From: Guy Harris
Date: Fri, 4 Oct 2019 00:29:04 +0000 (-0700)
Subject: Do the 32-bit overflow check more cleanly.
X-Git-Tag: libpcap-1.10-bp~406
X-Git-Url: https://git.tcpdump.org/libpcap/commitdiff_plain/432b46e390402acc684c9ae26e44a21c97f143dd
Do the 32-bit overflow check more cleanly.
---
diff --git a/rpcapd/daemon.c b/rpcapd/daemon.c
index 18923d81..51ed295d 100644
--- a/rpcapd/daemon.c
+++ b/rpcapd/daemon.c
@@ -1574,17 +1574,17 @@ daemon_AuthUserPwd(char *username, char *password, char *errbuf)
 /*
 * Make sure that the reply length won't overflow 32 bits if we add the
 * specified amount to it. If it won't, add that amount to it.
+ *
+ * We check whether replylen + itemlen > UINT32_MAX, but subtract itemlen
+ * from both sides, to prevent overflow.
 */
-#define CHECK_AND_INCREASE_REPLY_LEN(itemlen) { \
- size_t replylen_before = replylen; \
-\
- replylen += (uint32)(itemlen); \
- if (replylen < replylen_before) { \
+#define CHECK_AND_INCREASE_REPLY_LEN(itemlen) \
+ if (replylen > UINT32_MAX - (itemlen)) { \
 pcap_strlcpy(errmsgbuf, "Reply length doesn't fit in 32 bits", \
 sizeof (errmsgbuf)); \
 goto error; \
 } \
-}
+ replylen += (uint32)(itemlen);
 
 static int
 daemon_msg_findallif_req(uint8 ver, struct daemon_slpars *pars, uint32 plen)
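Review bot: The new guard `replylen > UINT32_MAX - (itemlen)` is only sound while `itemlen` itself is no larger than UINT32_MAX, and nothing in the macro enforces that. The call sites are outside this hunk, but if any of them passes a wider value (for example a `size_t` string length on a 64-bit build), the subtraction wraps in the wider type, the comparison is false, and the `(uint32)(itemlen)` cast on the last line adds a truncated length. Rejecting the oversized item first would close that: `if ((itemlen) > UINT32_MAX || replylen > UINT32_MAX - (itemlen)) { \`. Separately, the macro now expands to two statements with no enclosing braces and evaluates `itemlen` twice, so it is only safe as a full statement inside a braced block with a side-effect-free argument; wrapping the body in `do { ... } while (0)` and dropping the trailing semicolon would make it behave as a single statement again.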