Skip to content

Commit

Permalink
Address integer overflows reported by a code analyser
Browse files Browse the repository at this point in the history
These seee quite improbable. For example the output of /usr/sbin/netstat
would have to be larger than 2. So address with an assert() in the short
term.
  • Loading branch information
DimitriPapadopoulos committed Dec 28, 2023
1 parent 1eda75a commit 4d42239
Show file tree
Hide file tree
Showing 2 changed files with 15 additions and 7 deletions.
8 changes: 5 additions & 3 deletions src/ipv4.c
Original file line number Diff line number Diff line change
Expand Up @@ -27,13 +27,13 @@
#include <sys/ioctl.h>
#include <sys/stat.h>

#include <assert.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <assert.h>

#define IPV4_GET_ROUTE_BUFFER_CHUNK_SIZE 65536
#define SHOW_ROUTE_BUFFER_SIZE 128
Expand Down Expand Up @@ -165,6 +165,7 @@ static int ipv4_get_route(struct rtentry *route)
/* this is not present on Mac OS X and FreeBSD */
int fd;
uint32_t total_bytes_read = 0;
ssize_t bytes_read;

// Cannot stat, mmap not lseek this special /proc file
fd = open("/proc/net/route", O_RDONLY);
Expand All @@ -173,10 +174,10 @@ static int ipv4_get_route(struct rtentry *route)
goto end;
}

int bytes_read;

while ((bytes_read = read(fd, buffer + total_bytes_read,
buffer_size - total_bytes_read - 1)) > 0) {
assert(bytes_read < UINT32_MAX &&
total_bytes_read < UINT32_MAX - bytes_read);
total_bytes_read += bytes_read;

if ((buffer_size - total_bytes_read) < 1) {
Expand Down Expand Up @@ -232,6 +233,7 @@ static int ipv4_get_route(struct rtentry *route)
while (fgets(line, buffer_size - total_bytes_read - 1, fp) != NULL) {
uint32_t bytes_read = strlen(line);

assert(total_bytes_read < UINT32_MAX - bytes_read);
total_bytes_read += bytes_read;

if (bytes_read > 0 && line[bytes_read - 1] != '\n') {
Expand Down
14 changes: 10 additions & 4 deletions src/userinput.c
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@
#include <sys/wait.h>
#include <termios.h>

#include <assert.h>
#include <ctype.h>
#include <errno.h>
#include <stdarg.h>
Expand Down Expand Up @@ -98,12 +99,14 @@ static char *uri_unescape(const char *string)

static int pinentry_read(int from, char **retstr)
{
int bufsiz = 0;
size_t bufsiz = 0;
char *buf = NULL, *saveptr = NULL;
int len = 0;
int ret;
size_t len = 0;

do {
ssize_t ret;

assert(bufsiz >= len);
if (bufsiz - len < 64) {
bufsiz += 64;
char *tmp = realloc(buf, bufsiz);
Expand Down Expand Up @@ -132,6 +135,7 @@ static int pinentry_read(int from, char **retstr)
*retstr = strdup("Short read");
return -1;
}
assert(len < SIZE_MAX - ret);
len += ret;
} while (buf[len - 1] != '\n');
// overwrite the newline with a null character
Expand All @@ -149,6 +153,8 @@ static int pinentry_read(int from, char **retstr)
}

if (strncmp(buf, "ERR ", 4) == 0 || strncmp(buf, "S ERROR", 7) == 0) {
long ret;

ret = strtol(&buf[4], NULL, 10);
if (!ret)
ret = -1;
Expand All @@ -157,7 +163,7 @@ static int pinentry_read(int from, char **retstr)
*retstr = *retstr ? uri_unescape(*retstr + 1) : NULL;
}
free(buf);
return ret;
return (int)ret;
}

free(buf);
Expand Down

0 comments on commit 4d42239

Please sign in to comment.