[PATCH] simple_strtoul: prevent integer overflows
From: Mansour Moufid
Date: Thu May 05 2011 - 01:55:39 EST
From: Mansour Moufid <mansourmoufid@xxxxxxxxx>
This patch prevents integer overflows in the functions
`simple_strtoull' and `simple_strtoul', in the file lib/vsprintf.c.
This applies to stable version 2.6.38.5.
I'm aware of the kstrto* functions, but simple_strto* are still used
in some network-exposed code (netfilter).
Signed-off-by: Mansour Moufid <mansourmoufid@xxxxxxxxx>
---
--- vsprintf.c.orig 2011-05-04 22:00:07.000000000 -0400
+++ vsprintf.c 2011-05-04 22:27:45.000000000 -0400
@@ -63,11 +63,20 @@ unsigned long long simple_strtoull(const
cp += 2;
while (isxdigit(*cp)) {
- unsigned int value;
+ unsigned int value = 0;
- value = isdigit(*cp) ? *cp - '0' : TOLOWER(*cp) - 'a' + 10;
+ if (isdigit(*cp))
+ value = *cp - '0';
+ else if (isalpha(*cp))
+ value = TOLOWER(*cp) - 'a' + 10;
+ else
+ break;
if (value >= base)
break;
+ if (result > (ULLONG_MAX - value) / base) {
+ result = ULLONG_MAX;
+ break;
+ }
result = result * base + value;
cp++;
}
@@ -86,7 +95,12 @@ EXPORT_SYMBOL(simple_strtoull);
*/
unsigned long simple_strtoul(const char *cp, char **endp, unsigned int base)
{
- return simple_strtoull(cp, endp, base);
+ unsigned long long result = simple_strtoull(cp, endp, base);
+
+ if (result <= ULONG_MAX)
+ return result;
+
+ return ULONG_MAX;
}
EXPORT_SYMBOL(simple_strtoul);
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/