From d5ea7024ae018b5a22c14703695026988019835a Mon Sep 17 00:00:00 2001
From: tobias
Date: Fri, 17 Jan 2014 23:13:49 +0000
Subject: [PATCH] Validate file size before loading content into memory.
ok millert@
---
 usr.sbin/ppp/ppp/ipcp.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/usr.sbin/ppp/ppp/ipcp.c b/usr.sbin/ppp/ppp/ipcp.c
index 535c5ad6443..90e42a238b7 100644
--- a/usr.sbin/ppp/ppp/ipcp.c
+++ b/usr.sbin/ppp/ppp/ipcp.c
@@ -25,7 +25,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $OpenBSD: ipcp.c,v 1.44 2005/09/21 16:58:34 brad Exp $
+ * $OpenBSD: ipcp.c,v 1.45 2014/01/17 23:13:49 tobias Exp $
 */
 #include
@@ -192,7 +192,10 @@ ipcp_LoadDNS(struct ipcp *ipcp)
 if (fstat(fd, &st) == 0) {
 ssize_t got;
- if ((ipcp->ns.resolv_nons = (char *)malloc(st.st_size + 1)) == NULL)
+ if (st.st_size >= SIZE_MAX)
+ log_Printf(LogERROR, "%s is too large: %llu\n",
+ _PATH_RESCONF, (unsigned long long)st.st_size);
+ else if ((ipcp->ns.resolv_nons = (char *)malloc(st.st_size + 1)) == NULL)
 log_Printf(LogERROR, "Failed to malloc %lu for %s: %s\n",
 (unsigned long)st.st_size, _PATH_RESCONF, strerror(errno));
 else if ((ipcp->ns.resolv = (char *)malloc(st.st_size + 1)) == NULL) {
--
2.20.1
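Review bot: The new guard `st.st_size >= SIZE_MAX` in ipcp_LoadDNS only keeps `st.st_size + 1` from wrapping where size_t is narrower than the type of st_size; where both are 64 bits wide it is effectively never true for a valid size, so a very large file at _PATH_RESCONF is still handed to malloc twice. Since this file is expected to be small, a sign check plus a modest explicit ceiling would bound the allocation on every platform, e.g. `if (st.st_size < 0 || st.st_size > RESCONF_MAX)`, where `RESCONF_MAX` is a placeholder for a limit the project would choose. The unchanged "Failed to malloc" message still prints the size through `%lu` and an `(unsigned long)` cast, which can truncate on 32-bit targets; `%llu` with `(unsigned long long)`, as the new message uses, would be consistent. The function body starts and ends outside the hunk, so whether the later read is bounded by the same size cannot be confirmed from here.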