From ae7ce1723d2155a6c34ce17a901b61bfbcdfd746 Mon Sep 17 00:00:00 2001
From: Moe Jette <jette1@llnl.gov>
Date: Sat, 1 Jan 2011 18:59:49 +0000
Subject: [PATCH] Patch from Gerrit: 04_hostlist__hostrange_numstr.diff

hostrange_numstr(): overflow cases

This checks hostrange_numstr() for overflow cases:
 * requires n > dims (if dims=1, min 1 digit, else dim + '\0' digits);
   - this precondition simplifies many subsequent checks and
   - addresses if (len == n) then len++ means buf[len] = buf[n];
 * also checks return value of the snprintfs.
---
 src/common/hostlist.c | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/src/common/hostlist.c b/src/common/hostlist.c
index 80e84d31451..2a447a12a6e 100644
--- a/src/common/hostlist.c
+++ b/src/common/hostlist.c
@@ -1210,6 +1210,8 @@ static size_t hostrange_numstr(hostrange_t hr, size_t n, char *buf)
 
 	if (hr->singlehost || n == 0)
 		return 0;
+	if (n <= dims)
+		return -1;
 
 	if ((dims > 1) && (hr->width == dims)) {
 		int i2 = 0;
@@ -1217,16 +1219,18 @@ static size_t hostrange_numstr(hostrange_t hr, size_t n, char *buf)
 
 		hostlist_parse_int_to_array(hr->lo, coord, dims, 0);
 
-		for (i2 = 0; i2 < dims; i2++) {
-			if (len <= n)
-				buf[len++] = alpha_num[coord[i2]];
-		}
+		while (i2 < dims)
+			buf[len++] = alpha_num[coord[i2++]];
 		buf[len] = '\0';
 	} else {
 		len = snprintf(buf, n, "%0*lu", hr->width, hr->lo);
+		if (len < 0 || len >= n)
+			return -1;
 	}
 
-	if ((len >= 0) && (len < n) && (hr->lo < hr->hi)) {
+	if (hr->lo < hr->hi) {
+		if (n < len + dims + 2)	/* '-' plus 'dims' digits, plus '\0' */
+			return -1;
 		if ((dims > 1) && (hr->width == dims)) {
 			int i2 = 0;
 			int coord[dims];
@@ -1234,18 +1238,14 @@ static size_t hostrange_numstr(hostrange_t hr, size_t n, char *buf)
 			hostlist_parse_int_to_array(hr->hi, coord, dims, 0);
 
 			buf[len++] = '-';
-			for (i2 = 0; i2 < dims; i2++) {
-				if (len <= n)
-					buf[len++] = alpha_num[coord[i2]];
-			}
+			while (i2 < dims)
+				buf[len++] = alpha_num[coord[i2++]];
 			buf[len] = '\0';
 		} else {
 			int len2 = snprintf(buf + len, n - len, "-%0*lu",
 					    hr->width, hr->hi);
-			if (len2 < 0)
-				len = -1;
-			else
-				len += len2;
+			if (len2 < 0 || (len += len2) >= n)
+				return -1;
 		}
 	}
 
-- 
GitLab