From 2183683bd633818dd031b090b5530951de76f392 Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Wed, 11 Feb 2015 10:27:57 +0100
Subject: Use inline functions to convert buffer data to scalars.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* common/host2net.h (buf16_to_ulong, buf16_to_uint): New.
(buf16_to_ushort, buf16_to_u16): New.
(buf32_to_size_t, buf32_to_ulong, buf32_to_uint, buf32_to_u32): New.
--
Commit 91b826a38880fd8a989318585eb502582636ddd8 was not enough to avoid all sign extension on shift problems. Hanno Böck found a case with an invalid read due to this problem. To fix that once and for all almost all uses of "<< 24" and "<< 8" are changed by this patch to use an inline function from host2net.h.
Signed-off-by: Werner Koch
---
 kbx/keybox-update.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
(limited to 'kbx/keybox-update.c')
diff --git a/kbx/keybox-update.c b/kbx/keybox-update.c
index 7b207a520..4b14b2f23 100644
--- a/kbx/keybox-update.c
+++ b/kbx/keybox-update.c
@@ -28,6 +28,7 @@
 #include "keybox-defs.h"
 #include "../common/sysutils.h"
+#include "../common/host2net.h"
 #define EXTSEP_S "."
@@ -734,8 +735,7 @@ keybox_compress (KEYBOX_HANDLE hd)
 buffer = _keybox_get_blob_image (blob, &length);
 if (length > 4 && buffer[4] == KEYBOX_BLOBTYPE_HEADER)
 {
- u32 last_maint = ((buffer[20] << 24) | (buffer[20+1] << 16)
- | (buffer[20+2] << 8) | (buffer[20+3]));
+ u32 last_maint = buf32_to_u32 (buffer+20);
 if ( (last_maint + 3*3600) > time (NULL) )
 {
@@ -811,7 +811,7 @@ keybox_compress (KEYBOX_HANDLE hd)
 rc = gpg_error (GPG_ERR_BUG);
 break;
 }
- blobflags = ((buffer[pos] << 8) | (buffer[pos+1]));
+ blobflags = buf16_to_uint (buffer+pos);
 if ((blobflags & KEYBOX_FLAG_BLOB_EPHEMERAL))
 {
 /* This is an ephemeral blob. */
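Review bot: In the `@@ -734,8 +735,7 @@` hunk, `buf32_to_u32 (buffer+20)` reads bytes 20..23 of the blob image, but the guard above it only establishes `length > 4`, so a header blob shorter than 24 bytes would still be read past its end. The inline helper removes the sign-extension problem but not this one. Unless `_keybox_get_blob_image` guarantees a minimum header size (not visible here), the condition should cover the read, e.g. `if (length >= 24 && buffer[4] == KEYBOX_BLOBTYPE_HEADER)`. keybox_compress starts and ends outside the hunk, so how a too-short header blob should then be handled has to be checked against the rest of the function.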
@@ -820,8 +820,7 @@ keybox_compress (KEYBOX_HANDLE hd)
 || size != 4)
 created_at = 0; /* oops. */
 else
- created_at = ((buffer[pos] << 24) | (buffer[pos+1] << 16)
- | (buffer[pos+2] << 8) | (buffer[pos+3]));
+ created_at = buf32_to_u32 (buffer+pos);
 if (created_at && created_at < cut_time)
 {
--
cgit v1.2.3
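Review bot: The fallback branch kept directly above the changed read, `created_at = 0; /* oops. */`, needs a real comment. With `created_at` zero the following `if (created_at && created_at < cut_time)` is false, so an ephemeral blob whose creation-time field cannot be located, or has a size other than 4, apparently never counts as older than `cut_time`. A comment such as `/* No usable timestamp; 0 keeps the blob from being treated as expired. */` would record whether that is intended, and if it is not, the case should be reported rather than silently skipped. The start of the condition and the body of the `if` lie outside the hunk.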