svn commit: r205654 - head/contrib/cpio/lib
Xin LI
delphij at FreeBSD.org
Thu Mar 25 20:02:54 UTC 2010
Author: delphij
Date: Thu Mar 25 20:02:54 2010
New Revision: 205654
URL: http://svn.freebsd.org/changeset/base/205654
Log:
The rmt client in GNU cpio could have a heap overflow when a malicious
remote tape service returns deliberately crafted packets containing
more data than requested.
Fix this by checking the returned amount of data and bail out when it
is more than what we requested.
PR: gnu/145010
Submitted by: naddy
Reviewed by: imp
MFC after: immediately
Security: CVE-2010-0624
Modified:
head/contrib/cpio/lib/rtapelib.c
Modified: head/contrib/cpio/lib/rtapelib.c
==============================================================================
--- head/contrib/cpio/lib/rtapelib.c Thu Mar 25 17:51:05 2010 (r205653)
+++ head/contrib/cpio/lib/rtapelib.c Thu Mar 25 20:02:54 2010 (r205654)
@@ -570,7 +570,8 @@ rmt_read__ (int handle, char *buffer, si
sprintf (command_buffer, "R%lu\n", (unsigned long) length);
if (do_command (handle, command_buffer) == -1
- || (status = get_status (handle)) == SAFE_READ_ERROR)
+ || (status = get_status (handle)) == SAFE_READ_ERROR
+ || status > length)
return SAFE_READ_ERROR;
for (counter = 0; counter < status; counter += rlen, buffer += rlen)
More information about the svn-src-all
mailing list