Git init
1 commit 2e8f820c8c5ab0ab9444398cc122e3a63fa4bc3e
2 Author: Brandon Philips <brandon@ifup.org>
3 Date:   Thu Dec 17 16:30:43 2009 -0800
4
5     libacl: fix potential null pointer dereference
6     
7     stanse found that acl_copy_int() dereferences ext_acl when initializing
8     ent_p and then later checks if ext_acl is NULL.
9     
10     Delay initializing ent_p and size until the NULL check has been made on
11     ext_acl.
12     
13     Fix this bug:
14      https://bugzilla.novell.com/show_bug.cgi?id=564733
15     
16     Signed-off-by: Brandon Philips <bphilips@suse.de>
17
18 diff --git a/libacl/acl_copy_int.c b/libacl/acl_copy_int.c
19 index e58bbe3..7bcb0c9 100644
20 --- a/libacl/acl_copy_int.c
21 +++ b/libacl/acl_copy_int.c
22 @@ -27,17 +27,18 @@ acl_t
23  acl_copy_int(const void *buf_p)
24  {
25         const struct __acl *ext_acl = (struct __acl *)buf_p;
26 -       const struct __acl_entry *ent_p = ext_acl->x_entries, *end_p;
27 -       size_t size = ext_acl ? ext_acl->x_size : 0;
28 +       const struct __acl_entry *ent_p, *end_p;
29 +       size_t size;
30         int entries;
31         acl_obj *acl_obj_p;
32         acl_entry_obj *entry_obj_p;
33  
34 -       if (!ext_acl || size < sizeof(struct __acl)) {
35 +       if (!ext_acl || ext_acl->x_size < sizeof(struct __acl)) {
36                 errno = EINVAL;
37                 return NULL;
38         }
39 -       size -= sizeof(struct __acl);
40 +       ent_p = ext_acl->x_entries;
41 +       size = ext_acl->x_size - sizeof(struct __acl);
42         if (size % sizeof(struct __acl_entry)) {
43                 errno = EINVAL;
44                 return NULL;
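Review bot: The new guard `ext_acl->x_size < sizeof(struct __acl)` and the assignment `size = ext_acl->x_size - sizeof(struct __acl)` take the length from the very buffer being parsed, and acl_copy_int() has no parameter giving the real size of buf_p, so nothing in this hunk bounds x_size from above. If buf_p can come from an untrusted source, the entry reads that follow (presumably a walk up to end_p, outside this hunk) depend on the caller having already confirmed that the buffer holds x_size bytes. I would document that contract on the function, e.g. `/* buf_p must point to at least ext_acl->x_size bytes; the caller validates this, since no length is passed in. */`. Separately, the context cast `(struct __acl *)buf_p` drops the const qualifier and could read `(const struct __acl *)buf_p`. The function body continues past the end of the hunk.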