From owner-freebsd-security@FreeBSD.ORG Fri Jul 31 05:29:26 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4466A1065673 for ; Fri, 31 Jul 2009 05:29:26 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru) Received: from 0.mx.codelabs.ru (0.mx.codelabs.ru [144.206.177.45]) by mx1.freebsd.org (Postfix) with ESMTP id DF7418FC0C for ; Fri, 31 Jul 2009 05:29:25 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru) DomainKey-Signature: a=rsa-sha1; q=dns; c=simple; s=one; d=codelabs.ru; h=Received:Date:From:To:Cc:Subject:Message-ID:Reply-To:References:MIME-Version:Content-Type:Content-Disposition:In-Reply-To:Sender; b=N3KSaBiQmC62XJrV6cq9eYSxgy0wBU1aX8/u6+r/O1gzxBEljSGZnpmzrZVXDmhWiLrtECpnWQPk9ggsxrYmuE93Pv1VMPmQD+nh/0j7ZKymP/8EAzWyYxaX3BVkf0XHLLf4K2cNi+tdVoIJMOQ7eV1VFWlQ7WbXh4IR3zxrjVg=; Received: from amnesiac.at.no.dns (ppp91-78-117-58.pppoe.mtu-net.ru [91.78.117.58]) by 0.mx.codelabs.ru with esmtpsa (TLSv1:AES256-SHA:256) id 1MWkgF-0007pP-Uq; Fri, 31 Jul 2009 09:29:24 +0400 Date: Fri, 31 Jul 2009 09:29:21 +0400 From: Eygene Ryabinkin To: d@delphij.net Message-ID: <856ux8zhn21/d1hDLYeNjC7FQ1Y@xg9dzetjpj18poIU9mNsJ0TqP1U> References: <20090708193339.GA4836@minerva.freedsl.mg> <4A553080.5060205@delphij.net> <4A553458.70005@delphij.net> <4A7231A1.2050104@delphij.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4A7231A1.2050104@delphij.net> Sender: rea-fbsd@codelabs.ru Cc: rrl , freebsd-security@freebsd.org Subject: Re: gzip memory corruption X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: rea-fbsd@codelabs.ru List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 31 Jul 2009 05:29:26 -0000 Xin, good day. Thu, Jul 30, 2009 at 04:49:53PM -0700, Xin LI wrote: > Having checked with GNU's gzip, it looks like that they arbitrarily set > an upper limit of the suffix length to 30. This is unrelated to the > memcpy bug but let's address it here as well. My revised patch would > make the memcpy into a fatal errx, and reduce the allowed suffix length > to 30 to match GNU behavior. > > Please let me know if this version looks better, I'll propose it to re@ > and commit if they approved it. Yes, this patch looks much better, thanks! One thing: I would expand the error message here: > + if (len >= SUFFIX_MAXLEN) > + errx(1, "incorrect suffix: '%s'", optarg); say to > + errx(1, "incorrect suffix: '%s': too long", optarg); I will be better, since the reason of incorrectness will be stated: it is not very obvious why the suffix like '.barrhmumbojombofromthemightyuserwhoseemtogonecompletelymad' isn't acceptable ;)) -- Eygene _ ___ _.--. # \`.|\..----...-'` `-._.-'_.-'` # Remember that it is hard / ' ` , __.--' # to read the on-line manual )/' _/ \ `-_, / # while single-stepping the kernel. `-'" `"\_ ,_.-;_.-\_ ', fsc/as # _.-'_./ {_.' ; / # -- FreeBSD Developers handbook {_.-``-' {_/ #