From b629d0984206ad855cc0cb7e6a376c919f7bf366 Mon Sep 17 00:00:00 2001
From: Daniel Mack <zonque@gmail.com>
Date: Sat, 8 Mar 2014 14:18:48 +0100
Subject: [PATCH] sd-bus: check for potential integer overflow in
 KDBUS_ITEM_FOREACH()

For large values of item->size, the 'part' pointer can wrap around,
which results in an illegal pointer, but currently passes the for-loop
condition.
---
 src/libsystemd/sd-bus/bus-kernel.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/libsystemd/sd-bus/bus-kernel.h b/src/libsystemd/sd-bus/bus-kernel.h
index c4722cbac..a1e9691f1 100644
--- a/src/libsystemd/sd-bus/bus-kernel.h
+++ b/src/libsystemd/sd-bus/bus-kernel.h
@@ -31,7 +31,8 @@
 
 #define KDBUS_ITEM_FOREACH(part, head, first)                           \
         for (part = (head)->first;                                      \
-             (uint8_t *)(part) < (uint8_t *)(head) + (head)->size;      \
+             ((uint8_t *)(part) < (uint8_t *)(head) + (head)->size) &&  \
+                ((uint8_t *) part >= (uint8_t *) head);                 \
              part = KDBUS_ITEM_NEXT(part))
 
 #define KDBUS_ITEM_HEADER_SIZE offsetof(struct kdbus_item, data)
-- 
2.30.2