- from Debian - possible integer overflow in xdrmem functions (CAN-2003-0028, BTS...

Changed files:
    dietlibc-xdrmem-overflow.patch -> 1.1

diff --git a/dietlibc-xdrmem-overflow.patch b/dietlibc-xdrmem-overflow.patch
new file mode 100644 (file)
index 0000000..2d858b2
--- /dev/null
+++ b/dietlibc-xdrmem-overflow.patch
@@ -0,0 +1,171 @@
+--- dietlibc-0.12.orig/librpc/xdr_mem.c
++++ dietlibc-0.12/librpc/xdr_mem.c
+@@ -48,13 +48,13 @@
+ #include <netinet/in.h>
+ #include <string.h>
+ 
+-static bool_t xdrmem_getlong();
+-static bool_t xdrmem_putlong();
++static bool_t xdrmem_getlong(XDR*, long*);
++static bool_t xdrmem_putlong(XDR*, const long*);
+ static bool_t xdrmem_getbytes();
+ static bool_t xdrmem_putbytes();
+ static unsigned int xdrmem_getpos();
+ static bool_t xdrmem_setpos();
+-static int32_t *xdrmem_inline();
++static int32_t *xdrmem_inline(XDR*, unsigned int);
+ static void xdrmem_destroy();
+ 
+ static struct xdr_ops xdrmem_ops = {
+@@ -94,54 +94,41 @@
+ register XDR *xdrs;
+ long *lp;
+ {
++  if (xdrs->x_handy < 4) return FALSE;
++  xdrs->x_handy -= 4;
+ 
+-      if ((xdrs->x_handy -= sizeof(long)) < 0)
+-              return (FALSE);
+-
+-      *lp = (long) ntohl((unsigned long) (*((long *) (xdrs->x_private))));
+-      xdrs->x_private += sizeof(long);
+-
+-      return (TRUE);
++  *lp = (int32_t) ntohl((*((int32_t *) (xdrs->x_private))));
++  xdrs->x_private += 4;
++  return TRUE;
+ }
+ 
+-static bool_t xdrmem_putlong(xdrs, lp)
+-register XDR *xdrs;
+-long *lp;
++static bool_t xdrmem_putlong(XDR* xdrs, const long* lp)
+ {
++  if (xdrs->x_handy < 4) return FALSE;
++  xdrs->x_handy -= 4;
+ 
+-      if ((xdrs->x_handy -= sizeof(long)) < 0)
+-              return (FALSE);
+-
+-      *(long *) xdrs->x_private = (long) htonl((unsigned long) (*lp));
+-      xdrs->x_private += sizeof(long);
++  *(int32_t *) xdrs->x_private = htonl(*lp);
++  xdrs->x_private += sizeof(long);
+ 
+-      return (TRUE);
++  return (TRUE);
+ }
+ 
+-static bool_t xdrmem_getbytes(xdrs, addr, len)
+-register XDR *xdrs;
+-char* addr;
+-register unsigned int len;
++static bool_t xdrmem_getbytes(XDR* xdrs, char* addr, unsigned int len)
+ {
+-
+-      if ((xdrs->x_handy -= len) < 0)
+-              return (FALSE);
+-      memmove(addr, xdrs->x_private, len);
+-      xdrs->x_private += len;
+-      return (TRUE);
++  if (xdrs->x_handy < len) return FALSE;
++  xdrs->x_handy -= len;
++  memmove(addr, xdrs->x_private, len);
++  xdrs->x_private += len;
++  return TRUE;
+ }
+ 
+-static bool_t xdrmem_putbytes(xdrs, addr, len)
+-register XDR *xdrs;
+-char* addr;
+-register unsigned int len;
++static bool_t xdrmem_putbytes(XDR* xdrs, char* addr, unsigned int len)
+ {
+-
+-      if ((xdrs->x_handy -= len) < 0)
+-              return (FALSE);
+-      memmove(xdrs->x_private, addr, len);
+-      xdrs->x_private += len;
+-      return (TRUE);
++  if (xdrs->x_handy < len) return FALSE;
++  xdrs->x_handy -= len;
++  memmove(xdrs->x_private, addr, len);
++  xdrs->x_private += len;
++  return (TRUE);
+ }
+ 
+ static unsigned int xdrmem_getpos(xdrs)
+@@ -155,19 +142,19 @@
+ register XDR *xdrs;
+ unsigned int pos;
+ {
+-      register char* newaddr = xdrs->x_base + pos;
+-      register char* lastaddr = xdrs->x_private + xdrs->x_handy;
++  register char* newaddr = xdrs->x_base + pos;
++  register char* lastaddr = xdrs->x_private + xdrs->x_handy;
+ 
+-      if ((long) newaddr > (long) lastaddr)
+-              return (FALSE);
+-      xdrs->x_private = newaddr;
+-      xdrs->x_handy = (int) lastaddr - (int) newaddr;
+-      return (TRUE);
++  if ((long) newaddr > (long) lastaddr || (long)newaddr<(long)xdrs->x_base)
++        return (FALSE);
++  xdrs->x_private = newaddr;
++  xdrs->x_handy = (int) lastaddr - (int) newaddr;
++  return (TRUE);
+ }
+ 
+ static int32_t *xdrmem_inline(xdrs, len)
+ register XDR *xdrs;
+-int len;
++unsigned int len;
+ {
+       int32_t *buf = 0;
+ 
+--- dietlibc-0.12.orig/librpc/xdr_rec.c
++++ dietlibc-0.12/librpc/xdr_rec.c
+@@ -458,9 +458,7 @@
+       return (FALSE);
+ }
+ 
+-static int32_t *xdrrec_inline(xdrs, len)
+-register XDR *xdrs;
+-int len;
++static int32_t *xdrrec_inline(XDR* xdrs, unsigned int len)
+ {
+       register RECSTREAM *rstrm = (RECSTREAM *) xdrs->x_private;
+       int32_t *buf = NULL;
+--- dietlibc-0.12.orig/librpc/xdr_stdio.c
++++ dietlibc-0.12/librpc/xdr_stdio.c
+@@ -169,9 +169,7 @@
+                       FALSE : TRUE);
+ }
+ 
+-static int32_t *xdrstdio_inline(xdrs, len)
+-XDR *xdrs;
+-unsigned int len;
++static int32_t *xdrstdio_inline(XDR* xdrs, unsigned int len)
+ {
+ 
+       /*
+--- dietlibc-0.12.orig/include/rpc/xdr.h
++++ dietlibc-0.12/include/rpc/xdr.h
+@@ -126,7 +126,7 @@
+       /* returns bytes off from beginning */
+       bool_t (*x_setpostn) (XDR *__xdrs, unsigned int __pos);
+       /* lets you reposition the stream */
+-      int32_t *(*x_inline) (XDR *__xdrs, int __len);
++      int32_t *(*x_inline) (XDR *__xdrs, unsigned int __len);
+       /* buf quick ptr to buffered data */
+       void (*x_destroy) (XDR *__xdrs);
+       /* free privates of this xdr_stream */
+@@ -139,7 +139,7 @@
+     char* x_public;           /* users' data */
+     char* x_private;          /* pointer to private data */
+     char* x_base;             /* private used for position info */
+-    int x_handy;              /* extra private word */
++    unsigned int x_handy;     /* extra private word */
+   };
+ 
+ /*