debian/patches/84_07-Security-Refuse-negative-and-large-store-allocations.patch

   1 From 5fd6af5815401dc60e8fe4309258911aa41d3013 Mon Sep 17 00:00:00 2001
   2 From: Qualys Security Advisory <qsa@qualys.com>
   3 Date: Sun, 21 Feb 2021 19:40:21 -0800
   4 Subject: [PATCH 07/29] Security: Refuse negative and large store allocations
   5
   6 Based on Phil Pennock's commits b34d3046 and e6c1606a.
   7 ---
   8  src/store.c | 29 ++++++++++++++++++++++++++++-
   9  1 file changed, 28 insertions(+), 1 deletion(-)
  10
  11 diff --git a/src/store.c b/src/store.c
  12 index b52799132..a2a80f631 100644
  13 --- a/src/store.c
  14 +++ b/src/store.c
  15 @@ -128,6 +128,12 @@ Returns:      pointer to store (panic on malloc failure)
  16  void *
  17  store_get_3(int size, const char *filename, int linenumber)
  18  {
  19 +if (size < 0 || size > INT_MAX/2)
  20 +  {
  21 +  log_write(0, LOG_MAIN|LOG_PANIC_DIE,
  22 +          "bad memory allocation requested (%d bytes)",
  23 +          size);
  24 +  }
  25  /* Round up the size to a multiple of the alignment. Although this looks a
  26  messy statement, because "alignment" is a constant expression, the compiler can
  27  do a reasonable job of optimizing, especially if the value of "alignment" is a
  28 @@ -270,6 +276,13 @@ store_extend_3(void *ptr, int oldsize, int newsize, const char *filename,
  29  int inc = newsize - oldsize;
  30  int rounded_oldsize = oldsize;
  31
  32 +if (oldsize < 0 || newsize < oldsize || newsize >= INT_MAX/2)
  33 +  {
  34 +  log_write(0, LOG_MAIN|LOG_PANIC_DIE,
  35 +          "bad memory extension requested (%d -> %d bytes)",
  36 +          oldsize, newsize);
  37 +  }
  38 +
  39  if (rounded_oldsize % alignment != 0)
  40    rounded_oldsize += alignment - (rounded_oldsize % alignment);
  41
  42 @@ -508,7 +521,16 @@ store_newblock_3(void * block, int newsize, int len,
  43    const char * filename, int linenumber)
  44  {
  45  BOOL release_ok = store_last_get[store_pool] == block;
  46 -uschar * newtext = store_get(newsize);
  47 +uschar * newtext;
  48 +
  49 +if (len < 0 || len > newsize)
  50 +  {
  51 +  log_write(0, LOG_MAIN|LOG_PANIC_DIE,
  52 +            "bad memory extension requested (%d -> %d bytes)",
  53 +            len, newsize);
  54 +  }
  55 +
  56 +newtext = store_get(newsize);
  57
  58  memcpy(newtext, block, len);
  59  if (release_ok) store_release_3(block, filename, linenumber);
  60 @@ -539,6 +561,11 @@ store_malloc_3(int size, const char *filename, int linenumber)
  61  {
  62  void *yield;
  63
  64 +if (size < 0 || size >= INT_MAX/2)
  65 +  log_write(0, LOG_MAIN|LOG_PANIC_DIE,
  66 +      "bad memory allocation requested (%d bytes)",
  67 +      size);
  68 +
  69  if (size < 16) size = 16;
  70
  71  if (!(yield = malloc((size_t)size)))
  72 --
  73 2.30.2
  74