Date: Tue, 24 Aug 2021 18:29:18 GMT
From: Gordon Tetlow <gordon@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject: git: c8a2cc4ba845 - releng/13.0 - Fix remote code execution in ggatec(8).
Message-ID: <202108241829.17OITI1p023924@gitrepo.freebsd.org>
The branch releng/13.0 has been updated by gordon: URL: https://cgit.FreeBSD.org/src/commit/?id=c8a2cc4ba845333c122fb6d86ee7430a01cc397e commit c8a2cc4ba845333c122fb6d86ee7430a01cc397e Author: Gordon Tetlow <gordon@FreeBSD.org> AuthorDate: 2021-08-24 17:37:45 +0000 Commit: Gordon Tetlow <gordon@FreeBSD.org> CommitDate: 2021-08-24 17:37:45 +0000 Fix remote code execution in ggatec(8). Approved by: so Security: SA-21:14.ggatec Security: CVE-2021-29630 --- sbin/ggate/ggatec/ggatec.c | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/sbin/ggate/ggatec/ggatec.c b/sbin/ggate/ggatec/ggatec.c index 45a93c4512fe..0695dae0dca2 100644 --- a/sbin/ggate/ggatec/ggatec.c +++ b/sbin/ggate/ggatec/ggatec.c @@ -145,7 +145,21 @@ send_thread(void *arg __unused) case BIO_WRITE: hdr.gh_cmd = GGATE_CMD_WRITE; break; + default: + g_gate_log(LOG_NOTICE, "Unknown gctl_cmd: %i", ggio.gctl_cmd); + ggio.gctl_error = EOPNOTSUPP; + g_gate_ioctl(G_GATE_CMD_DONE, &ggio); + continue; + } + + /* Don't send requests for more data than we can handle the response for! */ + if (ggio.gctl_length > MAXPHYS) { + g_gate_log(LOG_ERR, "Request too big: %zd", ggio.gctl_length); + ggio.gctl_error = EOPNOTSUPP; + g_gate_ioctl(G_GATE_CMD_DONE, &ggio); + continue; } + hdr.gh_seq = ggio.gctl_seq; hdr.gh_offset = ggio.gctl_offset; hdr.gh_length = ggio.gctl_length; @@ -219,6 +233,12 @@ recv_thread(void *arg __unused) ggio.gctl_length = hdr.gh_length; ggio.gctl_error = hdr.gh_error; + /* Do not overflow our buffer if there is a bogus response. */ + if (ggio.gctl_length > (off_t) sizeof(buf)) { + g_gate_log(LOG_ERR, "Received too big response: %zd", ggio.gctl_length); + break; + } + if (ggio.gctl_error == 0 && ggio.gctl_cmd == GGATE_CMD_READ) { data = g_gate_recv(recvfd, ggio.gctl_data, ggio.gctl_length, MSG_WAITALL);
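Review bot: in the send_thread hunk, the "Request too big" log line prints ggio.gctl_length with %zd, but the recv_thread hunk compares the same field against (off_t) sizeof(buf), which suggests it is an off_t rather than a ssize_t. Where those types differ in width the format is mismatched; printing it as %jd with an (intmax_t) cast would be safe everywhere. The limit here is MAXPHYS while the receive side uses sizeof(buf); if buf is sized from MAXPHYS, using one expression in both checks would keep them from drifting apart. The added comment line also runs past 80 columns.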
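Review bot: in the recv_thread hunk, the new check only rejects ggio.gctl_length values above sizeof(buf), and the comparison is done in off_t, so a negative length would pass and reach g_gate_recv(). Please confirm that hdr.gh_length is an unsigned type, or also reject values below zero. The error path uses break, which leaves the receive loop without reporting the request back through G_GATE_CMD_DONE the way the send_thread hunk does; a short comment saying that a bogus response is deliberately treated as a broken connection would make that intent clear. The "Received too big response" message has the same %zd question as the send side.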