From 0f12e6d5bb325df4eb9273b1e294a2cf94a53120 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Tue, 28 May 2024 12:25:57 +0200 Subject: [PATCH 1/1] ping: check return value of write() to avoid integer overflow Error: INTEGER_OVERFLOW (CWE-190): iputils-20240117/ping/ping.h:291: tainted_data_return: Called function "write(1, str + o, len - o)", and a possible return value may be less than zero. iputils-20240117/ping/ping.h:291: assign: Assigning: "cc" = "write(1, str + o, len - o)". iputils-20240117/ping/ping.h:292: overflow: The expression "o += cc" might be negative, but is used in a context that treats it as unsigned. iputils-20240117/ping/ping.h:291: overflow: The expression "len - o" is deemed underflowed because at least one of its arguments has underflowed. iputils-20240117/ping/ping.h:291: overflow_sink: "len - o", which might have underflowed, is passed to "write(1, str + o, len - o)". 289| ssize_t cc; 290| do { 291|-> cc = write(STDOUT_FILENO, str + o, len - o); 292| o += cc; 293| } while (len > o || cc < 0); Closes: https://github.com/iputils/iputils/pull/545 Reviewed-by: Petr Vorel Reviewed-by: Cyril Hrubis Signed-off-by: Jan Macku Reference:https://github.com/iputils/iputils/commit/0f12e6d5bb325df4eb9273b1e294a2cf94a53120 Conflict:NA
---
 ping/ping.h | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/ping/ping.h b/ping/ping.h
index 98d035d..3e2e3c3 100644
--- a/ping/ping.h
+++ b/ping/ping.h
@@ -290,8 +290,12 @@ static inline void write_stdout(const char *str, size_t len)
 ssize_t cc;
 do {
 cc = write(STDOUT_FILENO, str + o, len - o);
- o += cc;
- } while (len > o || cc < 0);
+
+ if (cc < 0)
+ break;
+
+ o += (size_t) cc;
+ } while (len > o);
 }
 /*
-- 2.33.0
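Review bot: The added `if (cc < 0) break;` ends the loop on every write() failure, including a transient EINTR, so the unwritten remainder of `str` is dropped silently and the void function gives its caller no sign of it. The old condition `len > o || cc < 0` kept looping after an error (through the unsigned wrap this commit removes), so this is a behaviour change as well as an overflow fix. If ping's signal handlers are installed without SA_RESTART (not visible here), consider retrying that one case with `if (cc < 0) { if (errno == EINTR) continue; break; }`, which assumes `<errno.h>` is already included by ping.h. The declaration of `o` and the function's opening brace are outside the hunk.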