diff options
author | Guy Harris <guy@alum.mit.edu> | 2019-10-03 17:29:04 -0700 |
---|---|---|
committer | Guy Harris <guy@alum.mit.edu> | 2019-10-03 17:29:04 -0700 |
commit | 432b46e390402acc684c9ae26e44a21c97f143dd (patch) | |
tree | 2dc2f8bda94c787772787956d3e3031030882aa4 | |
parent | befdfc048cfe3c0af0a51e411a7a1300c8a1ea4e (diff) |
Do the 32-bit overflow check more cleanly.
-rw-r--r-- | rpcapd/daemon.c | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/rpcapd/daemon.c b/rpcapd/daemon.c index 18923d81..51ed295d 100644 --- a/rpcapd/daemon.c +++ b/rpcapd/daemon.c @@ -1574,17 +1574,17 @@ daemon_AuthUserPwd(char *username, char *password, char *errbuf) /* * Make sure that the reply length won't overflow 32 bits if we add the * specified amount to it. If it won't, add that amount to it. + * + * We check whether replylen + itemlen > UINT32_MAX, but subtract itemlen + * from both sides, to prevent overflow. */ -#define CHECK_AND_INCREASE_REPLY_LEN(itemlen) { \ - size_t replylen_before = replylen; \ -\ - replylen += (uint32)(itemlen); \ - if (replylen < replylen_before) { \ +#define CHECK_AND_INCREASE_REPLY_LEN(itemlen) \ + if (replylen > UINT32_MAX - (itemlen)) { \ pcap_strlcpy(errmsgbuf, "Reply length doesn't fit in 32 bits", \ sizeof (errmsgbuf)); \ goto error; \ } \ -} + replylen += (uint32)(itemlen); static int daemon_msg_findallif_req(uint8 ver, struct daemon_slpars *pars, uint32 plen) |