svn commit: r225827 - head/sys/kern head/usr.bin/compress
head/usr.bin/gzip releng/7.3 releng/7.3/sys/conf
releng/7.3/sys/kern releng/7.3/usr.bin/compress
releng/7.3/usr.bin/gzip releng/7.4 releng/...
Bjoern A. Zeeb
bz at FreeBSD.org
Wed Sep 28 08:47:19 UTC 2011
Author: bz
Date: Wed Sep 28 08:47:17 2011
New Revision: 225827
URL: http://svn.freebsd.org/changeset/base/225827
Log:
Fix handling of corrupt compress(1)ed data. [11:04]
Add missing length checks on unix socket addresses. [11:05]
Approved by: so (cperciva)
Approved by: re (kensmith)
Security: FreeBSD-SA-11:04.compress
Security: CVE-2011-2895 [11:04]
Security: FreeBSD-SA-11:05.unix
Modified:
releng/7.3/UPDATING
releng/7.3/sys/conf/newvers.sh
releng/7.3/sys/kern/uipc_usrreq.c
releng/7.3/usr.bin/compress/zopen.c
releng/7.3/usr.bin/gzip/zuncompress.c
releng/7.4/UPDATING
releng/7.4/sys/conf/newvers.sh
releng/7.4/sys/kern/uipc_usrreq.c
releng/7.4/usr.bin/compress/zopen.c
releng/7.4/usr.bin/gzip/zuncompress.c
releng/8.1/UPDATING
releng/8.1/sys/conf/newvers.sh
releng/8.1/sys/kern/uipc_usrreq.c
releng/8.1/usr.bin/compress/zopen.c
releng/8.1/usr.bin/gzip/zuncompress.c
releng/8.2/UPDATING
releng/8.2/sys/conf/newvers.sh
releng/8.2/sys/kern/uipc_usrreq.c
releng/8.2/usr.bin/compress/zopen.c
releng/8.2/usr.bin/gzip/zuncompress.c
Changes in other areas also in this revision:
Modified:
head/sys/kern/uipc_usrreq.c
head/usr.bin/compress/zopen.c
head/usr.bin/gzip/zuncompress.c
stable/7/sys/kern/uipc_usrreq.c
stable/7/usr.bin/compress/zopen.c
stable/7/usr.bin/gzip/zuncompress.c
stable/8/sys/kern/uipc_usrreq.c
stable/8/usr.bin/compress/zopen.c
stable/8/usr.bin/gzip/zuncompress.c
stable/9/sys/kern/uipc_usrreq.c
stable/9/usr.bin/compress/zopen.c
stable/9/usr.bin/gzip/zuncompress.c
Modified: releng/7.3/UPDATING
==============================================================================
--- releng/7.3/UPDATING Wed Sep 28 08:19:45 2011 (r225826)
+++ releng/7.3/UPDATING Wed Sep 28 08:47:17 2011 (r225827)
@@ -8,6 +8,11 @@ Items affecting the ports and packages s
/usr/ports/UPDATING. Please read that file before running
portupgrade.
+20110928: p7 FreeBSD-SA-11:04.compress, FreeBSD-SA-11:05.unix
+ Fix handling of corrupt compress(1)ed data. [11:04]
+
+ Add missing length checks on unix socket addresses. [11:05]
+
20110528: p6 FreeBSD-SA-11:02.bind
Fix BIND remote DoS with large RRSIG RRsets and negative
caching.
Modified: releng/7.3/sys/conf/newvers.sh
==============================================================================
--- releng/7.3/sys/conf/newvers.sh Wed Sep 28 08:19:45 2011 (r225826)
+++ releng/7.3/sys/conf/newvers.sh Wed Sep 28 08:47:17 2011 (r225827)
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="7.3"
-BRANCH="RELEASE-p6"
+BRANCH="RELEASE-p7"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
Modified: releng/7.3/sys/kern/uipc_usrreq.c
==============================================================================
--- releng/7.3/sys/kern/uipc_usrreq.c Wed Sep 28 08:19:45 2011 (r225826)
+++ releng/7.3/sys/kern/uipc_usrreq.c Wed Sep 28 08:47:17 2011 (r225827)
@@ -395,6 +395,8 @@ uipc_bind(struct socket *so, struct sock
unp = sotounpcb(so);
KASSERT(unp != NULL, ("uipc_bind: unp == NULL"));
+ if (soun->sun_len > sizeof(struct sockaddr_un))
+ return (EINVAL);
namelen = soun->sun_len - offsetof(struct sockaddr_un, sun_path);
if (namelen <= 0)
return (EINVAL);
@@ -1141,6 +1143,8 @@ unp_connect(struct socket *so, struct so
unp = sotounpcb(so);
KASSERT(unp != NULL, ("unp_connect: unp == NULL"));
+ if (nam->sa_len > sizeof(struct sockaddr_un))
+ return (EINVAL);
len = nam->sa_len - offsetof(struct sockaddr_un, sun_path);
if (len <= 0)
return (EINVAL);
Modified: releng/7.3/usr.bin/compress/zopen.c
==============================================================================
--- releng/7.3/usr.bin/compress/zopen.c Wed Sep 28 08:19:45 2011 (r225826)
+++ releng/7.3/usr.bin/compress/zopen.c Wed Sep 28 08:47:17 2011 (r225827)
@@ -490,7 +490,7 @@ zread(void *cookie, char *rbp, int num)
block_compress = maxbits & BLOCK_MASK;
maxbits &= BIT_MASK;
maxmaxcode = 1L << maxbits;
- if (maxbits > BITS) {
+ if (maxbits > BITS || maxbits < 12) {
errno = EFTYPE;
return (-1);
}
@@ -517,17 +517,28 @@ zread(void *cookie, char *rbp, int num)
for (code = 255; code >= 0; code--)
tab_prefixof(code) = 0;
clear_flg = 1;
- free_ent = FIRST - 1;
- if ((code = getcode(zs)) == -1) /* O, untimely death! */
- break;
+ free_ent = FIRST;
+ oldcode = -1;
+ continue;
}
incode = code;
- /* Special case for KwKwK string. */
+ /* Special case for kWkWk string. */
if (code >= free_ent) {
+ if (code > free_ent || oldcode == -1) {
+ /* Bad stream. */
+ errno = EINVAL;
+ return (-1);
+ }
*stackp++ = finchar;
code = oldcode;
}
+ /*
+ * The above condition ensures that code < free_ent.
+ * The construction of tab_prefixof in turn guarantees that
+ * each iteration decreases code and therefore stack usage is
+ * bound by 1 << BITS - 256.
+ */
/* Generate output characters in reverse order. */
while (code >= 256) {
@@ -544,7 +555,7 @@ middle: do {
} while (stackp > de_stack);
/* Generate the new entry. */
- if ((code = free_ent) < maxmaxcode) {
+ if ((code = free_ent) < maxmaxcode && oldcode != -1) {
tab_prefixof(code) = (u_short) oldcode;
tab_suffixof(code) = finchar;
free_ent = code + 1;
Modified: releng/7.3/usr.bin/gzip/zuncompress.c
==============================================================================
--- releng/7.3/usr.bin/gzip/zuncompress.c Wed Sep 28 08:19:45 2011 (r225826)
+++ releng/7.3/usr.bin/gzip/zuncompress.c Wed Sep 28 08:47:17 2011 (r225827)
@@ -247,7 +247,7 @@ zread(void *cookie, char *rbp, int num)
zs->zs_block_compress = zs->zs_maxbits & BLOCK_MASK;
zs->zs_maxbits &= BIT_MASK;
zs->zs_maxmaxcode = 1L << zs->zs_maxbits;
- if (zs->zs_maxbits > BITS) {
+ if (zs->zs_maxbits > BITS || zs->zs_maxbits < 12) {
errno = EFTYPE;
return (-1);
}
@@ -259,13 +259,7 @@ zread(void *cookie, char *rbp, int num)
}
zs->zs_free_ent = zs->zs_block_compress ? FIRST : 256;
- zs->u.r.zs_finchar = zs->u.r.zs_oldcode = getcode(zs);
- if (zs->u.r.zs_oldcode == -1) /* EOF already? */
- return (0); /* Get out of here */
-
- /* First code must be 8 bits = char. */
- *bp++ = (u_char)zs->u.r.zs_finchar;
- count--;
+ zs->u.r.zs_oldcode = -1;
zs->u.r.zs_stackp = de_stack;
while ((zs->u.r.zs_code = getcode(zs)) > -1) {
@@ -275,17 +269,29 @@ zread(void *cookie, char *rbp, int num)
zs->u.r.zs_code--)
tab_prefixof(zs->u.r.zs_code) = 0;
zs->zs_clear_flg = 1;
- zs->zs_free_ent = FIRST - 1;
- if ((zs->u.r.zs_code = getcode(zs)) == -1) /* O, untimely death! */
- break;
+ zs->zs_free_ent = FIRST;
+ zs->u.r.zs_oldcode = -1;
+ continue;
}
zs->u.r.zs_incode = zs->u.r.zs_code;
/* Special case for KwKwK string. */
if (zs->u.r.zs_code >= zs->zs_free_ent) {
+ if (zs->u.r.zs_code > zs->zs_free_ent ||
+ zs->u.r.zs_oldcode == -1) {
+ /* Bad stream. */
+ errno = EINVAL;
+ return (-1);
+ }
*zs->u.r.zs_stackp++ = zs->u.r.zs_finchar;
zs->u.r.zs_code = zs->u.r.zs_oldcode;
}
+ /*
+ * The above condition ensures that code < free_ent.
+ * The construction of tab_prefixof in turn guarantees that
+ * each iteration decreases code and therefore stack usage is
+ * bound by 1 << BITS - 256.
+ */
/* Generate output characters in reverse order. */
while (zs->u.r.zs_code >= 256) {
@@ -302,7 +308,8 @@ middle: do {
} while (zs->u.r.zs_stackp > de_stack);
/* Generate the new entry. */
- if ((zs->u.r.zs_code = zs->zs_free_ent) < zs->zs_maxmaxcode) {
+ if ((zs->u.r.zs_code = zs->zs_free_ent) < zs->zs_maxmaxcode &&
+ zs->u.r.zs_oldcode != -1) {
tab_prefixof(zs->u.r.zs_code) = (u_short) zs->u.r.zs_oldcode;
tab_suffixof(zs->u.r.zs_code) = zs->u.r.zs_finchar;
zs->zs_free_ent = zs->u.r.zs_code + 1;
Modified: releng/7.4/UPDATING
==============================================================================
--- releng/7.4/UPDATING Wed Sep 28 08:19:45 2011 (r225826)
+++ releng/7.4/UPDATING Wed Sep 28 08:47:17 2011 (r225827)
@@ -8,6 +8,11 @@ Items affecting the ports and packages s
/usr/ports/UPDATING. Please read that file before running
portupgrade.
+20110928: p3 FreeBSD-SA-11:04.compress, FreeBSD-SA-11:05.unix
+ Fix handling of corrupt compress(1)ed data. [11:04]
+
+ Add missing length checks on unix socket addresses. [11:05]
+
20110528: p2 FreeBSD-SA-11:02.bind
Fix BIND remote DoS with large RRSIG RRsets and negative
caching.
Modified: releng/7.4/sys/conf/newvers.sh
==============================================================================
--- releng/7.4/sys/conf/newvers.sh Wed Sep 28 08:19:45 2011 (r225826)
+++ releng/7.4/sys/conf/newvers.sh Wed Sep 28 08:47:17 2011 (r225827)
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="7.4"
-BRANCH="RELEASE-p2"
+BRANCH="RELEASE-p3"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
Modified: releng/7.4/sys/kern/uipc_usrreq.c
==============================================================================
--- releng/7.4/sys/kern/uipc_usrreq.c Wed Sep 28 08:19:45 2011 (r225826)
+++ releng/7.4/sys/kern/uipc_usrreq.c Wed Sep 28 08:47:17 2011 (r225827)
@@ -395,6 +395,8 @@ uipc_bind(struct socket *so, struct sock
unp = sotounpcb(so);
KASSERT(unp != NULL, ("uipc_bind: unp == NULL"));
+ if (soun->sun_len > sizeof(struct sockaddr_un))
+ return (EINVAL);
namelen = soun->sun_len - offsetof(struct sockaddr_un, sun_path);
if (namelen <= 0)
return (EINVAL);
@@ -1141,6 +1143,8 @@ unp_connect(struct socket *so, struct so
unp = sotounpcb(so);
KASSERT(unp != NULL, ("unp_connect: unp == NULL"));
+ if (nam->sa_len > sizeof(struct sockaddr_un))
+ return (EINVAL);
len = nam->sa_len - offsetof(struct sockaddr_un, sun_path);
if (len <= 0)
return (EINVAL);
Modified: releng/7.4/usr.bin/compress/zopen.c
==============================================================================
--- releng/7.4/usr.bin/compress/zopen.c Wed Sep 28 08:19:45 2011 (r225826)
+++ releng/7.4/usr.bin/compress/zopen.c Wed Sep 28 08:47:17 2011 (r225827)
@@ -490,7 +490,7 @@ zread(void *cookie, char *rbp, int num)
block_compress = maxbits & BLOCK_MASK;
maxbits &= BIT_MASK;
maxmaxcode = 1L << maxbits;
- if (maxbits > BITS) {
+ if (maxbits > BITS || maxbits < 12) {
errno = EFTYPE;
return (-1);
}
@@ -517,17 +517,28 @@ zread(void *cookie, char *rbp, int num)
for (code = 255; code >= 0; code--)
tab_prefixof(code) = 0;
clear_flg = 1;
- free_ent = FIRST - 1;
- if ((code = getcode(zs)) == -1) /* O, untimely death! */
- break;
+ free_ent = FIRST;
+ oldcode = -1;
+ continue;
}
incode = code;
- /* Special case for KwKwK string. */
+ /* Special case for kWkWk string. */
if (code >= free_ent) {
+ if (code > free_ent || oldcode == -1) {
+ /* Bad stream. */
+ errno = EINVAL;
+ return (-1);
+ }
*stackp++ = finchar;
code = oldcode;
}
+ /*
+ * The above condition ensures that code < free_ent.
+ * The construction of tab_prefixof in turn guarantees that
+ * each iteration decreases code and therefore stack usage is
+ * bound by 1 << BITS - 256.
+ */
/* Generate output characters in reverse order. */
while (code >= 256) {
@@ -544,7 +555,7 @@ middle: do {
} while (stackp > de_stack);
/* Generate the new entry. */
- if ((code = free_ent) < maxmaxcode) {
+ if ((code = free_ent) < maxmaxcode && oldcode != -1) {
tab_prefixof(code) = (u_short) oldcode;
tab_suffixof(code) = finchar;
free_ent = code + 1;
Modified: releng/7.4/usr.bin/gzip/zuncompress.c
==============================================================================
--- releng/7.4/usr.bin/gzip/zuncompress.c Wed Sep 28 08:19:45 2011 (r225826)
+++ releng/7.4/usr.bin/gzip/zuncompress.c Wed Sep 28 08:47:17 2011 (r225827)
@@ -247,7 +247,7 @@ zread(void *cookie, char *rbp, int num)
zs->zs_block_compress = zs->zs_maxbits & BLOCK_MASK;
zs->zs_maxbits &= BIT_MASK;
zs->zs_maxmaxcode = 1L << zs->zs_maxbits;
- if (zs->zs_maxbits > BITS) {
+ if (zs->zs_maxbits > BITS || zs->zs_maxbits < 12) {
errno = EFTYPE;
return (-1);
}
@@ -259,13 +259,7 @@ zread(void *cookie, char *rbp, int num)
}
zs->zs_free_ent = zs->zs_block_compress ? FIRST : 256;
- zs->u.r.zs_finchar = zs->u.r.zs_oldcode = getcode(zs);
- if (zs->u.r.zs_oldcode == -1) /* EOF already? */
- return (0); /* Get out of here */
-
- /* First code must be 8 bits = char. */
- *bp++ = (u_char)zs->u.r.zs_finchar;
- count--;
+ zs->u.r.zs_oldcode = -1;
zs->u.r.zs_stackp = de_stack;
while ((zs->u.r.zs_code = getcode(zs)) > -1) {
@@ -275,17 +269,29 @@ zread(void *cookie, char *rbp, int num)
zs->u.r.zs_code--)
tab_prefixof(zs->u.r.zs_code) = 0;
zs->zs_clear_flg = 1;
- zs->zs_free_ent = FIRST - 1;
- if ((zs->u.r.zs_code = getcode(zs)) == -1) /* O, untimely death! */
- break;
+ zs->zs_free_ent = FIRST;
+ zs->u.r.zs_oldcode = -1;
+ continue;
}
zs->u.r.zs_incode = zs->u.r.zs_code;
/* Special case for KwKwK string. */
if (zs->u.r.zs_code >= zs->zs_free_ent) {
+ if (zs->u.r.zs_code > zs->zs_free_ent ||
+ zs->u.r.zs_oldcode == -1) {
+ /* Bad stream. */
+ errno = EINVAL;
+ return (-1);
+ }
*zs->u.r.zs_stackp++ = zs->u.r.zs_finchar;
zs->u.r.zs_code = zs->u.r.zs_oldcode;
}
+ /*
+ * The above condition ensures that code < free_ent.
+ * The construction of tab_prefixof in turn guarantees that
+ * each iteration decreases code and therefore stack usage is
+ * bound by 1 << BITS - 256.
+ */
/* Generate output characters in reverse order. */
while (zs->u.r.zs_code >= 256) {
@@ -302,7 +308,8 @@ middle: do {
} while (zs->u.r.zs_stackp > de_stack);
/* Generate the new entry. */
- if ((zs->u.r.zs_code = zs->zs_free_ent) < zs->zs_maxmaxcode) {
+ if ((zs->u.r.zs_code = zs->zs_free_ent) < zs->zs_maxmaxcode &&
+ zs->u.r.zs_oldcode != -1) {
tab_prefixof(zs->u.r.zs_code) = (u_short) zs->u.r.zs_oldcode;
tab_suffixof(zs->u.r.zs_code) = zs->u.r.zs_finchar;
zs->zs_free_ent = zs->u.r.zs_code + 1;
Modified: releng/8.1/UPDATING
==============================================================================
--- releng/8.1/UPDATING Wed Sep 28 08:19:45 2011 (r225826)
+++ releng/8.1/UPDATING Wed Sep 28 08:47:17 2011 (r225827)
@@ -15,6 +15,11 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8.
debugging tools present in HEAD were left in place because
sun4v support still needs work to become production ready.
+20110928: p5 FreeBSD-SA-11:04.compress, FreeBSD-SA-11:05.unix
+ Fix handling of corrupt compress(1)ed data. [11:04]
+
+ Add missing length checks on unix socket addresses. [11:05]
+
20110528: p4 FreeBSD-SA-11:02.bind
Fix BIND remote DoS with large RRSIG RRsets and negative
caching.
Modified: releng/8.1/sys/conf/newvers.sh
==============================================================================
--- releng/8.1/sys/conf/newvers.sh Wed Sep 28 08:19:45 2011 (r225826)
+++ releng/8.1/sys/conf/newvers.sh Wed Sep 28 08:47:17 2011 (r225827)
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="8.1"
-BRANCH="RELEASE-p4"
+BRANCH="RELEASE-p5"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
Modified: releng/8.1/sys/kern/uipc_usrreq.c
==============================================================================
--- releng/8.1/sys/kern/uipc_usrreq.c Wed Sep 28 08:19:45 2011 (r225826)
+++ releng/8.1/sys/kern/uipc_usrreq.c Wed Sep 28 08:47:17 2011 (r225827)
@@ -394,6 +394,8 @@ uipc_bind(struct socket *so, struct sock
unp = sotounpcb(so);
KASSERT(unp != NULL, ("uipc_bind: unp == NULL"));
+ if (soun->sun_len > sizeof(struct sockaddr_un))
+ return (EINVAL);
namelen = soun->sun_len - offsetof(struct sockaddr_un, sun_path);
if (namelen <= 0)
return (EINVAL);
@@ -1140,6 +1142,8 @@ unp_connect(struct socket *so, struct so
unp = sotounpcb(so);
KASSERT(unp != NULL, ("unp_connect: unp == NULL"));
+ if (nam->sa_len > sizeof(struct sockaddr_un))
+ return (EINVAL);
len = nam->sa_len - offsetof(struct sockaddr_un, sun_path);
if (len <= 0)
return (EINVAL);
Modified: releng/8.1/usr.bin/compress/zopen.c
==============================================================================
--- releng/8.1/usr.bin/compress/zopen.c Wed Sep 28 08:19:45 2011 (r225826)
+++ releng/8.1/usr.bin/compress/zopen.c Wed Sep 28 08:47:17 2011 (r225827)
@@ -490,7 +490,7 @@ zread(void *cookie, char *rbp, int num)
block_compress = maxbits & BLOCK_MASK;
maxbits &= BIT_MASK;
maxmaxcode = 1L << maxbits;
- if (maxbits > BITS) {
+ if (maxbits > BITS || maxbits < 12) {
errno = EFTYPE;
return (-1);
}
@@ -517,17 +517,28 @@ zread(void *cookie, char *rbp, int num)
for (code = 255; code >= 0; code--)
tab_prefixof(code) = 0;
clear_flg = 1;
- free_ent = FIRST - 1;
- if ((code = getcode(zs)) == -1) /* O, untimely death! */
- break;
+ free_ent = FIRST;
+ oldcode = -1;
+ continue;
}
incode = code;
- /* Special case for KwKwK string. */
+ /* Special case for kWkWk string. */
if (code >= free_ent) {
+ if (code > free_ent || oldcode == -1) {
+ /* Bad stream. */
+ errno = EINVAL;
+ return (-1);
+ }
*stackp++ = finchar;
code = oldcode;
}
+ /*
+ * The above condition ensures that code < free_ent.
+ * The construction of tab_prefixof in turn guarantees that
+ * each iteration decreases code and therefore stack usage is
+ * bound by 1 << BITS - 256.
+ */
/* Generate output characters in reverse order. */
while (code >= 256) {
@@ -544,7 +555,7 @@ middle: do {
} while (stackp > de_stack);
/* Generate the new entry. */
- if ((code = free_ent) < maxmaxcode) {
+ if ((code = free_ent) < maxmaxcode && oldcode != -1) {
tab_prefixof(code) = (u_short) oldcode;
tab_suffixof(code) = finchar;
free_ent = code + 1;
Modified: releng/8.1/usr.bin/gzip/zuncompress.c
==============================================================================
--- releng/8.1/usr.bin/gzip/zuncompress.c Wed Sep 28 08:19:45 2011 (r225826)
+++ releng/8.1/usr.bin/gzip/zuncompress.c Wed Sep 28 08:47:17 2011 (r225827)
@@ -247,7 +247,7 @@ zread(void *cookie, char *rbp, int num)
zs->zs_block_compress = zs->zs_maxbits & BLOCK_MASK;
zs->zs_maxbits &= BIT_MASK;
zs->zs_maxmaxcode = 1L << zs->zs_maxbits;
- if (zs->zs_maxbits > BITS) {
+ if (zs->zs_maxbits > BITS || zs->zs_maxbits < 12) {
errno = EFTYPE;
return (-1);
}
@@ -259,13 +259,7 @@ zread(void *cookie, char *rbp, int num)
}
zs->zs_free_ent = zs->zs_block_compress ? FIRST : 256;
- zs->u.r.zs_finchar = zs->u.r.zs_oldcode = getcode(zs);
- if (zs->u.r.zs_oldcode == -1) /* EOF already? */
- return (0); /* Get out of here */
-
- /* First code must be 8 bits = char. */
- *bp++ = (u_char)zs->u.r.zs_finchar;
- count--;
+ zs->u.r.zs_oldcode = -1;
zs->u.r.zs_stackp = de_stack;
while ((zs->u.r.zs_code = getcode(zs)) > -1) {
@@ -275,17 +269,29 @@ zread(void *cookie, char *rbp, int num)
zs->u.r.zs_code--)
tab_prefixof(zs->u.r.zs_code) = 0;
zs->zs_clear_flg = 1;
- zs->zs_free_ent = FIRST - 1;
- if ((zs->u.r.zs_code = getcode(zs)) == -1) /* O, untimely death! */
- break;
+ zs->zs_free_ent = FIRST;
+ zs->u.r.zs_oldcode = -1;
+ continue;
}
zs->u.r.zs_incode = zs->u.r.zs_code;
/* Special case for KwKwK string. */
if (zs->u.r.zs_code >= zs->zs_free_ent) {
+ if (zs->u.r.zs_code > zs->zs_free_ent ||
+ zs->u.r.zs_oldcode == -1) {
+ /* Bad stream. */
+ errno = EINVAL;
+ return (-1);
+ }
*zs->u.r.zs_stackp++ = zs->u.r.zs_finchar;
zs->u.r.zs_code = zs->u.r.zs_oldcode;
}
+ /*
+ * The above condition ensures that code < free_ent.
+ * The construction of tab_prefixof in turn guarantees that
+ * each iteration decreases code and therefore stack usage is
+ * bound by 1 << BITS - 256.
+ */
/* Generate output characters in reverse order. */
while (zs->u.r.zs_code >= 256) {
@@ -302,7 +308,8 @@ middle: do {
} while (zs->u.r.zs_stackp > de_stack);
/* Generate the new entry. */
- if ((zs->u.r.zs_code = zs->zs_free_ent) < zs->zs_maxmaxcode) {
+ if ((zs->u.r.zs_code = zs->zs_free_ent) < zs->zs_maxmaxcode &&
+ zs->u.r.zs_oldcode != -1) {
tab_prefixof(zs->u.r.zs_code) = (u_short) zs->u.r.zs_oldcode;
tab_suffixof(zs->u.r.zs_code) = zs->u.r.zs_finchar;
zs->zs_free_ent = zs->u.r.zs_code + 1;
Modified: releng/8.2/UPDATING
==============================================================================
--- releng/8.2/UPDATING Wed Sep 28 08:19:45 2011 (r225826)
+++ releng/8.2/UPDATING Wed Sep 28 08:47:17 2011 (r225827)
@@ -15,6 +15,11 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8.
debugging tools present in HEAD were left in place because
sun4v support still needs work to become production ready.
+20110928: p3 FreeBSD-SA-11:04.compress, FreeBSD-SA-11:05.unix
+ Fix handling of corrupt compress(1)ed data. [11:04]
+
+ Add missing length checks on unix socket addresses. [11:05]
+
20110528: p2 FreeBSD-SA-11:02.bind
Fix BIND remote DoS with large RRSIG RRsets and negative
caching.
Modified: releng/8.2/sys/conf/newvers.sh
==============================================================================
--- releng/8.2/sys/conf/newvers.sh Wed Sep 28 08:19:45 2011 (r225826)
+++ releng/8.2/sys/conf/newvers.sh Wed Sep 28 08:47:17 2011 (r225827)
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="8.2"
-BRANCH="RELEASE-p2"
+BRANCH="RELEASE-p3"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
Modified: releng/8.2/sys/kern/uipc_usrreq.c
==============================================================================
--- releng/8.2/sys/kern/uipc_usrreq.c Wed Sep 28 08:19:45 2011 (r225826)
+++ releng/8.2/sys/kern/uipc_usrreq.c Wed Sep 28 08:47:17 2011 (r225827)
@@ -419,6 +419,8 @@ uipc_bind(struct socket *so, struct sock
unp = sotounpcb(so);
KASSERT(unp != NULL, ("uipc_bind: unp == NULL"));
+ if (soun->sun_len > sizeof(struct sockaddr_un))
+ return (EINVAL);
namelen = soun->sun_len - offsetof(struct sockaddr_un, sun_path);
if (namelen <= 0)
return (EINVAL);
@@ -1165,6 +1167,8 @@ unp_connect(struct socket *so, struct so
unp = sotounpcb(so);
KASSERT(unp != NULL, ("unp_connect: unp == NULL"));
+ if (nam->sa_len > sizeof(struct sockaddr_un))
+ return (EINVAL);
len = nam->sa_len - offsetof(struct sockaddr_un, sun_path);
if (len <= 0)
return (EINVAL);
Modified: releng/8.2/usr.bin/compress/zopen.c
==============================================================================
--- releng/8.2/usr.bin/compress/zopen.c Wed Sep 28 08:19:45 2011 (r225826)
+++ releng/8.2/usr.bin/compress/zopen.c Wed Sep 28 08:47:17 2011 (r225827)
@@ -490,7 +490,7 @@ zread(void *cookie, char *rbp, int num)
block_compress = maxbits & BLOCK_MASK;
maxbits &= BIT_MASK;
maxmaxcode = 1L << maxbits;
- if (maxbits > BITS) {
+ if (maxbits > BITS || maxbits < 12) {
errno = EFTYPE;
return (-1);
}
@@ -517,17 +517,28 @@ zread(void *cookie, char *rbp, int num)
for (code = 255; code >= 0; code--)
tab_prefixof(code) = 0;
clear_flg = 1;
- free_ent = FIRST - 1;
- if ((code = getcode(zs)) == -1) /* O, untimely death! */
- break;
+ free_ent = FIRST;
+ oldcode = -1;
+ continue;
}
incode = code;
- /* Special case for KwKwK string. */
+ /* Special case for kWkWk string. */
if (code >= free_ent) {
+ if (code > free_ent || oldcode == -1) {
+ /* Bad stream. */
+ errno = EINVAL;
+ return (-1);
+ }
*stackp++ = finchar;
code = oldcode;
}
+ /*
+ * The above condition ensures that code < free_ent.
+ * The construction of tab_prefixof in turn guarantees that
+ * each iteration decreases code and therefore stack usage is
+ * bound by 1 << BITS - 256.
+ */
/* Generate output characters in reverse order. */
while (code >= 256) {
@@ -544,7 +555,7 @@ middle: do {
} while (stackp > de_stack);
/* Generate the new entry. */
- if ((code = free_ent) < maxmaxcode) {
+ if ((code = free_ent) < maxmaxcode && oldcode != -1) {
tab_prefixof(code) = (u_short) oldcode;
tab_suffixof(code) = finchar;
free_ent = code + 1;
Modified: releng/8.2/usr.bin/gzip/zuncompress.c
==============================================================================
--- releng/8.2/usr.bin/gzip/zuncompress.c Wed Sep 28 08:19:45 2011 (r225826)
+++ releng/8.2/usr.bin/gzip/zuncompress.c Wed Sep 28 08:47:17 2011 (r225827)
@@ -247,7 +247,7 @@ zread(void *cookie, char *rbp, int num)
zs->zs_block_compress = zs->zs_maxbits & BLOCK_MASK;
zs->zs_maxbits &= BIT_MASK;
zs->zs_maxmaxcode = 1L << zs->zs_maxbits;
- if (zs->zs_maxbits > BITS) {
+ if (zs->zs_maxbits > BITS || zs->zs_maxbits < 12) {
errno = EFTYPE;
return (-1);
}
@@ -259,13 +259,7 @@ zread(void *cookie, char *rbp, int num)
}
zs->zs_free_ent = zs->zs_block_compress ? FIRST : 256;
- zs->u.r.zs_finchar = zs->u.r.zs_oldcode = getcode(zs);
- if (zs->u.r.zs_oldcode == -1) /* EOF already? */
- return (0); /* Get out of here */
-
- /* First code must be 8 bits = char. */
- *bp++ = (u_char)zs->u.r.zs_finchar;
- count--;
+ zs->u.r.zs_oldcode = -1;
zs->u.r.zs_stackp = de_stack;
while ((zs->u.r.zs_code = getcode(zs)) > -1) {
@@ -275,17 +269,29 @@ zread(void *cookie, char *rbp, int num)
zs->u.r.zs_code--)
tab_prefixof(zs->u.r.zs_code) = 0;
zs->zs_clear_flg = 1;
- zs->zs_free_ent = FIRST - 1;
- if ((zs->u.r.zs_code = getcode(zs)) == -1) /* O, untimely death! */
- break;
+ zs->zs_free_ent = FIRST;
+ zs->u.r.zs_oldcode = -1;
+ continue;
}
zs->u.r.zs_incode = zs->u.r.zs_code;
/* Special case for KwKwK string. */
if (zs->u.r.zs_code >= zs->zs_free_ent) {
+ if (zs->u.r.zs_code > zs->zs_free_ent ||
+ zs->u.r.zs_oldcode == -1) {
+ /* Bad stream. */
+ errno = EINVAL;
+ return (-1);
+ }
*zs->u.r.zs_stackp++ = zs->u.r.zs_finchar;
zs->u.r.zs_code = zs->u.r.zs_oldcode;
}
+ /*
+ * The above condition ensures that code < free_ent.
+ * The construction of tab_prefixof in turn guarantees that
+ * each iteration decreases code and therefore stack usage is
+ * bound by 1 << BITS - 256.
+ */
/* Generate output characters in reverse order. */
while (zs->u.r.zs_code >= 256) {
@@ -302,7 +308,8 @@ middle: do {
} while (zs->u.r.zs_stackp > de_stack);
/* Generate the new entry. */
- if ((zs->u.r.zs_code = zs->zs_free_ent) < zs->zs_maxmaxcode) {
+ if ((zs->u.r.zs_code = zs->zs_free_ent) < zs->zs_maxmaxcode &&
+ zs->u.r.zs_oldcode != -1) {
tab_prefixof(zs->u.r.zs_code) = (u_short) zs->u.r.zs_oldcode;
tab_suffixof(zs->u.r.zs_code) = zs->u.r.zs_finchar;
zs->zs_free_ent = zs->u.r.zs_code + 1;
More information about the svn-src-all
mailing list