
Anonymous committed 30431c6

Check for buffer overflow in xdr_string.

Signed-off-by: Steve Dickson <steved@redhat.com>

  • Parent commits 1c9e6b9


Files changed (1)

 		}
 		/* FALLTHROUGH */
 	case XDR_ENCODE:
+		if (sp == NULL)
+			return FALSE;
 		size = strlen(sp);
 		break;
 	case XDR_DECODE:
 		return (FALSE);
 	}
 	nodesize = size + 1;
+	if (nodesize == 0) {
+		/* This means an overflow.  It a bug in the caller which
+		 * provided a too large maxsize but nevertheless catch it
+		 * here.
+		 */
+		return FALSE;
+	}
 
 	/*
 	 * now deal with the actual bytes
 	switch (xdrs->x_op) {
 
 	case XDR_DECODE:
-		if (nodesize == 0) {
-			return (TRUE);
-		}
 		if (sp == NULL)
 			*cpp = sp = mem_alloc(nodesize);
 		if (sp == NULL) {
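Review bot: The new `nodesize == 0` guard only catches the one case where `size` is exactly the maximum of its type, and on the XDR_FREE/XDR_ENCODE path `size = strlen(sp)` may already have narrowed a `size_t` if `size` is a 32-bit unsigned (its declaration is outside the visible lines, so this is an assumption to confirm). On an LP64 target a string longer than that maximum would then pass the guard with a truncated length. Taking the length into a `size_t` first and rejecting it before the assignment would close that gap, e.g. `size_t len = strlen(sp);` / `if (len >= UINT_MAX) return FALSE;` / `size = len;`. The guard also now runs for every `x_op`, including XDR_FREE, which the comment should say; the comment itself has a typo and should read `It is a bug in the caller which provided a too large maxsize`. The function body starts before and continues after the lines shown here.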