svn commit: r205655 - in stable: 6/contrib/cpio/lib
7/contrib/cpio/lib 8/contrib/cpio/lib
Xin LI
delphij at FreeBSD.org
Thu Mar 25 20:07:31 UTC 2010
Author: delphij
Date: Thu Mar 25 20:07:30 2010
New Revision: 205655
URL: http://svn.freebsd.org/changeset/base/205655
Log:
MFC r205654:
The rmt client in GNU cpio could have a heap overflow when a malicious
remote tape service returns deliberately crafted packets containing
more data than requested.
Fix this by checking the returned amount of data and bail out when it
is more than what we requested.
PR: gnu/145010
Submitted by: naddy
Reviewed by: imp
Security: CVE-2010-0624
Modified:
stable/7/contrib/cpio/lib/rtapelib.c
Directory Properties:
stable/7/contrib/cpio/ (props changed)
Changes in other areas also in this revision:
Modified:
stable/6/contrib/cpio/lib/rtapelib.c
stable/8/contrib/cpio/lib/rtapelib.c
Directory Properties:
stable/6/contrib/cpio/ (props changed)
stable/8/contrib/cpio/ (props changed)
Modified: stable/7/contrib/cpio/lib/rtapelib.c
==============================================================================
--- stable/7/contrib/cpio/lib/rtapelib.c Thu Mar 25 20:02:54 2010 (r205654)
+++ stable/7/contrib/cpio/lib/rtapelib.c Thu Mar 25 20:07:30 2010 (r205655)
@@ -570,7 +570,8 @@ rmt_read__ (int handle, char *buffer, si
sprintf (command_buffer, "R%lu\n", (unsigned long) length);
if (do_command (handle, command_buffer) == -1
- || (status = get_status (handle)) == SAFE_READ_ERROR)
+ || (status = get_status (handle)) == SAFE_READ_ERROR
+ || status > length)
return SAFE_READ_ERROR;
for (counter = 0; counter < status; counter += rlen, buffer += rlen)
More information about the svn-src-all
mailing list