------------------------------------------------------------------------
r5168 | andersen | 2002-08-07 04:07:10 -0500 (Wed, 07 Aug 2002) | 4 lines
Changed paths:
   M /trunk/uClibc/libc/inet/rpc/xdr_array.c

Apply integer overflow security fix for "CERT Advisory CA-2002-25 Integer
Overflow In XDR Library" http://www.cert.org/advisories/CA-2002-25.html
Patch from Solar Designer <solar@openwall.com>.

 ------------------------------------------------------------------------
Index: libc/inet/rpc/xdr_array.c
===================================================================
--- libc/inet/rpc/xdr_array.c	(revision 5167)
+++ libc/inet/rpc/xdr_array.c	(revision 5168)
@@ -48,6 +48,7 @@
 #include <string.h>
 #include <rpc/types.h>
 #include <rpc/xdr.h>
+#include <limits.h>
 
 #ifdef USE_IN_LIBIO
 # include <wchar.h>
@@ -84,7 +85,11 @@
       return FALSE;
     }
   c = *sizep;
-  if ((c > maxsize) && (xdrs->x_op != XDR_FREE))
+  /*
+   * XXX: Let the overflow possibly happen with XDR_FREE because mem_free()
+   * doesn't actually use its second argument anyway.
+   */
+  if ((c > maxsize || c > UINT_MAX / elsize) && (xdrs->x_op != XDR_FREE))
     {
       return FALSE;
     }