Date: Wed, 08 Jul 2009 17:05:44 -0700
From: Xin LI <delphij@delphij.net>
To: d@delphij.net
Cc: rrl <endian.sign@gmail.com>, freebsd-security@freebsd.org, rea-fbsd@codelabs.ru
Subject: Re: gzip memory corruption
Message-ID: <4A553458.70005@delphij.net>
In-Reply-To: <4A553080.5060205@delphij.net>
References: <20090708193339.GA4836@minerva.freedsl.mg> <qbNi6WaraP%2BYYd65ZtihTj0ewks@BpFm1zkZmHABxHH1eUOcQSRoWTc> <4A553080.5060205@delphij.net>
Hi,

Xin LI wrote:
> Eygene Ryabinkin wrote:
>> Wed, Jul 08, 2009 at 10:33:39PM +0300, rrl wrote:
>>> I run FreeBSD 7.2 and gzip doesn't handle a long suffix name correctly
>>> with the -S option.
>>>> gzip -S `perl -e 'print "A"x1200'` dummy_file
>>> Memory fault (core dumped)
>>>
>>> The offending code lies in the function file_compress:
>>>> /* Add (usually) .gz to filename */
>>>> if ((size_t)snprintf(outfile, outsize, "%s%s",
>>>> file, suffixes[0].zipped) >= outsize)
>>>> memcpy(outfile - suffixes[0].ziplen - 1,
>>>> suffixes[0].zipped, suffixes[0].ziplen + 1);
>> The memcpy() call looks like complete madness: it will write before
>> the beginning of the 'outfile', so it will be a buffer underflow in any
>> case (unless I am terribly mistaken and missing some obvious point).
>
>> I'd change the above code to warn and return if snprintf will discard
>> some trailing characters; the patch is attached.

I have attached another possible fix, which catches the problem when
parsing the command line. The point is that, I think, we really want to
catch bad input as early as possible.

If there are no objections I would request approval from re@.

Cheers,
--
Xin LI <delphij@delphij.net> http://www.delphij.net/
FreeBSD - The Power to Serve!

Attachment: gzip.c-S-underflow.diff

Index: gzip.c =================================================================== --- gzip.c (版本 195435) +++ gzip.c (工作副本)
@@ -372,6 +372,8 @@ case 'S': len = strlen(optarg); if (len != 0) { + if (len >= PATH_MAX) + errx(1, "incorrect suffix: '%s'", optarg); suffixes[0].zipped = optarg; suffixes[0].ziplen = len; } else { --------------010401030701030109000706--
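Review bot: the new check `if (len >= PATH_MAX)` bounds only the suffix, while the condition quoted from file_compress() is `snprintf(outfile, outsize, "%s%s", file, suffixes[0].zipped) >= outsize`, i.e. file name plus suffix plus the terminating NUL; a suffix shorter than PATH_MAX combined with a long enough file name still takes that branch and reaches `memcpy(outfile - suffixes[0].ziplen - 1, ...)`, which writes before outfile. Rejecting an oversized -S argument in the option parser is a good early gate, but it does not make file_compress() safe on its own; the memcpy() there should also go (Eygene's warn-and-return), so the two patches are complementary rather than alternatives. As a style point, the message `"incorrect suffix: '%s'"` would be clearer as "suffix too long", and it also echoes up to PATH_MAX bytes of the user's argument back into the error line.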
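The defect discussed in this thread is the combination of an snprintf() truncation check with a memcpy() that "repairs" the name by writing before the start of the buffer. The following is an added example, not code from gzip.c or from either patch in the thread, showing the shape both posters are arguing for: reject an oversized -S suffix at option parsing, and in the name-building routine treat the snprintf() return value purely as a length check and fail instead of patching memory. The function names, the 1024-byte output buffer and the sample inputs are constructed for the illustration.

```c
/* Added example (not gzip.c and not the patches in this thread).
 * Demonstrates the safe handling of a "<file><suffix>" name build:
 * the snprintf() return value is used to detect truncation and the
 * caller is told to fail, with no write ever outside the buffer.
 * All names, sizes and inputs below are constructed for the demo. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Output buffer size for the demo, chosen small enough that the
 * 1200-byte suffix from the bug report cannot fit (constructed). */
#define OUTSIZE 1024

/* Early check at option parsing, in the spirit of the attached patch:
 * a suffix that could never fit in a bufsize buffer next to at least a
 * one-character file name is rejected up front. Returns 0 if acceptable,
 * -1 otherwise. An empty suffix is rejected too. */
int check_suffix(const char *suffix, size_t bufsize)
{
    size_t len = strlen(suffix);

    /* need room for: one character of file name + suffix + NUL */
    if (len == 0 || len + 2 > bufsize)
        return -1;
    return 0;
}

/* Build "<file><suffix>" into outfile[outsize].
 * Returns 0 on success; -1 with errno = ENAMETOOLONG when the result
 * would have been truncated. On failure outfile holds a truncated but
 * NUL-terminated string and must not be used as a path. */
int build_outfile(char *outfile, size_t outsize,
                  const char *file, const char *suffix)
{
    int n = snprintf(outfile, outsize, "%s%s", file, suffix);

    if (n < 0) {                 /* encoding error from snprintf() */
        errno = EINVAL;
        return -1;
    }
    if ((size_t)n >= outsize) {  /* snprintf() reports it did not fit */
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

/* Helper for exercising build_outfile() with a chosen logical size;
 * the real storage is always OUTSIZE bytes, so outsize is capped. */
int fits(const char *file, const char *suffix, size_t outsize)
{
    char buf[OUTSIZE];

    if (outsize > sizeof buf)
        return -1;
    return build_outfile(buf, outsize, file, suffix);
}

/* Constructed demonstration of the report's input: ".gz" succeeds,
 * the 1200-byte suffix is refused instead of corrupting memory.
 * Returns 1 when both outcomes are as expected, 0 otherwise. */
int demo(void)
{
    char outfile[OUTSIZE];
    char longsuffix[1201];
    int ok, bad;

    memset(longsuffix, 'A', 1200);   /* perl -e 'print "A"x1200' */
    longsuffix[1200] = '\0';

    ok = build_outfile(outfile, sizeof outfile, "dummy_file", ".gz");
    bad = build_outfile(outfile, sizeof outfile, "dummy_file", longsuffix);

    return ok == 0 && bad == -1 && errno == ENAMETOOLONG
        && check_suffix(longsuffix, OUTSIZE) == -1;
}

int main(void)
{
    printf("%s\n", demo() ? "long suffix rejected safely"
                          : "unexpected result");
    return 0;
}
```

The point of the two layers is that check_suffix() catches the bad argument early, as the attached patch does, while build_outfile() remains correct for any file name length, which the option-parser check alone cannot guarantee.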