From owner-svn-src-head@FreeBSD.ORG Thu Mar 25 20:02:54 2010 Return-Path: Delivered-To: svn-src-head@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6DD30106564A; Thu, 25 Mar 2010 20:02:54 +0000 (UTC) (envelope-from delphij@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 5D22A8FC17; Thu, 25 Mar 2010 20:02:54 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id o2PK2sZO022901; Thu, 25 Mar 2010 20:02:54 GMT (envelope-from delphij@svn.freebsd.org) Received: (from delphij@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id o2PK2sJm022899; Thu, 25 Mar 2010 20:02:54 GMT (envelope-from delphij@svn.freebsd.org) Message-Id: <201003252002.o2PK2sJm022899@svn.freebsd.org> From: Xin LI Date: Thu, 25 Mar 2010 20:02:54 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r205654 - head/contrib/cpio/lib X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 25 Mar 2010 20:02:54 -0000 Author: delphij Date: Thu Mar 25 20:02:54 2010 New Revision: 205654 URL: http://svn.freebsd.org/changeset/base/205654 Log: The rmt client in GNU cpio could have a heap overflow when a malicious remote tape service returns deliberately crafted packets containing more data than requested. Fix this by checking the returned amount of data and bail out when it is more than what we requested. PR: gnu/145010 Submitted by: naddy Reviewed by: imp MFC after: immediately Security: CVE-2010-0624 Modified: head/contrib/cpio/lib/rtapelib.c Modified: head/contrib/cpio/lib/rtapelib.c ============================================================================== --- head/contrib/cpio/lib/rtapelib.c Thu Mar 25 17:51:05 2010 (r205653) +++ head/contrib/cpio/lib/rtapelib.c Thu Mar 25 20:02:54 2010 (r205654) @@ -570,7 +570,8 @@ rmt_read__ (int handle, char *buffer, si sprintf (command_buffer, "R%lu\n", (unsigned long) length); if (do_command (handle, command_buffer) == -1 - || (status = get_status (handle)) == SAFE_READ_ERROR) + || (status = get_status (handle)) == SAFE_READ_ERROR + || status > length) return SAFE_READ_ERROR; for (counter = 0; counter < status; counter += rlen, buffer += rlen)