launchd-842.92.1.tar.gz master os-x-1094 os-x-1095 v842.92.1
authorApple <opensource@apple.com>
Wed, 13 Aug 2014 17:58:04 +0000 (17:58 +0000)
committerApple <opensource@apple.com>
Wed, 13 Aug 2014 17:58:04 +0000 (17:58 +0000)
liblaunch/liblaunch.c
src/core.c
src/log.c

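--- a/liblaunch/liblaunch.c
+++ b/liblaunch/liblaunch.c
@@ -788,6 +788,10 @@ launch_data_unpack(void *data, size_t data_size, int *fds, size_t fd_cnt, size_t
        launch_data_t r = data + *data_offset;
        size_t i, tmpcnt;
 
+       //Check for integer underflow
+       if (data_size < *data_offset)
+               return NULL;
+
        if ((data_size - *data_offset) < sizeof(struct _launch_data))
                return NULL;
        *data_offset += sizeof(struct _launch_data);
@@ -796,6 +800,13 @@ launch_data_unpack(void *data, size_t data_size, int *fds, size_t fd_cnt, size_t
        case LAUNCH_DATA_DICTIONARY:
        case LAUNCH_DATA_ARRAY:
                tmpcnt = big2wire(r->_array_cnt);
+
+               //Check for integer overflows
+               if (tmpcnt > SIZE_MAX / sizeof(uint64_t)) {
+                       errno = EAGAIN;
+                       return NULL;
+               }
+
                if ((data_size - *data_offset) < (tmpcnt * sizeof(uint64_t))) {
                        errno = EAGAIN;
                        return NULL;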
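Review bot: The overflow guard added in the LAUNCH_DATA_DICTIONARY/LAUNCH_DATA_ARRAY case reports an impossible element count with `errno = EAGAIN`, the same value the short-buffer check right after it uses. A count above `SIZE_MAX / sizeof(uint64_t)` can never be satisfied by more input, so if callers treat EAGAIN as "wait for more data" (they are not visible here) a malformed message looks the same as a truncated one; `errno = EINVAL;` in the new branch would keep the two apart. The comment could also name what would wrap, e.g. `// tmpcnt * sizeof(uint64_t) in the bounds check below must not wrap`. The underflow check added in the first hunk returns NULL without setting errno, matching the existing check beneath it; the body of launch_data_unpack continues outside both hunks.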
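--- a/src/core.c
+++ b/src/core.c
@@ -9735,6 +9735,7 @@ job_mig_init_session(job_t j, name_t session_type, mach_port_t asport)
        if (j->mgr->session_initialized) {
                job_log(j, LOG_ERR, "Tried to initialize an already setup session!");
                kr = BOOTSTRAP_NOT_PRIVILEGED;
+               return kr;
        } else if (strcmp(session_type, VPROCMGR_SESSION_LOGINWINDOW) == 0) {
                jobmgr_t jmi;
 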
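Review bot: The added `return kr;` in the already-initialized branch carries no comment saying why this branch must now leave the function instead of falling out of the if/else chain as it did before. The statements after the chain are outside the hunk, so presumably they are what must not run for a session that is already set up; a comment such as `/* Do not fall through: nothing below may run for an already-initialized session. */` would record that for the next maintainer. With the early exit in place the assignment is redundant, and the two lines can be written as `return BOOTSTRAP_NOT_PRIVILEGED;`.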
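--- a/src/log.c
+++ b/src/log.c
@@ -347,6 +347,11 @@ launchd_log_forward(uid_t forward_uid, gid_t forward_gid, vm_offset_t inval, mac
                        break;
                }
 
+               if (lm_walk->obj_sz < sizeof(struct logmsg_s)) {
+                       launchd_syslog(LOG_WARNING, "Received bytes %llu are less than expected bytes %lu.", lm_walk->obj_sz, sizeof(struct logmsg_s));
+                       break;
+               }
+
                if (!(lm = malloc(lm_walk->obj_sz))) {
                        launchd_syslog(LOG_WARNING, "Failed to allocate %llu bytes for log message with %u bytes left in forwarded data. Ignoring remaining messages.", lm_walk->obj_sz, data_left);
                        break;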
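Review bot: In the added size check, `sizeof(struct logmsg_s)` is a `size_t` but is printed with `%lu`; `%zu` is the matching specifier: `launchd_syslog(LOG_WARNING, "Received bytes %llu are less than expected bytes %zu.", lm_walk->obj_sz, sizeof(struct logmsg_s));`. The new check only sets a lower bound on the sender-supplied `obj_sz`. Whether it is also capped by `data_left` before the `malloc` depends on the lines above the hunk, which are not visible, so that is worth confirming. The new branch also stops processing the remaining messages, as the allocation-failure path does, but its log text does not say so.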