From: Alexey Dobriyan <adobriyan@gmail.com>
To: Mansour Moufid <mansourmoufid@gmail.com>
Cc: torvalds@linux-foundation.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] simple_strtoul: prevent integer overflows
Date: Thu, 5 May 2011 10:26:19 +0300 [thread overview]
Message-ID: <20110505072619.GA4517@p183> (raw)
In-Reply-To: <BANLkTikXoy+cJV-aj5RVtpLgEQ_Y-3TOSw@mail.gmail.com>
On Thu, May 05, 2011 at 01:54:41AM -0400, Mansour Moufid wrote:
> This patch prevents integer overflows in the functions
> `simple_strtoull' and `simple_strtoul', in the file lib/vsprintf.c.
> This applies to stable version 2.6.38.5.
>
> I'm aware of the kstrto* functions, but simple_strto* are still used
> in some network-exposed code (netfilter).
These changes break end pointer management at least
for simple_strtoul().
> --- vsprintf.c.orig
> +++ vsprintf.c
> @@ -63,11 +63,20 @@ unsigned long long simple_strtoull(const
> cp += 2;
>
> while (isxdigit(*cp)) {
> - unsigned int value;
> + unsigned int value = 0;
>
> - value = isdigit(*cp) ? *cp - '0' : TOLOWER(*cp) - 'a' + 10;
> + if (isdigit(*cp))
> + value = *cp - '0';
> + else if (isalpha(*cp))
> + value = TOLOWER(*cp) - 'a' + 10;
> + else
> + break;
> if (value >= base)
> break;
> + if (result > (ULLONG_MAX - value) / base) {
> + result = ULLONG_MAX;
> + break;
> + }
> result = result * base + value;
> cp++;
> }
> @@ -86,7 +95,12 @@ EXPORT_SYMBOL(simple_strtoull);
> */
> unsigned long simple_strtoul(const char *cp, char **endp, unsigned int base)
> {
> - return simple_strtoull(cp, endp, base);
> + unsigned long long result = simple_strtoull(cp, endp, base);
> +
> + if (result <= ULONG_MAX)
> + return result;
> +
> + return ULONG_MAX;
> }
prev parent reply other threads:[~2011-05-05 7:26 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-05-05 5:54 [PATCH] simple_strtoul: prevent integer overflows Mansour Moufid
2011-05-05 7:26 ` Alexey Dobriyan [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110505072619.GA4517@p183 \
--to=adobriyan@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mansourmoufid@gmail.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.