Bug 1027905
| Summary: | adcli: technically wrong length checks in binary parsers | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Florian Weimer <fweimer> |
| Component: | adcli | Assignee: | Sumit Bose <sbose> |
| Status: | CLOSED ERRATA | QA Contact: | Stefan Dordevic <sdordevi> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.0 | CC: | pkis, sbose, sdordevi |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | adcli-0.8.1-1.el7 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-11-04 06:21:42 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1027886 | ||
Makes sense, but as you noted is non-critical. Bumping to next release. Will fix upstream in the meantime. Fixed in git master upstream. This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2428.html |
library/addisco.c has several comparison like the check in this function: static unsigned short get_16 (unsigned char **p, unsigned char *end) { unsigned short val; if ((*p) + 2 > end) return 0; val = ns_get16 (*p); (*p) += 2; return val; } The problem is that a pointer that points after the element after the last element in the buffer is invalid. Depending on how this function is call, a smart compiler could optimize away such checks. The comparison should be written like this: if (end - (*p) < 2)