Gitweb:
https://git.exim.org/exim.git/commitdiff/9232671764ff40285d5b1b846a118fc80020dd64
Commit: 9232671764ff40285d5b1b846a118fc80020dd64
Parent: 5e4fd0533c99c75cb27137ab469e2ce1e3efaf72
Author: Heiko Schlittermann (HS12-RIPE) <hs@???>
AuthorDate: Mon Mar 29 23:02:34 2021 +0200
Committer: Heiko Schlittermann (HS12-RIPE) <hs@???>
CommitDate: Thu May 27 21:30:48 2021 +0200
SECURITY: Refuse negative and large store allocations
Based on Phil Pennock's commits b34d3046 and e6c1606a. Done by Qualys.
(cherry picked from commit 09d36bd64fc5bf71d8882af35c41ac4e8599acc1)
(cherry picked from commit f9c58fb385343b8e3fa13988efcbd30ae3285ea7)
---
src/src/store.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/src/src/store.c b/src/src/store.c
index a038c4a..2a32e9b 100644
--- a/src/src/store.c
+++ b/src/src/store.c
@@ -274,12 +274,10 @@ A zero size might be also suspect, but our internal usage deliberately
does this to return a current watermark value for a later release of
allocated store. */
-if (size < 0)
- {
+if (size < 0 || size >= INT_MAX/2)
log_write(0, LOG_MAIN|LOG_PANIC_DIE,
"bad memory allocation requested (%d bytes) at %s %d",
size, func, linenumber);
- }
/* Round up the size to a multiple of the alignment. Although this looks a
messy statement, because "alignment" is a constant expression, the compiler can
@@ -430,12 +428,10 @@ int pool = tainted ? store_pool + POOL_TAINT_BASE : store_pool;
int inc = newsize - oldsize;
int rounded_oldsize = oldsize;
-if (newsize < 0)
- {
+if (oldsize < 0 || newsize < oldsize || newsize >= INT_MAX/2)
log_write(0, LOG_MAIN|LOG_PANIC_DIE,
"bad memory extension requested (%d -> %d bytes) at %s %d",
oldsize, newsize, func, linenumber);
- }
/* Check that the block being extended was already of the required taint status;
refuse to extend if not. */
@@ -804,6 +800,11 @@ if (is_tainted(block) != tainted)
die_tainted(US"store_newblock", CUS func, linenumber);
#endif
+if (len < 0 || len > newsize)
+ log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+ "bad memory extension requested (%d -> %d bytes) at %s %d",
+ len, newsize, func, linenumber);
+
newtext = store_get(newsize, tainted);
memcpy(newtext, block, len);
if (release_ok) store_release_3(block, pool, func, linenumber);
@@ -834,6 +835,11 @@ internal_store_malloc(int size, const char *func, int line)
{
void * yield;
+if (size < 0 || size >= INT_MAX/2)
+ log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+ "bad memory allocation requested (%d bytes) at %s %d",
+ size, func, line);
+
size += sizeof(int); /* space to store the size, used under debug */
if (size < 16) size = 16;
