File U_12-Protect-against-overflow-of-size_valp.patch of Package slurm.32313

From: Tim Wickberg <tim@schedmd.com>
Date: Tue Nov 28 23:20:13 2023 -0700
Subject: [PATCH 12/28] Protect against overflow of size_valp.
Patch-mainline: Upstream
Git-repo: https://github.com/SchedMD/slurm
Git-commit: 12e202a7ce19953236e872f2a0e9c1672f876671
References: bsc#1218046, bsc#1218050, bsc#1218051, bsc#1218053
Signed-off-by: Egbert Eich <eich@suse.de>

Since we want to NULL-terminate the array, we need to ensure *size_valp is
not 0xffffffff as the + 1 would wrap to 0. The allocation would succeed,
and then we'd NULL-dereference immediately in the for loop and crash.

MAX_PACK_MEM_LEN is somewhat arbitrary, but sufficient for this check.

CVE-2023-49936.

# Conflicts:
#	NEWS
#	src/common/pack.c
---
 NEWS              | 1 +
 src/common/pack.c | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/NEWS b/NEWS
index ad93b88d53..b8902e238b 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,7 @@ documents those changes that are of interest to users and administrators.
 
 * Backported changes
 ====================
+ -- Prevent NULL pointer dereference on size_valp overflow. CVE-2023-49936.
  -- Prevent double-xfree() on error in _unpack_node_reg_resp(). CVE-2023-49937.
  -- Fix filesystem handling race conditions that could lead to an attacker
     taking control of an arbitrary file, or removing entire directories'
diff --git a/src/common/pack.c b/src/common/pack.c
index 53662442b5..a5c9ac1d91 100644
--- a/src/common/pack.c
+++ b/src/common/pack.c
@@ -1087,7 +1087,7 @@ int unpackstr_array(char ***valp, uint32_t * size_valp, Buf buffer)
 	if (*size_valp > MAX_ARRAY_LEN_MEDIUM) {
 		error("%s: Buffer to be unpacked is too large (%u > %u)",
 		      __func__, *size_valp, MAX_ARRAY_LEN_MEDIUM);
-		return SLURM_ERROR;
+		goto unpack_error;
 	}
 
 	safe_xcalloc(*valp, *size_valp + 1, sizeof(char *));
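Review bot: The only functional change in this hunk is the error path, `return SLURM_ERROR;` becoming `goto unpack_error;`, while the bound check `if (*size_valp > MAX_ARRAY_LEN_MEDIUM)` is already present in the context lines, so please confirm that the `unpack_error` label (not shown in the hunk) resets `*valp` to NULL and `*size_valp` to 0; otherwise a caller that proceeds after an error could still see the oversized count. The commit message names `MAX_PACK_MEM_LEN` as the limit, but this backport compares against `MAX_ARRAY_LEN_MEDIUM`; a one-line note in the message that the backport keeps the existing limit would avoid confusion when auditing the fix against upstream. As long as that constant is below `UINT32_MAX`, the `*size_valp + 1` passed to `safe_xcalloc()` cannot wrap, which is the property the CVE description relies on.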