From mboxrd@z Thu Jan 1 00:00:00 1970
From: Andreas Henriksson
Subject: Bug#511720: [PATCH iproute2] ss: avoid passing negative numbers to malloc
Date: Tue, 12 Nov 2013 19:52:14 +0100
Message-ID: <20131112185214.GA29913@amd64.fatal.se>
Reply-To: Andreas Henriksson , 511720@bugs.debian.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
To: stephen@networkplumber.org
Cc: netdev@vger.kernel.org
List-Id: netdev.vger.kernel.org

Example:

$ ss state established \( sport = :4060 or sport = :4061 or sport = :4062 or sport = :4063 or sport = :4064 or sport = :4065 or sport = :4066 or sport = :4067 \) > /dev/null
Aborted

In the example above ssfilter_bytecompile(...) will return (int)136.
char l1 = 136; means -120, which will result in a negative number being
passed to malloc at misc/ss.c:913.

Simply declare l1 and l2 as integers to avoid the char overflow.

This is one of the issues originally reported in http://bugs.debian.org/511720

Reported-by: Andreas Schuldei
Signed-off-by: Andreas Henriksson
---
 misc/ss.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/misc/ss.c b/misc/ss.c
index c0369f1..db3a3a4 100644
--- a/misc/ss.c
+++ b/misc/ss.c
@@ -907,7 +907,8 @@ static int ssfilter_bytecompile(struct ssfilter *f, char **bytecode) } case SSF_OR: { - char *a1, *a2, *a, l1, l2; + char *a1, *a2, *a; + int l1, l2; l1 = ssfilter_bytecompile(f->pred, &a1); l2 = ssfilter_bytecompile(f->post, &a2); if (!(a = malloc(l1+l2+4))) abort();
-- 
1.8.4.3
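Review bot: widening l1 and l2 to int stops the truncation of the 136-byte return value, but the allocation in the SSF_OR hunk is still `malloc(l1+l2+4)` on unchecked int values that are silently converted to size_t, so a negative or overflowed sum would again become a huge request and hit the abort() rather than a clear error. Since ssfilter_bytecompile returns int and every OR level adds 4, consider either holding the lengths as size_t end to end or guarding the call, e.g. `if (l1 < 0 || l2 < 0 || l1 > INT_MAX - 4 - l2) abort();` before the malloc, and it is worth checking whether the sibling cases in this switch (not shown in the hunk) declare their lengths the same way.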
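The truncation the commit message describes, as an added illustration that is not code from the patch or from iproute2: a small model of how the SSF_OR length accumulates across a nested OR of port predicates, computed once with int lengths (the patched code) and once with the pre-patch char lengths, plus what malloc() actually receives when the int goes negative. The model assumes each `sport = :N` predicate compiles to 16 bytes of bytecode and that every OR node costs the `+4` visible in `malloc(l1+l2+4)`; PRED_LEN, OR_OVERHEAD, or_len_int, or_len_char, size_requested and checked_or_len are all names introduced here.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumptions (not taken from the patch): each "sport = :N" predicate
 * compiles to PRED_LEN bytes of filter bytecode, and each OR node costs
 * the +4 seen in malloc(l1+l2+4). */
#define PRED_LEN    16
#define OR_OVERHEAD 4

/* Bytecode length of an OR over n predicates with the intermediate
 * lengths held in int, as in the patched code. */
int or_len_int(int n)
{
    int acc = PRED_LEN;              /* first predicate */
    for (int i = 1; i < n; i++) {
        int l1 = acc;                /* result of compiling the subtree */
        int l2 = PRED_LEN;           /* next predicate */
        acc = l1 + l2 + OR_OVERHEAD;
    }
    return acc;
}

/* Same computation with the pre-patch 'char l1, l2'. The inner call
 * returns an int; storing it in a signed char keeps only the low 8 bits,
 * so 136 becomes -120 and the promoted sum goes negative. 'signed char'
 * is spelled out so the result does not depend on the platform's char
 * signedness (plain char is signed on the amd64 box of the report). */
int or_len_char(int n)
{
    int acc = PRED_LEN;
    for (int i = 1; i < n; i++) {
        signed char l1 = (signed char)acc;
        signed char l2 = (signed char)PRED_LEN;
        acc = l1 + l2 + OR_OVERHEAD; /* integer promotion; may be negative */
    }
    return acc;
}

/* What malloc() sees: its size_t parameter converts a negative int
 * modulo 2^N, i.e. to a value just below SIZE_MAX. That request fails,
 * and ss then calls abort(), which is the "Aborted" in the report. */
size_t size_requested(int len)
{
    return (size_t)len;
}

/* Defensive form of the size computation: reject negative inputs and
 * sums that would overflow int, returning -1 instead of a bogus size. */
int checked_or_len(int l1, int l2)
{
    if (l1 < 0 || l2 < 0)
        return -1;
    if (l1 > INT_MAX - OR_OVERHEAD - l2)
        return -1;
    return l1 + l2 + OR_OVERHEAD;
}

int main(void)
{
    /* Eight ports, as in the reported command line: seven OR levels. */
    for (int n = 1; n <= 8; n++)
        printf("%d predicates: int=%d char=%d\n",
               n, or_len_int(n), or_len_char(n));
    printf("malloc would be asked for %zu bytes\n",
           size_requested(or_len_char(8)));
    return 0;
}
```

With seven predicates both versions agree on 136 bytes; the eighth OR level stores that 136 into a char, reads back -120, and asks malloc() for -100 bytes, which converts to SIZE_MAX - 99. The checked variant is the shape of guard a reviewer would want in front of the allocation regardless of the declared type.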