upstream commit

Check for integer overflow when parsing times in
convtime().  Reported by nicolas.iooss at m4x.org, ok djm@

Upstream-ID: 35e6a4e98f6fa24df50bfb8ba1307cf70e966f13

1 files changed, 11 insertions, 6 deletions

diff --git a/misc.c b/misc.c
index 65c9222aa..08fcb38c2 100644
--- a/misc.c
+++ b/misc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: misc.c,v 1.107 2016/11/30 00:28:31 dtucker Exp $ */
+/* $OpenBSD: misc.c,v 1.108 2017/03/14 00:25:03 dtucker Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  * Copyright (c) 2005,2006 Damien Miller.  All rights reserved.
@@ -306,7 +306,7 @@ a2tun(const char *s, int *remote)
 long
 convtime(const char *s)
 {
-        long total, secs;
+        long total, secs, multiplier = 1;
         const char *p;
         char *endp;
 
@@ -333,23 +333,28 @@ convtime(const char *s)
                         break;
                 case 'm':
                 case 'M':
-                        secs *= MINUTES;
+                        multiplier = MINUTES;
                         break;
                 case 'h':
                 case 'H':
-                        secs *= HOURS;
+                        multiplier = HOURS;
                         break;
                 case 'd':
                 case 'D':
-                        secs *= DAYS;
+                        multiplier = DAYS;
                         break;
                 case 'w':
                 case 'W':
-                        secs *= WEEKS;
+                        multiplier = WEEKS;
                         break;
                 default:
                         return -1;
                 }
+                if (secs > LONG_MAX / multiplier)
+                        return -1;
+                secs *= multiplier;
+                if  (total > LONG_MAX - secs)
+                        return -1;
                 total += secs;
                 if (total < 0)
                         return -1;