[CalendarServer-changes] [8041] CalendarServer/trunk/twext/python/sendmsg.c
source_changes at macosforge.org
source_changes at macosforge.org
Thu Sep 1 10:47:07 PDT 2011
Revision: 8041
http://trac.macosforge.org/projects/calendarserver/changeset/8041
Author: glyph at apple.com
Date: 2011-09-01 10:47:06 -0700 (Thu, 01 Sep 2011)
Log Message:
-----------
One more extremely obscure integer overflow condition.
Modified Paths:
--------------
CalendarServer/trunk/twext/python/sendmsg.c
Modified: CalendarServer/trunk/twext/python/sendmsg.c
===================================================================
--- CalendarServer/trunk/twext/python/sendmsg.c 2011-09-01 15:06:35 UTC (rev 8040)
+++ CalendarServer/trunk/twext/python/sendmsg.c 2011-09-01 17:47:06 UTC (rev 8041)
@@ -160,19 +160,28 @@
while ( (item = PyIter_Next(iterator)) ) {
int type, level;
Py_ssize_t data_len;
+ size_t prev_all_data_len;
char *data;
- if (!PyArg_ParseTuple(item, "iit#:sendmsg ancillary data (level, type, data)",
- &level,
- &type,
- &data,
- &data_len)) {
+ if (!PyArg_ParseTuple(
+ item, "iit#:sendmsg ancillary data (level, type, data)",
+ &level, &type, &data, &data_len)) {
Py_DECREF(item);
Py_DECREF(iterator);
return NULL;
}
+
+ prev_all_data_len = all_data_len;
all_data_len += CMSG_SPACE(data_len);
Py_DECREF(item);
+
+ if (all_data_len < prev_all_data_len) {
+ Py_DECREF(iterator);
+ PyErr_Format(PyExc_OverflowError,
+ "Too much msg_control to fit in a size_t: %zu",
+ prev_all_data_len);
+ return NULL;
+ }
}
Py_DECREF(iterator);
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.macosforge.org/pipermail/calendarserver-changes/attachments/20110901/032cda5a/attachment.html>
More information about the calendarserver-changes
mailing list