Date: Thu, 25 Mar 2010 20:07:30 +0000 (UTC) From: Xin LI <delphij@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-7@freebsd.org Subject: svn commit: r205655 - in stable: 6/contrib/cpio/lib 7/contrib/cpio/lib 8/contrib/cpio/lib Message-ID: <201003252007.o2PK7UOQ024051@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: delphij Date: Thu Mar 25 20:07:30 2010 New Revision: 205655 URL: http://svn.freebsd.org/changeset/base/205655 Log: MFC r205654: The rmt client in GNU cpio could have a heap overflow when a malicious remote tape service returns deliberately crafted packets containing more data than requested. Fix this by checking the returned amount of data and bail out when it is more than what we requested. PR: gnu/145010 Submitted by: naddy Reviewed by: imp Security: CVE-2010-0624 Modified: stable/7/contrib/cpio/lib/rtapelib.c Directory Properties: stable/7/contrib/cpio/ (props changed) Changes in other areas also in this revision: Modified: stable/6/contrib/cpio/lib/rtapelib.c stable/8/contrib/cpio/lib/rtapelib.c Directory Properties: stable/6/contrib/cpio/ (props changed) stable/8/contrib/cpio/ (props changed) Modified: stable/7/contrib/cpio/lib/rtapelib.c ============================================================================== --- stable/7/contrib/cpio/lib/rtapelib.c Thu Mar 25 20:02:54 2010 (r205654) +++ stable/7/contrib/cpio/lib/rtapelib.c Thu Mar 25 20:07:30 2010 (r205655) @@ -570,7 +570,8 @@ rmt_read__ (int handle, char *buffer, si sprintf (command_buffer, "R%lu\n", (unsigned long) length); if (do_command (handle, command_buffer) == -1 - || (status = get_status (handle)) == SAFE_READ_ERROR) + || (status = get_status (handle)) == SAFE_READ_ERROR + || status > length) return SAFE_READ_ERROR; for (counter = 0; counter < status; counter += rlen, buffer += rlen)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201003252007.o2PK7UOQ024051>