GNU glibc Information for VU#192995

Integer overflow in xdr_array() function when deserializing the XDR stream

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Version 2.2.5 and earlier versions of the GNU C Library are
vulnerable.  For Version 2.2.5, we suggest the following patch.
This patch is also available from the GNU C Library CVS repository at:

http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_array.c.diff?r1=1.5&r2=1.5.2.1&cvsroot=glibc


2002-08-02  Jakub Jelinek  <jakub@redhat.com>

* sunrpc/xdr_array.c (xdr_array): Check for overflow on
multiplication.  Patch by Solar Designer <solar@openwall.com>.

===================================================================
RCS file: /cvs/glibc/libc/sunrpc/xdr_array.c,v
retrieving revision 1.5
retrieving revision 1.5.2.1
diff -u -r1.5 -r1.5.2.1
- --- libc/sunrpc/xdr_array.c 2001/08/17 04:48:31 1.5
+++ libc/sunrpc/xdr_array.c 2002/08/02 01:35:39 1.5.2.1
@@ -45,6 +45,7 @@
#include <rpc/types.h>
#include <rpc/xdr.h>
#include <libintl.h>
+#include <limits.h>

 #ifdef USE_IN_LIBIO
# include <wchar.h>
@@ -81,7 +82,11 @@
      return FALSE;
    }
  c = *sizep;
- -  if ((c > maxsize) && (xdrs->x_op != XDR_FREE))
+  /*
+   * XXX: Let the overflow possibly happen with XDR_FREE because mem_free()
+   * doesn't actually use its second argument anyway.
+   */
+  if ((c > maxsize || c > UINT_MAX / elsize) && (xdrs->x_op != XDR_FREE))
    {
      return FALSE;
    }
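Review bot: the new condition divides by elsize (`c > UINT_MAX / elsize`), and nothing in the visible context rules out elsize == 0, in which case the check itself is a division by zero. Consider rejecting a zero elsize before this test, or writing the term as `elsize != 0 && c > UINT_MAX / elsize`. The bound is also only meaningful if the multiplication named in the ChangeLog entry is carried out in unsigned int, so the comment could state that dependency. Finally, the XXX comment deliberately leaves the overflow in place for XDR_FREE on the grounds that mem_free() ignores its second argument; that makes this function's safety depend on a property of mem_free(), which deserves a matching note at mem_free() so a later change there does not silently reopen the issue.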


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (SunOS)
Comment: Processed by Mailcrypt 3.5.6 and Gnu Privacy Guard <http://www.gnupg.org/>

iD8DBQE9Tv0wddnqSFPI1IgRAmomAJ9cK6vT8zZMGdO/0Z4nOIZwUej2BwCfbRT3
mnvR4B781bGEg3y6PVaRdDw=
=qn87
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.