From: Xin LI
Date: Thu, 25 Mar 2010 20:07:30 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org
Subject: svn commit: r205655 - in stable: 6/contrib/cpio/lib 7/contrib/cpio/lib 8/contrib/cpio/lib

Author: delphij
Date: Thu Mar 25 20:07:30 2010
New Revision: 205655
URL: http://svn.freebsd.org/changeset/base/205655

Log:
  MFC r205654:

  The rmt client in GNU cpio could have a heap overflow when a malicious
  remote tape service returns deliberately crafted packets containing
  more data than requested.

  Fix this by checking the returned amount of data and bail out when it
  is more than what we requested.

  PR: gnu/145010
  Submitted by: naddy
  Reviewed by: imp
  Security: CVE-2010-0624

Modified:
  stable/8/contrib/cpio/lib/rtapelib.c
Directory Properties:
  stable/8/contrib/cpio/ (props changed)

Changes in other areas also in this revision:
Modified:
  stable/6/contrib/cpio/lib/rtapelib.c
  stable/7/contrib/cpio/lib/rtapelib.c
Directory Properties:
  stable/6/contrib/cpio/ (props changed)
  stable/7/contrib/cpio/ (props changed)

Modified: stable/8/contrib/cpio/lib/rtapelib.c
==============================================================================
--- stable/8/contrib/cpio/lib/rtapelib.c Thu Mar 25 20:02:54 2010 (r205654) +++ stable/8/contrib/cpio/lib/rtapelib.c Thu Mar 25 20:07:30 2010 (r205655) 
@@ -570,7 +570,8 @@ rmt_read__ (int handle, char *buffer, si sprintf (command_buffer, "R%lu\n", (unsigned long) length); if (do_command (handle, command_buffer) == -1 - || (status = get_status (handle)) == SAFE_READ_ERROR) + || (status = get_status (handle)) == SAFE_READ_ERROR + || status > length) return SAFE_READ_ERROR; for (counter = 0; counter < status; counter += rlen, buffer += rlen)
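
Review bot: The new `|| status > length` operand in `rmt_read__` compares two values whose declarations are outside the hunk, so confirm that `status` and `length` have compatible types; if one is signed and the other unsigned, the bound holds only through implicit conversion and deserves an explicit cast or a comment. The placement itself is right: the test runs after the `get_status (handle)` assignment and before the `for` loop that advances `buffer` by up to `status` bytes, so an oversized reply is rejected before anything is copied. Two suggestions: add a one-line comment stating that the count reported by the remote side must never exceed the `length` sent in the `R%lu` command, and consider whether this error path should also shut the connection down, since the visible lines return `SAFE_READ_ERROR` with the peer's unrequested data still unread on the handle, which would leave a later command on the same handle reading that payload as its status reply.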