mir/sudo
2
0
Fork 0
mirror of https://github.com/sudo-project/sudo.git synced 2025-08-30 13:58:05 +00:00
Code Issues Releases Wiki Activity

Fix fuzzing errors

Browse Source 
We should be checking for integer overflow, rather than checking if size is 0.

Additionally, we should set errno to ENOMEM when this overflow happens.

Finally, the most efficient implementation of the round-up-to-2 algorithm involves the clz intrinsic.
This commit is contained in:
Rose 2023-07-03 22:03:39 -04:00
parent 9266966ab9
commit 732110428e
3 changed files with 21 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
lib/util/parseln.c
View File

@ -23,10 +23,11 @@
#include <config.h>
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#ifdef HAVE_STDBOOL_H
# include <stdbool.h>
#else
@ -91,9 +92,20 @@ sudo_parseln_v2(char **bufp, size_t *bufsizep, unsigned int *lineno, FILE *fp, i
if (*bufp == NULL || total + len >= *bufsizep) {
void *newbuf;
const size_t newsize = sudo_pow2_roundup(total + len + 1);
const size_t size = total + len + 1;
const size_t newsize = sudo_pow2_roundup(size);
if (newsize == 0 || (newbuf = realloc(*bufp, newsize)) == NULL) {
if (newsize < size) {
/* overflow */
errno = ENOMEM;
sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
"unable to allocate memory");
len = -1;
total = 0;
break;
}
if ((newbuf = realloc(*bufp, newsize)) == NULL) {
sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
"unable to allocate memory");
len = -1;

12
lib/util/roundup.c
View File

@ -47,14 +47,10 @@ sudo_pow2_roundup_v2(size_t len)
{
if (len < 64)
return 64;
len--;
len |= len >> 1;
len |= len >> 2;
len |= len >> 4;
len |= len >> 8;
len |= len >> 16;
#ifdef __LP64__
len |= len >> 32;
return 1 << (64 - __builtin_clzl(len - 1));
#else
return 1 << (32 - __builtin_clz(len - 1));
#endif
return ++len;
}

2
logsrvd/logsrvd_journal.c
View File

@ -270,11 +270,13 @@ journal_seek(struct timespec *target, struct connection_closure *closure)
bufsize = sudo_pow2_roundup(msg_len);
if (bufsize < msg_len) {
/* overflow */
errno = ENOMEM;
closure->errstr = _("unable to allocate memory");
break;
}
free(buf);
if ((buf = malloc(bufsize)) == NULL) {
errno = ENOMEM;
closure->errstr = _("unable to allocate memory");
break;
}