Fix handling of corrupt compress(1)ed data. [11:04]
Add missing length checks on unix socket addresses. [11:05] Approved by: so (cperciva) Approved by: re (kensmith) Security: FreeBSD-SA-11:04.compress Security: CVE-2011-2895 [11:04] Security: FreeBSD-SA-11:05.unix
This commit is contained in:
Bjoern A. Zeeb
parent
0e0290482b
commit
a06534c3c2
@ -462,6 +462,8 @@ uipc_bind(struct socket *so, struct sockaddr *nam, struct thread *td)
|
||||
unp = sotounpcb(so);
|
||||
KASSERT(unp != NULL, ("uipc_bind: unp == NULL"));
|
||||
|
||||
if (soun->sun_len > sizeof(struct sockaddr_un))
|
||||
return (EINVAL);
|
||||
namelen = soun->sun_len - offsetof(struct sockaddr_un, sun_path);
|
||||
if (namelen <= 0)
|
||||
return (EINVAL);
|
||||
@ -1252,6 +1254,8 @@ unp_connect(struct socket *so, struct sockaddr *nam, struct thread *td)
|
||||
unp = sotounpcb(so);
|
||||
KASSERT(unp != NULL, ("unp_connect: unp == NULL"));
|
||||
|
||||
if (nam->sa_len > sizeof(struct sockaddr_un))
|
||||
return (EINVAL);
|
||||
len = nam->sa_len - offsetof(struct sockaddr_un, sun_path);
|
||||
if (len <= 0)
|
||||
return (EINVAL);
|
||||
|
||||
@ -486,7 +486,7 @@ zread(void *cookie, char *rbp, int num)
|
||||
block_compress = maxbits & BLOCK_MASK;
|
||||
maxbits &= BIT_MASK;
|
||||
maxmaxcode = 1L << maxbits;
|
||||
if (maxbits > BITS) {
|
||||
if (maxbits > BITS || maxbits < 12) {
|
||||
errno = EFTYPE;
|
||||
return (-1);
|
||||
}
|
||||
@ -513,17 +513,28 @@ zread(void *cookie, char *rbp, int num)
|
||||
for (code = 255; code >= 0; code--)
|
||||
tab_prefixof(code) = 0;
|
||||
clear_flg = 1;
|
||||
free_ent = FIRST - 1;
|
||||
if ((code = getcode(zs)) == -1) /* O, untimely death! */
|
||||
break;
|
||||
free_ent = FIRST;
|
||||
oldcode = -1;
|
||||
continue;
|
||||
}
|
||||
incode = code;
|
||||
|
||||
/* Special case for KwKwK string. */
|
||||
/* Special case for kWkWk string. */
|
||||
if (code >= free_ent) {
|
||||
if (code > free_ent || oldcode == -1) {
|
||||
/* Bad stream. */
|
||||
errno = EINVAL;
|
||||
return (-1);
|
||||
}
|
||||
*stackp++ = finchar;
|
||||
code = oldcode;
|
||||
}
|
||||
/*
|
||||
* The above condition ensures that code < free_ent.
|
||||
* The construction of tab_prefixof in turn guarantees that
|
||||
* each iteration decreases code and therefore stack usage is
|
||||
* bound by 1 << BITS - 256.
|
||||
*/
|
||||
|
||||
/* Generate output characters in reverse order. */
|
||||
while (code >= 256) {
|
||||
@ -540,7 +551,7 @@ middle: do {
|
||||
} while (stackp > de_stack);
|
||||
|
||||
/* Generate the new entry. */
|
||||
if ((code = free_ent) < maxmaxcode) {
|
||||
if ((code = free_ent) < maxmaxcode && oldcode != -1) {
|
||||
tab_prefixof(code) = (u_short) oldcode;
|
||||
tab_suffixof(code) = finchar;
|
||||
free_ent = code + 1;
|
||||
|
||||
@ -247,7 +247,7 @@ zread(void *cookie, char *rbp, int num)
|
||||
zs->zs_block_compress = zs->zs_maxbits & BLOCK_MASK;
|
||||
zs->zs_maxbits &= BIT_MASK;
|
||||
zs->zs_maxmaxcode = 1L << zs->zs_maxbits;
|
||||
if (zs->zs_maxbits > BITS) {
|
||||
if (zs->zs_maxbits > BITS || zs->zs_maxbits < 12) {
|
||||
errno = EFTYPE;
|
||||
return (-1);
|
||||
}
|
||||
@ -259,13 +259,7 @@ zread(void *cookie, char *rbp, int num)
|
||||
}
|
||||
zs->zs_free_ent = zs->zs_block_compress ? FIRST : 256;
|
||||
|
||||
zs->u.r.zs_finchar = zs->u.r.zs_oldcode = getcode(zs);
|
||||
if (zs->u.r.zs_oldcode == -1) /* EOF already? */
|
||||
return (0); /* Get out of here */
|
||||
|
||||
/* First code must be 8 bits = char. */
|
||||
*bp++ = (u_char)zs->u.r.zs_finchar;
|
||||
count--;
|
||||
zs->u.r.zs_oldcode = -1;
|
||||
zs->u.r.zs_stackp = de_stack;
|
||||
|
||||
while ((zs->u.r.zs_code = getcode(zs)) > -1) {
|
||||
@ -275,17 +269,29 @@ zread(void *cookie, char *rbp, int num)
|
||||
zs->u.r.zs_code--)
|
||||
tab_prefixof(zs->u.r.zs_code) = 0;
|
||||
zs->zs_clear_flg = 1;
|
||||
zs->zs_free_ent = FIRST - 1;
|
||||
if ((zs->u.r.zs_code = getcode(zs)) == -1) /* O, untimely death! */
|
||||
break;
|
||||
zs->zs_free_ent = FIRST;
|
||||
zs->u.r.zs_oldcode = -1;
|
||||
continue;
|
||||
}
|
||||
zs->u.r.zs_incode = zs->u.r.zs_code;
|
||||
|
||||
/* Special case for KwKwK string. */
|
||||
if (zs->u.r.zs_code >= zs->zs_free_ent) {
|
||||
if (zs->u.r.zs_code > zs->zs_free_ent ||
|
||||
zs->u.r.zs_oldcode == -1) {
|
||||
/* Bad stream. */
|
||||
errno = EINVAL;
|
||||
return (-1);
|
||||
}
|
||||
*zs->u.r.zs_stackp++ = zs->u.r.zs_finchar;
|
||||
zs->u.r.zs_code = zs->u.r.zs_oldcode;
|
||||
}
|
||||
/*
|
||||
* The above condition ensures that code < free_ent.
|
||||
* The construction of tab_prefixof in turn guarantees that
|
||||
* each iteration decreases code and therefore stack usage is
|
||||
* bound by 1 << BITS - 256.
|
||||
*/
|
||||
|
||||
/* Generate output characters in reverse order. */
|
||||
while (zs->u.r.zs_code >= 256) {
|
||||
@ -302,7 +308,8 @@ middle: do {
|
||||
} while (zs->u.r.zs_stackp > de_stack);
|
||||
|
||||
/* Generate the new entry. */
|
||||
if ((zs->u.r.zs_code = zs->zs_free_ent) < zs->zs_maxmaxcode) {
|
||||
if ((zs->u.r.zs_code = zs->zs_free_ent) < zs->zs_maxmaxcode &&
|
||||
zs->u.r.zs_oldcode != -1) {
|
||||
tab_prefixof(zs->u.r.zs_code) = (u_short) zs->u.r.zs_oldcode;
|
||||
tab_suffixof(zs->u.r.zs_code) = zs->u.r.zs_finchar;
|
||||
zs->zs_free_ent = zs->u.r.zs_code + 1;
|
||||
|
||||
Loading…
Reference in New Issue
Block a user