[src/netbsd-1-6]: src/lib/libc/rpc Pull up revision 1.13 (requested by darren...

[lukem <lukem%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/7e4038f0509d
branches:  netbsd-1-6
changeset: 528658:7e4038f0509d
user:      lukem <lukem%NetBSD.org@localhost>
date:      Wed Jul 31 00:30:38 2002 +0000

description:
Pull up revision 1.13 (requested by darrenr in ticket #592):
patch from openbsd to fix bounds checking, eliminating an overflow condition.

diffstat:

 lib/libc/rpc/xdr_array.c |  12 +++++++-----
 1 files changed, 7 insertions(+), 5 deletions(-)

diffs (50 lines):

diff -r 15c5b8819952 -r 7e4038f0509d lib/libc/rpc/xdr_array.c
--- a/lib/libc/rpc/xdr_array.c  Wed Jul 31 00:26:19 2002 +0000
+++ b/lib/libc/rpc/xdr_array.c  Wed Jul 31 00:30:38 2002 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: xdr_array.c,v 1.12 2000/01/22 22:19:18 mycroft Exp $   */
+/*     $NetBSD: xdr_array.c,v 1.12.8.1 2002/07/31 00:30:38 lukem Exp $ */
 
 /*
  * Sun RPC is a product of Sun Microsystems, Inc. and is provided for
@@ -35,7 +35,7 @@
 static char *sccsid = "@(#)xdr_array.c 1.10 87/08/11 Copyr 1984 Sun Micro";
 static char *sccsid = "@(#)xdr_array.c 2.1 88/07/29 4.0 RPCSRC";
 #else
-__RCSID("$NetBSD: xdr_array.c,v 1.12 2000/01/22 22:19:18 mycroft Exp $");
+__RCSID("$NetBSD: xdr_array.c,v 1.12.8.1 2002/07/31 00:30:38 lukem Exp $");
 #endif
 #endif
 
@@ -54,6 +54,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <limits.h>
 
 #include <rpc/types.h>
 #include <rpc/xdr.h>
@@ -86,11 +87,12 @@
        u_int nodesize;
 
        /* like strings, arrays are really counted arrays */
-       if (! xdr_u_int(xdrs, sizep)) {
+       if (!xdr_u_int(xdrs, sizep)) {
                return (FALSE);
        }
        c = *sizep;
-       if ((c > maxsize) && (xdrs->x_op != XDR_FREE)) {
+       if ((c > maxsize && UINT_MAX/elsize < c) &&
+           (xdrs->x_op != XDR_FREE)) {
                return (FALSE);
        }
        nodesize = c * elsize;
@@ -160,7 +162,7 @@
 
        elptr = basep;
        for (i = 0; i < nelem; i++) {
-               if (! (*xdr_elem)(xdrs, elptr)) {
+               if (!(*xdr_elem)(xdrs, elptr)) {
                        return(FALSE);
                }
                elptr += elemsize;