ++++++-- 20 openbsd-compat/strnlen.c | 8 ++++++--
18 3 files changed, 18 insertions(+), 6 deletions(-) 21 3 files changed, 19 insertions(+), 7 deletions(-)
19 22
20diff --git a/openbsd-compat/strlcat.c b/openbsd-compat/strlcat.c 23diff --git a/openbsd-compat/strlcat.c b/openbsd-compat/strlcat.c
21index bcc1b61..e758ebf 100644 24index bcc1b61..124e1e3 100644
22--- a/openbsd-compat/strlcat.c 25--- a/openbsd-compat/strlcat.c
23+++ b/openbsd-compat/strlcat.c 26+++ b/openbsd-compat/strlcat.c
24@@ -23,6 +23,7 @@ 27@@ -23,6 +23,7 @@
@@ -29,6 +32,15 @@ index bcc1b61..e758ebf 100644
29 32
30 /* 33 /*
31 * Appends src to string dst of size siz (unlike strncat, siz is the 34 * Appends src to string dst of size siz (unlike strncat, siz is the
35@@ -42,7 +43,7 @@ strlcat(char *dst, const char *src, size_t siz)
36 /* Find the end of dst and adjust bytes left but don't go past end */
37 while (n-- != 0 && *d != '\0')
38 d++;
39- dlen = d - dst;
40+ dlen = (uintptr_t)d - (uintptr_t)dst;
41 n = siz - dlen;
42
43 if (n == 0)
32@@ -55,8 +56,11 @@ strlcat(char *dst, const char *src, size_t siz) 44@@ -55,8 +56,11 @@ strlcat(char *dst, const char *src, size_t siz)
33 s++; 45 s++;
34 } 46 }
@@ -70,7 +82,7 @@ index b4b1b60..b06f374 100644
70 82
71 #endif /* !HAVE_STRLCPY */ 83 #endif /* !HAVE_STRLCPY */
72diff --git a/openbsd-compat/strnlen.c b/openbsd-compat/strnlen.c 84diff --git a/openbsd-compat/strnlen.c b/openbsd-compat/strnlen.c
73index 93d5155..9b8de5d 100644 85index 7ad3573..7040f1f 100644
74--- a/openbsd-compat/strnlen.c 86--- a/openbsd-compat/strnlen.c
75+++ b/openbsd-compat/strnlen.c 87+++ b/openbsd-compat/strnlen.c
76@@ -23,6 +23,7 @@ 88@@ -23,6 +23,7 @@
@@ -95,5 +107,5 @@ index 93d5155..9b8de5d 100644
95 } 107 }
96 #endif 108 #endif
97-- 109--
981.9.1 1102.17.1
99 111