]> git.saurik.com Git - apple/launchd.git/commitdiff
projects / apple / launchd.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: f982396)
launchd-842.92.1.tar.gz master os-x-1094 os-x-1095 v842.92.1
authorApple <opensource@apple.com>
Wed, 13 Aug 2014 17:58:04 +0000 (17:58 +0000)
committerApple <opensource@apple.com>
Wed, 13 Aug 2014 17:58:04 +0000 (17:58 +0000)
liblaunch/liblaunch.c patch | blob | blame | history
src/core.c patch | blob | blame | history
src/log.c patch | blob | blame | history

diff --git a/liblaunch/liblaunch.c b/liblaunch/liblaunch.c
index 6cef3dd26cdc93b30418b706c40b34b74cb2e55b..67a0e073bba08413092d9a2062717bac96f83474 100644 (file)
--- a/liblaunch/liblaunch.c
+++ b/liblaunch/liblaunch.c
@@ -788,6 +788,10 @@ launch_data_unpack(void *data, size_t data_size, int *fds, size_t fd_cnt, size_t
        launch_data_t r = data + *data_offset;
        size_t i, tmpcnt;
 
+       //Check for integer underflow
+       if (data_size < *data_offset)
+               return NULL;
+
        if ((data_size - *data_offset) < sizeof(struct _launch_data))
                return NULL;
        *data_offset += sizeof(struct _launch_data);
@@ -796,6 +800,13 @@ launch_data_unpack(void *data, size_t data_size, int *fds, size_t fd_cnt, size_t
        case LAUNCH_DATA_DICTIONARY:
        case LAUNCH_DATA_ARRAY:
                tmpcnt = big2wire(r->_array_cnt);
+
+               //Check for integer overflows
+               if (tmpcnt > SIZE_MAX / sizeof(uint64_t)) {
+                       errno = EAGAIN;
+                       return NULL;
+               }
+
                if ((data_size - *data_offset) < (tmpcnt * sizeof(uint64_t))) {
                        errno = EAGAIN;
                        return NULL;
diff --git a/src/core.c b/src/core.c
index 61c4c3309c25d1abb5fc6c661aadee6ea514ba51..41308426f9debfe447a6b460ddde8e574f541565 100644 (file)
--- a/src/core.c
+++ b/src/core.c
@@ -9735,6 +9735,7 @@ job_mig_init_session(job_t j, name_t session_type, mach_port_t asport)
        if (j->mgr->session_initialized) {
                job_log(j, LOG_ERR, "Tried to initialize an already setup session!");
                kr = BOOTSTRAP_NOT_PRIVILEGED;
+               return kr;
        } else if (strcmp(session_type, VPROCMGR_SESSION_LOGINWINDOW) == 0) {
                jobmgr_t jmi;
 
diff --git a/src/log.c b/src/log.c
index 1bd8b4906b1114ba9ef2a643beec6c7cf71494f0..95a29ff6fecf41efc62350f9cc9d410e9c15da0d 100644 (file)
--- a/src/log.c
+++ b/src/log.c
@@ -347,6 +347,11 @@ launchd_log_forward(uid_t forward_uid, gid_t forward_gid, vm_offset_t inval, mac
                        break;
                }
 
+               if (lm_walk->obj_sz < sizeof(struct logmsg_s)) {
+                       launchd_syslog(LOG_WARNING, "Received bytes %llu are less than expected bytes %lu.", lm_walk->obj_sz, sizeof(struct logmsg_s));
+                       break;
+               }
+
                if (!(lm = malloc(lm_walk->obj_sz))) {
                        launchd_syslog(LOG_WARNING, "Failed to allocate %llu bytes for log message with %u bytes left in forwarded data. Ignoring remaining messages.", lm_walk->obj_sz, data_left);
                        break;
mirror of launchd