[Rpm-maint] [rpm-software-management/rpm] pgpGet(): check that the returned length is in bounds (#1706)

Panu Matilainen notifications at github.com
Fri Jun 18 09:00:50 UTC 2021


@pmatilai commented on this pull request.



> + * hold `nbytes + *valp` bytes.
+ * @param s		pointer to read from
+ * @param nbytes	length of length field
+ * @param send		pointer past end of buffer
+ * @param[out] *valp	decoded length
+ * @return		0 if buffer can hold `nbytes + *valp` of data,
+ * 			otherwise -1.
+ */
+static int pgpGet(const uint8_t *s, size_t nbytes, const uint8_t *send,
+		  size_t *valp)
+{
+    int rc = -1;
+
+    if (nbytes <= send - s &&
+	nbytes <= sizeof(size_t) &&
+	nbytes <= sizeof(unsigned int)) {
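
Review bot: the first test in the condition, `nbytes <= send - s`, compares a size_t against a signed pointer difference, so if a caller ever passes `send` below `s` the negative result is converted to a large unsigned value on common ABIs and the bound passes. Checking `s <= send` before the subtraction, or stating it as a precondition on the `@param send` line, would close that. The two sizeof tests also overlap: with `nbytes <= sizeof(unsigned int)` present, `nbytes <= sizeof(size_t)` adds nothing wherever unsigned int is no wider than size_t, and both tie the limit to the host's types. A single comparison against one named constant would state the intended maximum field width directly.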

It's the size_t in both here and pgpGrab() that looks totally bogus (the length of data in the message does NOT depend on the architecture of the computer it's being executed on). Checking for the size of an int (or "4") here is probably right.

There's no hard rule for indenting such cases except that the condition and the following code *must* be visibly separated from each other. When in doubt, `indent -kr` generally produces results close enuf for government work... And again, the kernel coding style provides excellent guidance on these matters. 

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/1706#discussion_r654265598
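
As an added example (not rpm's code and not part of the pull request), the C function below caps the length-field width at a fixed wire-format constant instead of a host `sizeof`, and checks the decoded length against the space left in the buffer. The name `len_get`, the `LEN_FIELD_MAX` value of 4, the big-endian byte order and the sample buffer are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Widest length field accepted: a property of the wire format, not of the
 * host's size_t or unsigned int (assumed here to be 4 octets). */
#define LEN_FIELD_MAX 4

/*
 * Hypothetical helper: decode an nbytes-wide big-endian length at s and
 * confirm that the length field plus the body it announces end before send.
 * Returns 0 and stores the length in *valp on success, -1 otherwise.
 */
static int len_get(const uint8_t *s, size_t nbytes, const uint8_t *send,
                   uint32_t *valp)
{
    size_t avail;
    uint32_t val = 0;

    if (s == NULL || send == NULL || valp == NULL || s > send)
        return -1;
    avail = (size_t)(send - s);     /* non-negative after the check above */

    if (nbytes > LEN_FIELD_MAX || nbytes > avail)
        return -1;

    for (size_t i = 0; i < nbytes; i++)
        val = (val << 8) | s[i];

    /* Compare against the remaining space; never compute nbytes + val,
     * which could wrap where size_t is 32 bits wide. */
    if (val > avail - nbytes)
        return -1;

    *valp = val;
    return 0;
}

int main(void)
{
    /* Constructed sample: 2-octet length 0x0003 followed by 3 body octets. */
    const uint8_t buf[] = { 0x00, 0x03, 0xaa, 0xbb, 0xcc };
    uint32_t len = 0;
    int rc = len_get(buf, 2, buf + sizeof(buf), &len);

    printf("rc=%d len=%u\n", rc, (unsigned)len);
    return rc == 0 ? 0 : 1;
}
```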