This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



[PATCH] Check for overflow in __alloc_dir


In __alloc_dir in sysdeps/posix/opendir.c, the st_blksize member can contain a large value from a source which is not necessarily trusted. Therefore, we should check that the addition does not overflow and fall back to default_allocation in that case.

Built and regression-tested on x86_64-redhat-linux-gnu. This is difficult to test because it requires file system support.

--
Florian Weimer / Red Hat Product Security Team
2012-10-11  Florian Weimer  <fweimer@redhat.com>

	* sysdeps/posix/opendir.c (__alloc_dir): Check for overflow in
	size calculation.

From 50bf1c9ec9c65ba257b9ebf8639e572a01a70cf2 Mon Sep 17 00:00:00 2001
From: Florian Weimer <fweimer@redhat.com>
Date: Thu, 11 Oct 2012 16:46:01 +0200
Subject: [PATCH] __alloc_dir: check for integer overflow in malloc argument

---
 sysdeps/posix/opendir.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/sysdeps/posix/opendir.c b/sysdeps/posix/opendir.c
index e093142..b056ee3 100644
--- a/sysdeps/posix/opendir.c
+++ b/sysdeps/posix/opendir.c
@@ -1,5 +1,4 @@
-/* Copyright (C) 1991-1996,98,2000-2003,2005,2007,2009,2011
-   Free Software Foundation, Inc.
+/* Copyright (C) 1991-2012 Free Software Foundation, Inc.
    This file is part of the GNU C Library.
 
    The GNU C Library is free software; you can redistribute it and/or
@@ -193,7 +192,12 @@ __alloc_dir (int fd, bool close_fd, int flags, const struct stat64 *statp)
   size_t allocation = default_allocation;
 #ifdef _STATBUF_ST_BLKSIZE
   if (statp != NULL && default_allocation < statp->st_blksize)
-    allocation = statp->st_blksize;
+    {
+      allocation = statp->st_blksize;
+      /* This checks for overflow in the malloc argument below.  */
+      if (sizeof (DIR) + allocation < sizeof (DIR))
+	allocation = default_allocation;
+    }
 #endif
 
   DIR *dirp = (DIR *) malloc (sizeof (DIR) + allocation);
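
Review bot: the guard `if (sizeof (DIR) + allocation < sizeof (DIR))` only rejects st_blksize values that make the sum wrap around size_t, so a value just below that threshold still reaches `malloc (sizeof (DIR) + allocation)` as a near-maximal request. Since the block size is described as coming from a source that is not necessarily trusted, consider clamping allocation to a fixed upper bound instead of testing for wrap-around alone, and perform the test before the assignment (for example by comparing statp->st_blksize against SIZE_MAX - sizeof (DIR)) so that allocation never holds the rejected value. The new comment would also be more useful if it said why st_blksize can be arbitrarily large, not only that the malloc argument could overflow.
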
-- 
1.7.11.7

