diff options
author | dtucker@openbsd.org <dtucker@openbsd.org> | 2017-03-14 00:25:03 +0000 |
---|---|---|
committer | Darren Tucker <dtucker@zip.com.au> | 2017-03-14 13:45:14 +1100 |
commit | f5746b40cfe6d767c8e128fe50c43274b31cd594 (patch) | |
tree | b8db53618053d0bb22cd7ed9491ade78849286fc | |
parent | f5907982f42a8d88a430b8a46752cbb7859ba979 (diff) |
upstream commit
Check for integer overflow when parsing times in
convtime(). Reported by nicolas.iooss at m4x.org, ok djm@
Upstream-ID: 35e6a4e98f6fa24df50bfb8ba1307cf70e966f13
-rw-r--r-- | misc.c | 17 |
1 files changed, 11 insertions, 6 deletions
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: misc.c,v 1.107 2016/11/30 00:28:31 dtucker Exp $ */ | 1 | /* $OpenBSD: misc.c,v 1.108 2017/03/14 00:25:03 dtucker Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
4 | * Copyright (c) 2005,2006 Damien Miller. All rights reserved. | 4 | * Copyright (c) 2005,2006 Damien Miller. All rights reserved. |
@@ -306,7 +306,7 @@ a2tun(const char *s, int *remote) | |||
306 | long | 306 | long |
307 | convtime(const char *s) | 307 | convtime(const char *s) |
308 | { | 308 | { |
309 | long total, secs; | 309 | long total, secs, multiplier = 1; |
310 | const char *p; | 310 | const char *p; |
311 | char *endp; | 311 | char *endp; |
312 | 312 | ||
@@ -333,23 +333,28 @@ convtime(const char *s) | |||
333 | break; | 333 | break; |
334 | case 'm': | 334 | case 'm': |
335 | case 'M': | 335 | case 'M': |
336 | secs *= MINUTES; | 336 | multiplier = MINUTES; |
337 | break; | 337 | break; |
338 | case 'h': | 338 | case 'h': |
339 | case 'H': | 339 | case 'H': |
340 | secs *= HOURS; | 340 | multiplier = HOURS; |
341 | break; | 341 | break; |
342 | case 'd': | 342 | case 'd': |
343 | case 'D': | 343 | case 'D': |
344 | secs *= DAYS; | 344 | multiplier = DAYS; |
345 | break; | 345 | break; |
346 | case 'w': | 346 | case 'w': |
347 | case 'W': | 347 | case 'W': |
348 | secs *= WEEKS; | 348 | multiplier = WEEKS; |
349 | break; | 349 | break; |
350 | default: | 350 | default: |
351 | return -1; | 351 | return -1; |
352 | } | 352 | } |
353 | if (secs > LONG_MAX / multiplier) | ||
354 | return -1; | ||
355 | secs *= multiplier; | ||
356 | if (total > LONG_MAX - secs) | ||
357 | return -1; | ||
353 | total += secs; | 358 | total += secs; |
354 | if (total < 0) | 359 | if (total < 0) |
355 | return -1; | 360 | return -1; |