From 9170eb325dbfb3404b14fd1703eef7e0f7be4653 Mon Sep 17 00:00:00 2001 From: millert Date: Mon, 19 Aug 2024 15:08:21 +0000 Subject: [PATCH] Fix CVE-2024-43688, buffer underflow for very large step values In get_number(), reject values that are so large that they are interpreted as negative numbers. In set_range(), step values smaller than one or larger than the "stop" value are ignored. This prevents bit_nset() from being called with out-of-range values. Bug found by Dave G. of Supernetworks. --- usr.sbin/cron/entry.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/usr.sbin/cron/entry.c b/usr.sbin/cron/entry.c index 536085410cc..622e628695e 100644 --- a/usr.sbin/cron/entry.c +++ b/usr.sbin/cron/entry.c @@ -1,4 +1,4 @@ -/* $OpenBSD: entry.c,v 1.59 2023/07/19 21:26:02 millert Exp $ */ +/* $OpenBSD: entry.c,v 1.60 2024/08/19 15:08:21 millert Exp $ */ /* * Copyright 1988,1990,1993,1994 by Paul Vixie @@ -625,7 +625,10 @@ get_number(int *numptr, int low, const char *names[], int ch, FILE *file, /* got a number, check for valid terminator */ if (!strchr(terms, ch)) goto bad; - *numptr = atoi(temp); + i = atoi(temp); + if (i < 0) + goto bad; + *numptr = i; return (ch); } @@ -675,7 +678,7 @@ set_range(bitstr_t *bits, int low, int high, int start, int stop, int step) start -= low; stop -= low; - if (step == 1) { + if (step <= 1 || step > stop) { bit_nset(bits, start, stop); } else { for (i = start; i <= stop; i += step) -- 2.20.1