From b0f2b0ccd4b2b95c00bdf773907ade413a29adf1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gwenol=C3=A9=20Beauchesne?= <gbeauchesne@mandriva.org>
Date: Tue, 19 Aug 2003 09:01:26 +0000
Subject: XDR security fix from glibc [CAN 2003-0028]

---
 mdk-stage1/dietlibc/librpc/xdr_mem.c   | 83 ++++++++++++++--------------------
 mdk-stage1/dietlibc/librpc/xdr_rec.c   |  4 +-
 mdk-stage1/dietlibc/librpc/xdr_stdio.c |  4 +-
 3 files changed, 37 insertions(+), 54 deletions(-)

(limited to 'mdk-stage1/dietlibc/librpc')

diff --git a/mdk-stage1/dietlibc/librpc/xdr_mem.c b/mdk-stage1/dietlibc/librpc/xdr_mem.c
index 5bc54cd4a..0f137b676 100644
--- a/mdk-stage1/dietlibc/librpc/xdr_mem.c
+++ b/mdk-stage1/dietlibc/librpc/xdr_mem.c
@@ -48,13 +48,13 @@ static char sccsid[] = "@(#)xdr_mem.c 1.19 87/08/11 Copyr 1984 Sun Micro";
 #include <netinet/in.h>
 #include <string.h>
 
-static bool_t xdrmem_getlong();
-static bool_t xdrmem_putlong();
+static bool_t xdrmem_getlong(XDR*, long*);
+static bool_t xdrmem_putlong(XDR*, const long*);
 static bool_t xdrmem_getbytes();
 static bool_t xdrmem_putbytes();
 static unsigned int xdrmem_getpos();
 static bool_t xdrmem_setpos();
-static int32_t *xdrmem_inline();
+static int32_t *xdrmem_inline(XDR*, unsigned int);
 static void xdrmem_destroy();
 
 static struct xdr_ops xdrmem_ops = {
@@ -95,54 +95,41 @@ static bool_t xdrmem_getlong(xdrs, lp)
 register XDR *xdrs;
 long *lp;
 {
+  if (xdrs->x_handy < 4) return FALSE;
+  xdrs->x_handy -= 4;
 
-	if ((xdrs->x_handy -= sizeof(long)) < 0)
-		return (FALSE);
-
-	*lp = (long) ntohl((unsigned long) (*((long *) (xdrs->x_private))));
-	xdrs->x_private += sizeof(long);
-
-	return (TRUE);
+  *lp = (int32_t) ntohl((*((int32_t *) (xdrs->x_private))));
+  xdrs->x_private += 4;
+  return TRUE;
 }
 
-static bool_t xdrmem_putlong(xdrs, lp)
-register XDR *xdrs;
-long *lp;
+static bool_t xdrmem_putlong(XDR* xdrs, const long* lp)
 {
+  if (xdrs->x_handy < 4) return FALSE;
+  xdrs->x_handy -= 4;
 
-	if ((xdrs->x_handy -= sizeof(long)) < 0)
-		return (FALSE);
-
-	*(long *) xdrs->x_private = (long) htonl((unsigned long) (*lp));
-	xdrs->x_private += sizeof(long);
+  *(int32_t *) xdrs->x_private = htonl(*lp);
+  xdrs->x_private += sizeof(long);
 
-	return (TRUE);
+  return (TRUE);
 }
 
-static bool_t xdrmem_getbytes(xdrs, addr, len)
-register XDR *xdrs;
-char* addr;
-register unsigned int len;
+static bool_t xdrmem_getbytes(XDR* xdrs, char* addr, unsigned int len)
 {
-
-	if ((xdrs->x_handy -= len) < 0)
-		return (FALSE);
-	memmove(addr, xdrs->x_private, len);
-	xdrs->x_private += len;
-	return (TRUE);
+  if (xdrs->x_handy < len) return FALSE;
+  xdrs->x_handy -= len;
+  memmove(addr, xdrs->x_private, len);
+  xdrs->x_private += len;
+  return TRUE;
 }
 
-static bool_t xdrmem_putbytes(xdrs, addr, len)
-register XDR *xdrs;
-char* addr;
-register unsigned int len;
+static bool_t xdrmem_putbytes(XDR* xdrs, char* addr, unsigned int len)
 {
-
-	if ((xdrs->x_handy -= len) < 0)
-		return (FALSE);
-	memmove(xdrs->x_private, addr, len);
-	xdrs->x_private += len;
-	return (TRUE);
+  if (xdrs->x_handy < len) return FALSE;
+  xdrs->x_handy -= len;
+  memmove(xdrs->x_private, addr, len);
+  xdrs->x_private += len;
+  return (TRUE);
 }
 
 static unsigned int xdrmem_getpos(xdrs)
@@ -156,19 +143,19 @@ static bool_t xdrmem_setpos(xdrs, pos)
 register XDR *xdrs;
 unsigned int pos;
 {
-	register char* newaddr = xdrs->x_base + pos;
-	register char* lastaddr = xdrs->x_private + xdrs->x_handy;
-
-	if ((long) newaddr > (long) lastaddr)
-		return (FALSE);
-	xdrs->x_private = newaddr;
-	xdrs->x_handy = (int) lastaddr - (int) newaddr;
-	return (TRUE);
+  register char* newaddr = xdrs->x_base + pos;
+  register char* lastaddr = xdrs->x_private + xdrs->x_handy;
+
+  if ((long) newaddr > (long) lastaddr || (long)newaddr<(long)xdrs->x_base)
+	  return (FALSE);
+  xdrs->x_private = newaddr;
+  xdrs->x_handy = (int) lastaddr - (int) newaddr;
+  return (TRUE);
 }
 
 static int32_t *xdrmem_inline(xdrs, len)
 register XDR *xdrs;
-int len;
+unsigned int len;
 {
 	int32_t *buf = 0;
 
diff --git a/mdk-stage1/dietlibc/librpc/xdr_rec.c b/mdk-stage1/dietlibc/librpc/xdr_rec.c
index 759a76108..54bd1a0c8 100644
--- a/mdk-stage1/dietlibc/librpc/xdr_rec.c
+++ b/mdk-stage1/dietlibc/librpc/xdr_rec.c
@@ -459,9 +459,7 @@ unsigned int pos;
 	return (FALSE);
 }
 
-static int32_t *xdrrec_inline(xdrs, len)
-register XDR *xdrs;
-int len;
+static int32_t *xdrrec_inline(XDR* xdrs, unsigned int len)
 {
 	register RECSTREAM *rstrm = (RECSTREAM *) xdrs->x_private;
 	int32_t *buf = NULL;
diff --git a/mdk-stage1/dietlibc/librpc/xdr_stdio.c b/mdk-stage1/dietlibc/librpc/xdr_stdio.c
index 1bc9ada16..405cc6a69 100644
--- a/mdk-stage1/dietlibc/librpc/xdr_stdio.c
+++ b/mdk-stage1/dietlibc/librpc/xdr_stdio.c
@@ -170,9 +170,7 @@ unsigned int pos;
 			FALSE : TRUE);
 }
 
-static int32_t *xdrstdio_inline(xdrs, len)
-XDR *xdrs;
-unsigned int len;
+static int32_t *xdrstdio_inline(XDR* xdrs, unsigned int len)
 {
 
 	/*
-- 
cgit v1.2.1