diff options
author | Yuanjie Huang <yuanjie.huang@windriver.com> | 2016-08-26 09:57:33 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-09-20 15:10:36 +0100 |
commit | 2ce02941300aa3e826df0c59fd8d4ce19950028e (patch) | |
tree | bd2697f0ae74ed16ed96c269f4a68fcbaa00def8 | |
parent | c687c9fcc010947f52e1cd153ea74ae5f6343ca4 (diff) | |
download | openembedded-core-2ce02941300aa3e826df0c59fd8d4ce19950028e.tar.gz openembedded-core-2ce02941300aa3e826df0c59fd8d4ce19950028e.tar.bz2 openembedded-core-2ce02941300aa3e826df0c59fd8d4ce19950028e.zip |
openssh: fix potential signed overflow to enable compilation with -ftrapv
Pointer arithmatic results in implementation defined signed integer
type, so that 's - src' in strlcpy and others may trigger signed overflow.
In case of compilation by gcc or clang with -ftrapv option, the overflow
would lead to program abort.
Upstream-status: Submitted [https://bugzilla.mindrot.org/show_bug.cgi?id=2608]
Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
-rw-r--r-- | meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch | 99 | ||||
-rw-r--r-- | meta/recipes-connectivity/openssh/openssh_7.3p1.bb | 1 |
2 files changed, 100 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch b/meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch new file mode 100644 index 0000000000..df64a140d3 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch @@ -0,0 +1,99 @@ +From 3328e98bcbf2930cd7eea3e6c92ad5dcbdf4794f Mon Sep 17 00:00:00 2001 +From: Yuanjie Huang <yuanjie.huang@windriver.com> +Date: Wed, 24 Aug 2016 03:15:43 +0000 +Subject: [PATCH] Fix potential signed overflow in pointer arithmatic + +Pointer arithmatic results in implementation defined signed integer +type, so that 's - src' in strlcpy and others may trigger signed overflow. +In case of compilation by gcc or clang with -ftrapv option, the overflow +would lead to program abort. + +Upstream-status: Submitted [http://bugzilla.mindrot.org/show_bug.cgi?id=2608] + +Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com> +--- + openbsd-compat/strlcat.c | 8 ++++++-- + openbsd-compat/strlcpy.c | 8 ++++++-- + openbsd-compat/strnlen.c | 8 ++++++-- + 3 files changed, 18 insertions(+), 6 deletions(-) + +diff --git a/openbsd-compat/strlcat.c b/openbsd-compat/strlcat.c +index bcc1b61..e758ebf 100644 +--- a/openbsd-compat/strlcat.c ++++ b/openbsd-compat/strlcat.c +@@ -23,6 +23,7 @@ + + #include <sys/types.h> + #include <string.h> ++#include <stdint.h> + + /* + * Appends src to string dst of size siz (unlike strncat, siz is the +@@ -55,8 +56,11 @@ strlcat(char *dst, const char *src, size_t siz) + s++; + } + *d = '\0'; +- +- return(dlen + (s - src)); /* count does not include NUL */ ++ /* ++ * Cast pointers to unsigned type before calculation, to avoid signed ++ * overflow when the string ends where the MSB has changed. ++ */ ++ return (dlen + ((uintptr_t)s - (uintptr_t)src)); /* count does not include NUL */ + } + + #endif /* !HAVE_STRLCAT */ +diff --git a/openbsd-compat/strlcpy.c b/openbsd-compat/strlcpy.c +index b4b1b60..b06f374 100644 +--- a/openbsd-compat/strlcpy.c ++++ b/openbsd-compat/strlcpy.c +@@ -23,6 +23,7 @@ + + #include <sys/types.h> + #include <string.h> ++#include <stdint.h> + + /* + * Copy src to string dst of size siz. At most siz-1 characters +@@ -51,8 +52,11 @@ strlcpy(char *dst, const char *src, size_t siz) + while (*s++) + ; + } +- +- return(s - src - 1); /* count does not include NUL */ ++ /* ++ * Cast pointers to unsigned type before calculation, to avoid signed ++ * overflow when the string ends where the MSB has changed. ++ */ ++ return ((uintptr_t)s - (uintptr_t)src - 1); /* count does not include NUL */ + } + + #endif /* !HAVE_STRLCPY */ +diff --git a/openbsd-compat/strnlen.c b/openbsd-compat/strnlen.c +index 93d5155..9b8de5d 100644 +--- a/openbsd-compat/strnlen.c ++++ b/openbsd-compat/strnlen.c +@@ -23,6 +23,7 @@ + #include <sys/types.h> + + #include <string.h> ++#include <stdint.h> + + size_t + strnlen(const char *str, size_t maxlen) +@@ -31,7 +32,10 @@ strnlen(const char *str, size_t maxlen) + + for (cp = str; maxlen != 0 && *cp != '\0'; cp++, maxlen--) + ; +- +- return (size_t)(cp - str); ++ /* ++ * Cast pointers to unsigned type before calculation, to avoid signed ++ * overflow when the string ends where the MSB has changed. ++ */ ++ return (size_t)((uintptr_t)cp - (uintptr_t)str); + } + #endif +-- +1.9.1 + diff --git a/meta/recipes-connectivity/openssh/openssh_7.3p1.bb b/meta/recipes-connectivity/openssh/openssh_7.3p1.bb index b31972649d..039b0ffdde 100644 --- a/meta/recipes-connectivity/openssh/openssh_7.3p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_7.3p1.bb @@ -24,6 +24,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar file://run-ptest \ file://openssh-7.1p1-conditional-compile-des-in-cipher.patch \ file://openssh-7.1p1-conditional-compile-des-in-pkcs11.patch \ + file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \ " PAM_SRC_URI = "file://sshd" |