Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/netbsd-1-6]: src/lib/libc/rpc Pull up revision 1.16 (requested by david ...
details: https://anonhg.NetBSD.org/src/rev/dc9e7925c0a9
branches: netbsd-1-6
changeset: 530184:dc9e7925c0a9
user: tron <tron%NetBSD.org@localhost>
date: Fri Mar 21 08:38:29 2003 +0000
description:
Pull up revision 1.16 (requested by david in ticket #1224):
Don't do:
if ((xdrp->x_handy -= need) < 0)
return FALSE;
because by repeatedly calling this we can cause overflow, and then
overwrite
valid memory. Instead do:
if (xdrp->x_handy < need)
return FALSE;
xdrp->x_handy -= need;
diffstat:
lib/libc/rpc/xdr_mem.c | 22 ++++++++++++++--------
1 files changed, 14 insertions(+), 8 deletions(-)
diffs (84 lines):
diff -r b1f373177186 -r dc9e7925c0a9 lib/libc/rpc/xdr_mem.c
--- a/lib/libc/rpc/xdr_mem.c Thu Mar 20 09:49:03 2003 +0000
+++ b/lib/libc/rpc/xdr_mem.c Fri Mar 21 08:38:29 2003 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: xdr_mem.c,v 1.15 2000/01/22 22:19:18 mycroft Exp $ */
+/* $NetBSD: xdr_mem.c,v 1.15.8.1 2003/03/21 08:38:29 tron Exp $ */
/*
* Sun RPC is a product of Sun Microsystems, Inc. and is provided for
@@ -35,7 +35,7 @@
static char *sccsid = "@(#)xdr_mem.c 1.19 87/08/11 Copyr 1984 Sun Micro";
static char *sccsid = "@(#)xdr_mem.c 2.1 88/07/29 4.0 RPCSRC";
#else
-__RCSID("$NetBSD: xdr_mem.c,v 1.15 2000/01/22 22:19:18 mycroft Exp $");
+__RCSID("$NetBSD: xdr_mem.c,v 1.15.8.1 2003/03/21 08:38:29 tron Exp $");
#endif
#endif
@@ -133,8 +133,9 @@
long *lp;
{
- if ((xdrs->x_handy -= sizeof(int32_t)) < 0)
+ if (xdrs->x_handy < sizeof(int32_t))
return (FALSE);
+ xdrs->x_handy -= sizeof(int32_t);
*lp = ntohl(*(u_int32_t *)xdrs->x_private);
xdrs->x_private = (char *)xdrs->x_private + sizeof(int32_t);
return (TRUE);
@@ -146,8 +147,9 @@
const long *lp;
{
- if ((xdrs->x_handy -= sizeof(int32_t)) < 0)
+ if (xdrs->x_handy < sizeof(int32_t))
return (FALSE);
+ xdrs->x_handy -= sizeof(int32_t);
*(u_int32_t *)xdrs->x_private = htonl((u_int32_t)*lp);
xdrs->x_private = (char *)xdrs->x_private + sizeof(int32_t);
return (TRUE);
@@ -160,8 +162,9 @@
{
u_int32_t l;
- if ((xdrs->x_handy -= sizeof(int32_t)) < 0)
+ if (xdrs->x_handy < sizeof(int32_t))
return (FALSE);
+ xdrs->x_handy -= sizeof(int32_t);
memmove(&l, xdrs->x_private, sizeof(int32_t));
*lp = ntohl(l);
xdrs->x_private = (char *)xdrs->x_private + sizeof(int32_t);
@@ -175,8 +178,9 @@
{
u_int32_t l;
- if ((xdrs->x_handy -= sizeof(int32_t)) < 0)
+ if (xdrs->x_handy < sizeof(int32_t))
return (FALSE);
+ xdrs->x_handy -= sizeof(int32_t);
l = htonl((u_int32_t)*lp);
memmove(xdrs->x_private, &l, sizeof(int32_t));
xdrs->x_private = (char *)xdrs->x_private + sizeof(int32_t);
@@ -190,8 +194,9 @@
u_int len;
{
- if ((xdrs->x_handy -= len) < 0)
+ if (xdrs->x_handy < len)
return (FALSE);
+ xdrs->x_handy -= len;
memmove(addr, xdrs->x_private, len);
xdrs->x_private = (char *)xdrs->x_private + len;
return (TRUE);
@@ -204,8 +209,9 @@
u_int len;
{
- if ((xdrs->x_handy -= len) < 0)
+ if (xdrs->x_handy < len)
return (FALSE);
+ xdrs->x_handy -= len;
memmove(xdrs->x_private, addr, len);
xdrs->x_private = (char *)xdrs->x_private + len;
return (TRUE);
Home |
Main Index |
Thread Index |
Old Index