Date: Thu, 25 Mar 2010 20:02:54 +0000 (UTC) From: Xin LI <delphij@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r205654 - head/contrib/cpio/lib Message-ID: <201003252002.o2PK2sJm022899@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: delphij Date: Thu Mar 25 20:02:54 2010 New Revision: 205654 URL: http://svn.freebsd.org/changeset/base/205654 Log: The rmt client in GNU cpio could have a heap overflow when a malicious remote tape service returns deliberately crafted packets containing more data than requested. Fix this by checking the returned amount of data and bail out when it is more than what we requested. PR: gnu/145010 Submitted by: naddy Reviewed by: imp MFC after: immediately Security: CVE-2010-0624 Modified: head/contrib/cpio/lib/rtapelib.c Modified: head/contrib/cpio/lib/rtapelib.c ============================================================================== --- head/contrib/cpio/lib/rtapelib.c Thu Mar 25 17:51:05 2010 (r205653) +++ head/contrib/cpio/lib/rtapelib.c Thu Mar 25 20:02:54 2010 (r205654) @@ -570,7 +570,8 @@ rmt_read__ (int handle, char *buffer, si sprintf (command_buffer, "R%lu\n", (unsigned long) length); if (do_command (handle, command_buffer) == -1 - || (status = get_status (handle)) == SAFE_READ_ERROR) + || (status = get_status (handle)) == SAFE_READ_ERROR + || status > length) return SAFE_READ_ERROR; for (counter = 0; counter < status; counter += rlen, buffer += rlen)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201003252002.o2PK2sJm022899>