Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/netbsd-6-0]: src/external/bsd/libevent/dist Apply patch (requested by sp...

details:   https://anonhg.NetBSD.org/src/rev/cfcc31fe909d
branches:  netbsd-6-0
changeset: 775042:cfcc31fe909d
user:      snj <snj%NetBSD.org@localhost>
date:      Wed Feb 04 04:40:27 2015 +0000

description:
Apply patch (requested by spz in ticket 1243):
Fix CVE-2014-6272.

diffstat:

 external/bsd/libevent/dist/buffer.c |  35 ++++++++++++++++++++++++++---------
 1 files changed, 26 insertions(+), 9 deletions(-)

diffs (85 lines):

diff -r a767cc3134bd -r cfcc31fe909d external/bsd/libevent/dist/buffer.c
--- a/external/bsd/libevent/dist/buffer.c       Fri Jan 16 16:31:27 2015 +0000
+++ b/external/bsd/libevent/dist/buffer.c       Wed Feb 04 04:40:27 2015 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: buffer.c,v 1.1.1.1 2009/11/02 10:00:52 plunky Exp $    */
+/*     $NetBSD: buffer.c,v 1.1.1.1.14.1 2015/02/04 04:40:27 snj Exp $  */
 /*
  * Copyright (c) 2002, 2003 Niels Provos <provos%citi.umich.edu@localhost>
  * All rights reserved.
@@ -144,7 +144,8 @@
        va_list aq;
 
        /* make sure that at least some space is available */
-       evbuffer_expand(buf, 64);
+       if (evbuffer_expand(buf, 64) < 0)
+               return (-1);
        for (;;) {
                size_t used = buf->misalign + buf->off;
                buffer = (char *)buf->buffer + buf->off;
@@ -260,31 +261,47 @@
        buf->misalign = 0;
 }
 
+#ifndef SIZE_MAX
+#define SIZE_MAX ((size_t)-1)
+#endif
+
 /* Expands the available space in the event buffer to at least datlen */
 
 int
 evbuffer_expand(struct evbuffer *buf, size_t datlen)
 {
-       size_t need = buf->misalign + buf->off + datlen;
+       size_t used = buf->misalign + buf->off;
+
+       assert(buf->totallen >= used);
 
        /* If we can fit all the data, then we don't have to do anything */
-       if (buf->totallen >= need)
+       if (buf->totallen - used >= datlen)
                return (0);
+       /* If we would need to overflow to fit this much data, we can't
+        * do anything. */
+       if (datlen > SIZE_MAX - buf->off)
+               return (-1);
 
        /*
         * If the misalignment fulfills our data needs, we just force an
         * alignment to happen.  Afterwards, we have enough space.
         */
-       if (buf->misalign >= datlen) {
+       if (buf->totallen - buf->off >= datlen) {
                evbuffer_align(buf);
        } else {
                void *newbuf;
                size_t length = buf->totallen;
+               size_t need = buf->off + datlen;
 
                if (length < 256)
                        length = 256;
-               while (length < need)
-                       length <<= 1;
+               if (need < SIZE_MAX / 2) {
+                       while (length < need) {
+                               length <<= 1;
+                       }
+               } else {
+                       length = need;
+               }
 
                if (buf->orig_buffer != buf->buffer)
                        evbuffer_align(buf);
@@ -301,10 +318,10 @@
 int
 evbuffer_add(struct evbuffer *buf, const void *data, size_t datlen)
 {
-       size_t need = buf->misalign + buf->off + datlen;
+       size_t used = buf->misalign + buf->off;
        size_t oldoff = buf->off;
 
-       if (buf->totallen < need) {
+       if (buf->totallen - used < datlen) {
                if (evbuffer_expand(buf, datlen) == -1)
                        return (-1);
        }
Home | Main Index | Thread Index | Old Index