• Ian Goldberg's avatar
    Prevent integer overflow on 64-bit architectures when receiving 4GB messages · ecfd4f46
    Ian Goldberg authored
    In several places in proto.c, the sizes of portions of incoming messages
    were stored in variables of type int or unsigned int instead of size_t.
    If a message arrives with very large sizes (for example unsigned int
    datalen = UINT_MAX), then constructions like malloc(datalen+1) will turn
    into malloc(0), which on some architectures returns a non-NULL pointer,
    but UINT_MAX bytes will get written to that pointer.
    
    Ensure all calls to malloc or realloc cannot integer overflow like this.
    
    Thanks to Markus Vervier of X41 D-Sec GmbH <markus.vervier@x41-dsec.de>
    for the report.
    Signed-off-by: default avatarIan Goldberg <iang@cs.uwaterloo.ca>
    Signed-off-by: default avatarDavid Goulet <dgoulet@ev0ke.net>
    ecfd4f46
Name
Last commit
Last update
packaging/fedora Loading commit data...
src Loading commit data...
test_suite Loading commit data...
tests Loading commit data...
toolkit Loading commit data...
.gitignore Loading commit data...
AUTHORS Loading commit data...
COPYING Loading commit data...
COPYING.LIB Loading commit data...
ChangeLog Loading commit data...
INSTALL Loading commit data...
Makefile.am Loading commit data...
NEWS Loading commit data...
Protocol-v1.txt Loading commit data...
Protocol-v2.html Loading commit data...
Protocol-v3.html Loading commit data...
README Loading commit data...
UPGRADING Loading commit data...
bootstrap Loading commit data...
configure.ac Loading commit data...
libotr.m4 Loading commit data...
libotr.pc.in Loading commit data...
makedist Loading commit data...