* [PATCH] simple_strtoul: prevent integer overflows
@ 2011-05-05 5:54 Mansour Moufid
2011-05-05 7:26 ` Alexey Dobriyan
0 siblings, 1 reply; 2+ messages in thread
From: Mansour Moufid @ 2011-05-05 5:54 UTC (permalink / raw)
To: torvalds; +Cc: linux-kernel
From: Mansour Moufid <mansourmoufid@gmail.com>
This patch prevents integer overflows in the functions
`simple_strtoull' and `simple_strtoul', in the file lib/vsprintf.c.
This applies to stable version 2.6.38.5.
I'm aware of the kstrto* functions, but simple_strto* are still used
in some network-exposed code (netfilter).
Signed-off-by: Mansour Moufid <mansourmoufid@gmail.com>
---
--- vsprintf.c.orig 2011-05-04 22:00:07.000000000 -0400
+++ vsprintf.c 2011-05-04 22:27:45.000000000 -0400
@@ -63,11 +63,20 @@ unsigned long long simple_strtoull(const
cp += 2;
while (isxdigit(*cp)) {
- unsigned int value;
+ unsigned int value = 0;
- value = isdigit(*cp) ? *cp - '0' : TOLOWER(*cp) - 'a' + 10;
+ if (isdigit(*cp))
+ value = *cp - '0';
+ else if (isalpha(*cp))
+ value = TOLOWER(*cp) - 'a' + 10;
+ else
+ break;
if (value >= base)
break;
+ if (result > (ULLONG_MAX - value) / base) {
+ result = ULLONG_MAX;
+ break;
+ }
result = result * base + value;
cp++;
}
@@ -86,7 +95,12 @@ EXPORT_SYMBOL(simple_strtoull);
*/
unsigned long simple_strtoul(const char *cp, char **endp, unsigned int base)
{
- return simple_strtoull(cp, endp, base);
+ unsigned long long result = simple_strtoull(cp, endp, base);
+
+ if (result <= ULONG_MAX)
+ return result;
+
+ return ULONG_MAX;
}
EXPORT_SYMBOL(simple_strtoul);
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [PATCH] simple_strtoul: prevent integer overflows
2011-05-05 5:54 [PATCH] simple_strtoul: prevent integer overflows Mansour Moufid
@ 2011-05-05 7:26 ` Alexey Dobriyan
0 siblings, 0 replies; 2+ messages in thread
From: Alexey Dobriyan @ 2011-05-05 7:26 UTC (permalink / raw)
To: Mansour Moufid; +Cc: torvalds, linux-kernel
On Thu, May 05, 2011 at 01:54:41AM -0400, Mansour Moufid wrote:
> This patch prevents integer overflows in the functions
> `simple_strtoull' and `simple_strtoul', in the file lib/vsprintf.c.
> This applies to stable version 2.6.38.5.
>
> I'm aware of the kstrto* functions, but simple_strto* are still used
> in some network-exposed code (netfilter).
These changes break end pointer management at least
for simple_strtoul().
> --- vsprintf.c.orig
> +++ vsprintf.c
> @@ -63,11 +63,20 @@ unsigned long long simple_strtoull(const
> cp += 2;
>
> while (isxdigit(*cp)) {
> - unsigned int value;
> + unsigned int value = 0;
>
> - value = isdigit(*cp) ? *cp - '0' : TOLOWER(*cp) - 'a' + 10;
> + if (isdigit(*cp))
> + value = *cp - '0';
> + else if (isalpha(*cp))
> + value = TOLOWER(*cp) - 'a' + 10;
> + else
> + break;
> if (value >= base)
> break;
> + if (result > (ULLONG_MAX - value) / base) {
> + result = ULLONG_MAX;
> + break;
> + }
> result = result * base + value;
> cp++;
> }
> @@ -86,7 +95,12 @@ EXPORT_SYMBOL(simple_strtoull);
> */
> unsigned long simple_strtoul(const char *cp, char **endp, unsigned int base)
> {
> - return simple_strtoull(cp, endp, base);
> + unsigned long long result = simple_strtoull(cp, endp, base);
> +
> + if (result <= ULONG_MAX)
> + return result;
> +
> + return ULONG_MAX;
> }
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2011-05-05 7:26 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-05-05 5:54 [PATCH] simple_strtoul: prevent integer overflows Mansour Moufid
2011-05-05 7:26 ` Alexey Dobriyan
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox