libdhcpcd: Limit messages to SSIZE_MAX
authorRoy Marples <roy@marples.name>
Wed, 11 Dec 2019 12:27:51 +0000 (12:27 +0000)
committerRoy Marples <roy@marples.name>
Wed, 11 Dec 2019 12:27:51 +0000 (12:27 +0000)
We need to add one to it for allocation to terminate it and
this is a stupidly big string anyway.

Found by LGTM.

src/libdhcpcd/dhcpcd.c

index c4c1f5d2bc0ce63de1509273e47e090e9b5b6cd0..f8f558beb0416800d7c357348a3a3d30f352022b 100644 (file)
@@ -903,6 +903,11 @@ dhcpcd_read_if(DHCPCD_CONNECTION *con, int fd)
                return NULL;
        }
        memcpy(&len, sbuf, sizeof(len));
+       if (len >= SSIZE_MAX) {
+               /* Even this is probably too big! */
+               errno = ENOBUFS;
+               return NULL;
+       }
        rbuf = malloc(len + 1);
        if (rbuf == NULL)
                return NULL;
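Review bot: The added guard `if (len >= SSIZE_MAX)` keeps `len + 1` from wrapping in the `malloc` call, but a length copied straight out of `sbuf` can still request an allocation of almost SSIZE_MAX bytes, which the in-line comment itself concedes is too large. Since `len` comes off the control socket, bounding it by a protocol-level maximum would be more defensive, for example `if (len >= DHCPCD_MSG_MAX) {` where `DHCPCD_MSG_MAX` is a placeholder for a constant the project would define. The check also relies on `SSIZE_MAX` from `<limits.h>`, and the include is not visible in this hunk, so it is worth confirming. The body of `dhcpcd_read_if` continues outside the hunk, so how `rbuf` is filled and freed on later error paths cannot be judged from here.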