summaryrefslogtreecommitdiff
path: root/mail-mta/netqmail/files/netqmail-1.06-CVE-2005-1513.patch
diff options
context:
space:
mode:
Diffstat (limited to 'mail-mta/netqmail/files/netqmail-1.06-CVE-2005-1513.patch')
-rw-r--r--mail-mta/netqmail/files/netqmail-1.06-CVE-2005-1513.patch66
1 files changed, 66 insertions, 0 deletions
diff --git a/mail-mta/netqmail/files/netqmail-1.06-CVE-2005-1513.patch b/mail-mta/netqmail/files/netqmail-1.06-CVE-2005-1513.patch
new file mode 100644
index 000000000000..58af5a9cee11
--- /dev/null
+++ b/mail-mta/netqmail/files/netqmail-1.06-CVE-2005-1513.patch
@@ -0,0 +1,66 @@
+From bb92ea678c2a2a524d2ee6e9d598275a659168d2 Mon Sep 17 00:00:00 2001
+From: Rolf Eike Beer <eike@sf-mail.de>
+Date: Mon, 11 May 2020 18:30:13 +0200
+Subject: [PATCH 3/4] mimimum fix for CVE-2005-1513
+
+The first allocation at the tail of the function is not changed as that
+one starts with a small number of elements and grows only on
+subsequent call.s
+---
+ gen_allocdefs.h | 27 ++++++++++++++++++++++-----
+ 1 file changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/gen_allocdefs.h b/gen_allocdefs.h
+index 783a9b1..0588441 100644
+--- a/gen_allocdefs.h
++++ b/gen_allocdefs.h
+@@ -4,24 +4,41 @@
+ #define GEN_ALLOC_ready(ta,type,field,len,a,i,n,x,base,ta_ready) \
+ int ta_ready(x,n) register ta *x; register unsigned int n; \
+ { register unsigned int i; \
++ unsigned int nlen; \
+ if (x->field) { \
+ i = x->a; \
+ if (n > i) { \
+- x->a = base + n + (n >> 3); \
+- if (alloc_re(&x->field,i * sizeof(type),x->a * sizeof(type))) return 1; \
++ unsigned int nnum; \
++ if (__builtin_add_overflow(base, n, &nlen)) \
++ return 0; \
++ if (__builtin_add_overflow(nlen, n >> 3, &nlen)) \
++ return 0; \
++ if (__builtin_mul_overflow(nlen, sizeof(type), &nnum)) \
++ return 0; \
++ x->a = nlen; \
++ if (alloc_re(&x->field,i * sizeof(type),nnum)) return 1; \
+ x->a = i; return 0; } \
+ return 1; } \
+ x->len = 0; \
+ return !!(x->field = (type *) alloc((x->a = n) * sizeof(type))); }
+
+ #define GEN_ALLOC_readyplus(ta,type,field,len,a,i,n,x,base,ta_rplus) \
+-int ta_rplus(x,n) register ta *x; register unsigned int n; \
++int ta_rplus(x,n) register ta *x; unsigned int n; \
+ { register unsigned int i; \
+ if (x->field) { \
+ i = x->a; n += x->len; \
++ if (__builtin_add_overflow(n, x->len, &n)) \
++ return 0; \
+ if (n > i) { \
+- x->a = base + n + (n >> 3); \
+- if (alloc_re(&x->field,i * sizeof(type),x->a * sizeof(type))) return 1; \
++ unsigned int nlen, nnum; \
++ if (__builtin_add_overflow(base, n, &nlen)) \
++ return 0; \
++ if (__builtin_add_overflow(nlen, n >> 3, &nlen)) \
++ return 0; \
++ if (__builtin_mul_overflow(nlen, sizeof(type), &nnum)) \
++ return 0; \
++ x->a = nlen; \
++ if (alloc_re(&x->field,i * sizeof(type),nnum)) return 1; \
+ x->a = i; return 0; } \
+ return 1; } \
+ x->len = 0; \
+--
+2.26.1
+
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-04 06:15:47 +0000