From owner-freebsd-security@FreeBSD.ORG Fri Jul 31 06:52:10 2009
Date: Fri, 31 Jul 2009 10:52:06 +0400
From: Eygene Ryabinkin
Reply-To: rea-fbsd@codelabs.ru
To: d@delphij.net
Cc: rrl, freebsd-security@freebsd.org
Subject: Re: gzip memory corruption
In-Reply-To: <4A72846B.60604@delphij.net>
References: <20090708193339.GA4836@minerva.freedsl.mg> <4A553080.5060205@delphij.net> <4A553458.70005@delphij.net> <4A7231A1.2050104@delphij.net> <856ux8zhn21/d1hDLYeNjC7FQ1Y@xg9dzetjpj18poIU9mNsJ0TqP1U> <4A72846B.60604@delphij.net>
List-Id: "Security issues [members-only posting]"

Xin,

Thu, Jul 30, 2009 at 10:43:07PM -0700, Xin LI wrote:
> After talking with Matthew Green (the author of NetBSD) it seems that it
> would be more reasonable to fix the bug itself than breaking upon
> receipt. Here is the patch.

You'll probably want to check that (outsize - suffixes[0].ziplen - 1) is
greater than zero. Like this:
-----
if ((size_t)snprintf(outfile, outsize, "%s%s", file, suffixes[0].zipped) >= outsize) {
	/* The name was truncated: put the suffix back at the very end of the
	 * buffer. Check the sizes before subtracting, so a buffer shorter than
	 * the suffix plus NUL cannot underflow the size_t offset. */
	if (outsize > suffixes[0].ziplen + 1) {
		size_t sfx_start = outsize - suffixes[0].ziplen - 1;
		/* ziplen + 1 copies the terminating NUL as well */
		memcpy(outfile + sfx_start, suffixes[0].zipped, suffixes[0].ziplen + 1);
	} else {
		errx(1, "Can't insert suffix: name buffer is too short");
	}
}
-----
Just now we can guarantee that 'outsize' will fit any suffix because of
the suffix length check, but when Someone (TM) modifies the code, this
could no longer be true and a bug will arise again. So it is better to
check this locally and fail loudly if we can't make it happen.

I should say that transforming the "/long-path/foo.gz" (that is expected)
into "/long-path/f.gz" isn't quite obvious for the end-user. But if the
absence of such a transformation will break anything that relies on this
behaviour (I can't think about any usages of this behaviour, but who
knows), then the code should keep it. What were Matthew's arguments for
keeping the old behaviour?
-- 
Eygene
 Remember that it is hard to read the on-line manual
 while single-stepping the kernel.
   -- FreeBSD Developers handbook
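The truncation handling discussed in this thread, written out as an added, stand-alone C example (it is not part of the e-mail above and not gzip's own code): the output name is built with a bounded snprintf, and when it does not fit, the suffix is re-inserted at the end of the buffer only after checking that the buffer can hold at least one name byte, the suffix and the NUL. The function name build_outfile, the name_result codes, the build_into/last_name helpers and the plain suffix string (standing in for gzip's suffixes[] table) are all assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Outcome of building an output file name (constructed for this example). */
enum name_result {
    NAME_OK = 0,         /* name fit in the buffer unchanged            */
    NAME_TRUNCATED = 1,  /* name was cut, suffix re-inserted at the end */
    NAME_TOO_SHORT = -1  /* buffer cannot hold even "x" + suffix + NUL  */
};

/*
 * Append `suffix` to `file`, writing at most `outsize` bytes (NUL included)
 * into `outfile`. On truncation keep the suffix intact at the end of the
 * buffer, as the patch in the thread does, but validate the sizes *before*
 * subtracting: with size_t arithmetic, outsize - ziplen - 1 on a too-small
 * buffer would wrap to a huge offset instead of going negative.
 */
enum name_result
build_outfile(char *outfile, size_t outsize, const char *file, const char *suffix)
{
    size_t ziplen = strlen(suffix);

    if (outsize == 0)
        return NAME_TOO_SHORT;

    /* snprintf returns the length the full name would have had. */
    if ((size_t)snprintf(outfile, outsize, "%s%s", file, suffix) < outsize)
        return NAME_OK;

    /* Truncated: need room for one name byte, the suffix and the NUL. */
    if (outsize <= ziplen + 1)
        return NAME_TOO_SHORT;

    size_t sfx_start = outsize - ziplen - 1;
    memcpy(outfile + sfx_start, suffix, ziplen + 1); /* copies the NUL too */
    return NAME_TRUNCATED;
}

/* Helpers for the demo: build into a scratch buffer of `outsize` bytes
 * (capped at the scratch size) and expose the resulting name. */
static char scratch[64];

enum name_result
build_into(size_t outsize, const char *file, const char *suffix)
{
    if (outsize > sizeof scratch)
        outsize = sizeof scratch;
    return build_outfile(scratch, outsize, file, suffix);
}

const char *
last_name(void)
{
    return scratch;
}

int
main(void)
{
    /* Constructed inputs: the 16-byte case reproduces the
     * "/long-path/foo.gz" -> "/long-path/f.gz" transformation from the thread. */
    const char *files[] = { "foo", "/long-path/foo", "foo", "foo" };
    size_t sizes[] = { 16, 16, 5, 4 };

    for (int i = 0; i < 4; i++) {
        enum name_result r = build_into(sizes[i], files[i], ".gz");
        printf("%-15s size %2zu -> %2d %s\n", files[i], sizes[i], (int)r,
               r == NAME_TOO_SHORT ? "(buffer too short)" : last_name());
    }
    return 0;
}
```

The check that matters is the `outsize <= ziplen + 1` comparison placed before the subtraction; it is the unsigned-safe form of the "greater than zero" test suggested in the e-mail, and it keeps the memcpy within the buffer no matter how a future caller sizes it.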