From db6e1f035de2541b962ea85181d31d78835ed3cd Mon Sep 17 00:00:00 2001
From: dtucker <>
Date: Fri, 14 Oct 2016 18:19:04 +0000
Subject: [PATCH] Cast pointers to uintptr_t to avoid potential signedness errors. Based on patch from yuanjie.huang at windriver.com via OpenSSH bz#2608, with & ok millert, ok deraadt.
---
 src/lib/libc/string/strlcat.c | 12 +++++++++---
 src/lib/libc/string/strlcpy.c | 10 ++++++++--
 src/lib/libc/string/strnlen.c | 9 +++++++--
 3 files changed, 24 insertions(+), 7 deletions(-)
diff --git a/src/lib/libc/string/strlcat.c b/src/lib/libc/string/strlcat.c
index 073b0d42..410f448b 100644
--- a/src/lib/libc/string/strlcat.c
+++ b/src/lib/libc/string/strlcat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: strlcat.c,v 1.16 2015/08/31 02:53:57 guenther Exp $ */
+/* $OpenBSD: strlcat.c,v 1.17 2016/10/14 18:19:04 dtucker Exp $ */
 /*
 * Copyright (c) 1998, 2015 Todd C. Miller
@@ -18,6 +18,7 @@
 #include
 #include
+#include
 /*
 * Appends src to string dst of size dsize (unlike strncat, dsize is the
@@ -37,7 +38,7 @@ strlcat(char *dst, const char *src, size_t dsize)
 /* Find the end of dst and adjust bytes left but don't go past end. */
 while (n-- != 0 && *dst != '\0')
 dst++;
- dlen = dst - odst;
+ dlen = (uintptr_t)dst - (uintptr_t)odst;
 n = dsize - dlen;
 if (n-- == 0)
@@ -51,6 +52,11 @@ strlcat(char *dst, const char *src, size_t dsize)
 }
 *dst = '\0';
- return(dlen + (src - osrc)); /* count does not include NUL */
+ /*
+ * Cast pointers to unsigned type before calculation, to avoid signed
+ * overflow when the string ends where the MSB has changed.
+ * Return value does not include NUL.
+ */
+ return (dlen + ((uintptr_t)src - (uintptr_t)osrc));
 }
 DEF_WEAK(strlcat);
diff --git a/src/lib/libc/string/strlcpy.c b/src/lib/libc/string/strlcpy.c
index 5fcf084a..f2828346 100644
--- a/src/lib/libc/string/strlcpy.c
+++ b/src/lib/libc/string/strlcpy.c
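Review bot: In strlcat.c the new `dlen = (uintptr_t)dst - (uintptr_t)odst;` has no comment of its own; the rationale appears only above the final return in a later hunk, so a reader of this line sees an unexplained integer cast on two pointers. A short comment on the line would be enough, for example `/* subtract the addresses as unsigned integers; see the comment above the return */`. It would also help to state once that this relies on the pointer-to-integer conversion preserving byte distances, which C leaves implementation-defined. The body of strlcat starts and ends outside this hunk.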
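Review bot: The new return in strlcat.c, `return (dlen + ((uintptr_t)src - (uintptr_t)osrc));`, and the one in strlcpy.c, `return((uintptr_t)src - (uintptr_t)osrc - 1);`, convert from uintptr_t to the size_t return type implicitly, while the strnlen.c hunk of the same commit writes the conversion out as `(size_t)(...)`. Callers commonly compare these return values with the destination size to detect truncation, so the width of the result is worth making explicit and consistent: `return (dlen + (size_t)((uintptr_t)src - (uintptr_t)osrc));` and `return ((size_t)((uintptr_t)src - (uintptr_t)osrc - 1));`. On an ABI where uintptr_t is wider than size_t the current form would narrow silently. strlcat's body starts outside the hunk.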
@@ -1,4 +1,4 @@
-/* $OpenBSD: strlcpy.c,v 1.13 2015/08/31 02:53:57 guenther Exp $ */
+/* $OpenBSD: strlcpy.c,v 1.14 2016/10/14 18:19:04 dtucker Exp $ */
 /*
 * Copyright (c) 1998, 2015 Todd C. Miller
@@ -18,6 +18,7 @@
 #include
 #include
+#include
 /*
 * Copy string src to buffer dst of size dsize. At most dsize-1
@@ -46,6 +47,11 @@ strlcpy(char *dst, const char *src, size_t dsize)
 ;
 }
- return(src - osrc - 1); /* count does not include NUL */
+ /*
+ * Cast pointers to unsigned type before calculation, to avoid signed
+ * overflow when the string ends where the MSB has changed.
+ * Return value does not include NUL.
+ */
+ return((uintptr_t)src - (uintptr_t)osrc - 1);
 }
 DEF_WEAK(strlcpy);
diff --git a/src/lib/libc/string/strnlen.c b/src/lib/libc/string/strnlen.c
index 26e9743f..33c3b6e2 100644
--- a/src/lib/libc/string/strnlen.c
+++ b/src/lib/libc/string/strnlen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: strnlen.c,v 1.6 2015/08/31 02:53:57 guenther Exp $ */
+/* $OpenBSD: strnlen.c,v 1.7 2016/10/14 18:19:04 dtucker Exp $ */
 /*
 * Copyright (c) 2010 Todd C. Miller
@@ -19,6 +19,7 @@
 #include
 #include
+#include
 size_t
 strnlen(const char *str, size_t maxlen)
@@ -28,6 +29,10 @@ strnlen(const char *str, size_t maxlen)
 for (cp = str; maxlen != 0 && *cp != '\0'; cp++, maxlen--)
 ;
- return (size_t)(cp - str);
+ /*
+ * Cast pointers to unsigned type before calculation, to avoid signed
+ * overflow when the string ends where the MSB has changed.
+ */
+ return (size_t)((uintptr_t)cp - (uintptr_t)str);
 }
 DEF_WEAK(strnlen);
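Review bot: The added comment in strlcpy.c says the overflow happens "when the string ends where the MSB has changed", which names neither the value that overflows nor the reason; the same wording is repeated in strlcat.c and strnlen.c. Going by the commit message, the concern seems to be that the pointer difference is a signed ptrdiff_t, so wording such as `Subtracting the pointers gives a signed ptrdiff_t, and the computation may overflow when src and osrc lie on opposite sides of the address-space midpoint; subtract the addresses as unsigned integers instead.` would state the condition directly. As a style point, this hunk keeps `return(` without a space where the strlcat.c hunk of the same commit switched to `return (`. strlcpy's body starts outside the hunk.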
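Review bot: Nothing in this commit exercises the case that the new `return (size_t)((uintptr_t)cp - (uintptr_t)str);` in strnlen.c is written for; the diffstat lists only the three libc sources. A regression test would place a short string across the midpoint of the address space, on a 32-bit target where such a mapping can be obtained, and check the return values of strnlen, strlcpy and strlcat. That would keep a later cleanup from removing the casts as redundant. If such a test already lives elsewhere in the tree, naming it in the new comment would be enough.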