Re: [PATCH] simple_strtoul: prevent integer overflows
From: Alexey Dobriyan
Date: Thu May 05 2011 - 03:26:29 EST
On Thu, May 05, 2011 at 01:54:41AM -0400, Mansour Moufid wrote:
> This patch prevents integer overflows in the functions
> `simple_strtoull' and `simple_strtoul', in the file lib/vsprintf.c.
> This applies to stable version 2.6.38.5.
>
> I'm aware of the kstrto* functions, but simple_strto* are still used
> in some network-exposed code (netfilter).
These changes break end pointer management at least
for simple_strtoul().
> --- vsprintf.c.orig
> +++ vsprintf.c
> @@ -63,11 +63,20 @@ unsigned long long simple_strtoull(const
> cp += 2;
>
> while (isxdigit(*cp)) {
> - unsigned int value;
> + unsigned int value = 0;
>
> - value = isdigit(*cp) ? *cp - '0' : TOLOWER(*cp) - 'a' + 10;
> + if (isdigit(*cp))
> + value = *cp - '0';
> + else if (isalpha(*cp))
> + value = TOLOWER(*cp) - 'a' + 10;
> + else
> + break;
> if (value >= base)
> break;
> + if (result > (ULLONG_MAX - value) / base) {
> + result = ULLONG_MAX;
> + break;
> + }
> result = result * base + value;
> cp++;
> }
> @@ -86,7 +95,12 @@ EXPORT_SYMBOL(simple_strtoull);
> */
> unsigned long simple_strtoul(const char *cp, char **endp, unsigned int base)
> {
> - return simple_strtoull(cp, endp, base);
> + unsigned long long result = simple_strtoull(cp, endp, base);
> +
> + if (result <= ULONG_MAX)
> + return result;
> +
> + return ULONG_MAX;
> }
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/