author | Brandon Philips <brandon@ifup.org> | 2009-12-17 16:30:43 -0800 |
---|---|---|
committer | Brandon Philips <brandon@ifup.org> | 2009-12-17 16:30:43 -0800 |
commit | 2e8f820c8c5ab0ab9444398cc122e3a63fa4bc3e (patch) | |
tree | e4405879bea8ea1894dd0947ee75de65fc30cf5f | |
parent | a1815d4ad4ffe84e8f7d128a38955e3dab306e0d (diff) | |
download | acl-2e8f820c8c5ab0ab9444398cc122e3a63fa4bc3e.tar.gz |
libacl: fix potential null pointer dereference
stanse found that acl_copy_int() dereferences ext_acl when initializing
ent_p and then only later checks whether ext_acl is NULL.
Delay initializing ent_p and size until the NULL check has been made on
ext_acl.
Fix this bug:
https://bugzilla.novell.com/show_bug.cgi?id=564733
Signed-off-by: Brandon Philips <bphilips@suse.de>
-rw-r--r-- | libacl/acl_copy_int.c | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/libacl/acl_copy_int.c b/libacl/acl_copy_int.c
index e58bbe3..7bcb0c9 100644
--- a/libacl/acl_copy_int.c
+++ b/libacl/acl_copy_int.c
@@ -27,17 +27,18 @@ acl_t
 acl_copy_int(const void *buf_p)
 {
 	const struct __acl *ext_acl = (struct __acl *)buf_p;
-	const struct __acl_entry *ent_p = ext_acl->x_entries, *end_p;
-	size_t size = ext_acl ? ext_acl->x_size : 0;
+	const struct __acl_entry *ent_p, *end_p;
+	size_t size;
 	int entries;
 	acl_obj *acl_obj_p;
 	acl_entry_obj *entry_obj_p;
 
-	if (!ext_acl || size < sizeof(struct __acl)) {
+	if (!ext_acl || ext_acl->x_size < sizeof(struct __acl)) {
 		errno = EINVAL;
 		return NULL;
 	}
-	size -= sizeof(struct __acl);
+	ent_p = ext_acl->x_entries;
+	size = ext_acl->x_size - sizeof(struct __acl);
 	if (size % sizeof(struct __acl_entry)) {
 		errno = EINVAL;
 		return NULL;
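Review bot: The new validity check on `ext_acl->x_size` is taken from inside the buffer being parsed and is never bounded against the real length of `buf_p`, so a truncated or crafted external representation whose `x_size` is larger than the allocation will be accepted here and the entry walk that `ent_p`/`end_p` set up can read past the buffer; this is inherent to the POSIX.1e `acl_copy_int(const void *)` signature, which carries no length, but the trust assumption is undocumented. I would add, above the new `if (!ext_acl || ext_acl->x_size < sizeof(struct __acl))` line, `/* x_size is read from the buffer itself and cannot be verified here: the caller must pass a buffer produced by acl_copy_ext() that is at least x_size bytes long. */`. The `int entries` declared in the hunk suggests `size / sizeof(struct __acl_entry)` is later narrowed to `int`; if that is the case, a guard against `x_size` values large enough to overflow `int` would be worth adding alongside the `% sizeof` check. The body of acl_copy_int continues past the end of the hunk, so the consuming loop is not visible here.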