From: Serge Hallyn <serge@hallyn.com>
Date: Sun, 14 Aug 2016 23:05:00 +0000 (-0500)
Subject: idmapping: add more checks for overflow
X-Git-Tag: 4.3.1~1
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=ff2baed5dbf81e8967b805889f565fedb48600df;p=shadow

idmapping: add more checks for overflow

At this point they are redundant but should be safe.  Thanks to
Sebastian Krahmer for the first check.
---

diff --git a/libmisc/idmapping.c b/libmisc/idmapping.c
index 625a07a0..db254fcb 100644
--- a/libmisc/idmapping.c
+++ b/libmisc/idmapping.c
@@ -83,16 +83,26 @@ struct map_range *get_map_ranges(int ranges, int argc, char **argv)
 			free(mappings);
 			return NULL;
 		}
+		if (ULONG_MAX - mapping->upper <= mapping->count || ULONG_MAX - mapping->lower <= mapping->count) {
+			fprintf(stderr, _( "%s: subuid overflow detected.\n"), Prog);
+			exit(EXIT_FAILURE);
+		}
 		if (mapping->upper > UINT_MAX ||
 			mapping->lower > UINT_MAX ||
 			mapping->count > UINT_MAX)  {
-			free(mappings);
-			return NULL;
+			fprintf(stderr, _( "%s: subuid overflow detected.\n"), Prog);
+			exit(EXIT_FAILURE);
+		}
+		if (mapping->lower + mapping->count > UINT_MAX ||
+				mapping->upper + mapping->count > UINT_MAX) {
+			fprintf(stderr, _( "%s: subuid overflow detected.\n"), Prog);
+			exit(EXIT_FAILURE);
 		}
 		if (mapping->lower + mapping->count < mapping->lower ||
 				mapping->upper + mapping->count < mapping->upper) {
-			free(mapping);
-			return NULL;
+			/* this one really shouldn't be possible given previous checks */
+			fprintf(stderr, _( "%s: subuid overflow detected.\n"), Prog);
+			exit(EXIT_FAILURE);
 		}
 	}
 	return mappings;