diff options
author | Dag-Erling Smørgrav <des@FreeBSD.org> | 2025-08-06 13:49:37 +0000 |
---|---|---|
committer | Dag-Erling Smørgrav <des@FreeBSD.org> | 2025-08-06 13:49:37 +0000 |
commit | 3caee2a93f235ebcfe3a8ec99eb2c3f3e5b0438f (patch) | |
tree | 61cb0c14d1142feba0bc47bd0b87e13f5acfcb27 /secure/lib/libcrypto/man/man3/(developers-only) | |
parent | 3456a0de9465335d4f1190b6a57abfeaf1639f4b (diff) |
The data size check, as currently written, can be defeated by providing
a very large number that rounds up to 0, which will pass the check
(because zero plus the size of the header and name is smaller than the
size of the message) but cause a segfault later when used to index the
data array.
Rewrite the data size check to take rounding into account, and add a
cast to ensure the name size can't round up to zero.
MFC after: 1 week
PR: 266827
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D51615
Diffstat (limited to 'secure/lib/libcrypto/man/man3/(developers-only)')
0 files changed, 0 insertions, 0 deletions