The rmt client in GNU cpio could have a heap overflow when a malicious
remote tape service returns deliberately crafted packets containing
more data than requested.

Fix this by checking the returned amount of data and bail out when it
is more than what we requested.

PR:		gnu/145010
Submitted by:	naddy
Reviewed by:	imp
MFC after:	immediately
Security:	CVE-2010-0624
Xin LI 2010-03-25 20:02:54 +00:00
parent bb6ba5f6b9
commit 780179e871

@ -570,7 +570,8 @@ rmt_read__ (int handle, char *buffer, size_t length)
sprintf (command_buffer, "R%lu\n", (unsigned long) length);
if (do_command (handle, command_buffer) == -1
|| (status = get_status (handle)) == SAFE_READ_ERROR)
|| (status = get_status (handle)) == SAFE_READ_ERROR
|| status > length)
return SAFE_READ_ERROR;
for (counter = 0; counter < status; counter += rlen, buffer += rlen)
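
Review bot: The new `status > length` test in rmt_read__ returns SAFE_READ_ERROR before the read loop, so the payload the server has announced is left unread on the connection, and a later command on this handle could read it as its reply. Consider shutting the connection down or marking the handle unusable at this point instead of only returning, and setting errno so the caller can tell a protocol violation from an ordinary read failure. A short comment saying that a well-behaved server never returns more than `length` bytes would document why the check exists. The declaration of `status` is outside the hunk, so confirm the comparison with `length` is done on unsigned values.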