diff options
| author | bz <bz@FreeBSD.org> | 2011-09-28 08:47:17 +0000 |
|---|---|---|
| committer | bz <bz@FreeBSD.org> | 2011-09-28 08:47:17 +0000 |
| commit | 2e8e044c2fd777a22fe0e18a64666670c4b72dd7 (patch) | |
| tree | 6b2a5e897537e8defdf4089f141f835461cd9343 | |
| parent | 38b4a9842482e6817e8229e2fb567a4431b1924b (diff) | |
| download | FreeBSD-src-2e8e044c2fd777a22fe0e18a64666670c4b72dd7.zip FreeBSD-src-2e8e044c2fd777a22fe0e18a64666670c4b72dd7.tar.gz | |
Fix handling of corrupt compress(1)ed data. [11:04]
Add missing length checks on unix socket addresses. [11:05]
Approved by: so (cperciva)
Approved by: re (kensmith)
Security: FreeBSD-SA-11:04.compress
Security: CVE-2011-2895 [11:04]
Security: FreeBSD-SA-11:05.unix
| -rw-r--r-- | sys/kern/uipc_usrreq.c | 4 | ||||
| -rw-r--r-- | usr.bin/compress/zopen.c | 23 | ||||
| -rw-r--r-- | usr.bin/gzip/zuncompress.c | 31 |
3 files changed, 40 insertions, 18 deletions
diff --git a/sys/kern/uipc_usrreq.c b/sys/kern/uipc_usrreq.c index 3a34f58..801a244 100644 --- a/sys/kern/uipc_usrreq.c +++ b/sys/kern/uipc_usrreq.c @@ -462,6 +462,8 @@ uipc_bind(struct socket *so, struct sockaddr *nam, struct thread *td) unp = sotounpcb(so); KASSERT(unp != NULL, ("uipc_bind: unp == NULL")); + if (soun->sun_len > sizeof(struct sockaddr_un)) + return (EINVAL); namelen = soun->sun_len - offsetof(struct sockaddr_un, sun_path); if (namelen <= 0) return (EINVAL); @@ -1252,6 +1254,8 @@ unp_connect(struct socket *so, struct sockaddr *nam, struct thread *td) unp = sotounpcb(so); KASSERT(unp != NULL, ("unp_connect: unp == NULL")); + if (nam->sa_len > sizeof(struct sockaddr_un)) + return (EINVAL); len = nam->sa_len - offsetof(struct sockaddr_un, sun_path); if (len <= 0) return (EINVAL); diff --git a/usr.bin/compress/zopen.c b/usr.bin/compress/zopen.c index a729e13..8ae3d7d 100644 --- a/usr.bin/compress/zopen.c +++ b/usr.bin/compress/zopen.c @@ -486,7 +486,7 @@ zread(void *cookie, char *rbp, int num) block_compress = maxbits & BLOCK_MASK; maxbits &= BIT_MASK; maxmaxcode = 1L << maxbits; - if (maxbits > BITS) { + if (maxbits > BITS || maxbits < 12) { errno = EFTYPE; return (-1); } @@ -513,17 +513,28 @@ zread(void *cookie, char *rbp, int num) for (code = 255; code >= 0; code--) tab_prefixof(code) = 0; clear_flg = 1; - free_ent = FIRST - 1; - if ((code = getcode(zs)) == -1) /* O, untimely death! */ - break; + free_ent = FIRST; + oldcode = -1; + continue; } incode = code; - /* Special case for KwKwK string. */ + /* Special case for kWkWk string. */ if (code >= free_ent) { + if (code > free_ent || oldcode == -1) { + /* Bad stream. */ + errno = EINVAL; + return (-1); + } *stackp++ = finchar; code = oldcode; } + /* + * The above condition ensures that code < free_ent. + * The construction of tab_prefixof in turn guarantees that + * each iteration decreases code and therefore stack usage is + * bound by 1 << BITS - 256. + */ /* Generate output characters in reverse order. */ while (code >= 256) { @@ -540,7 +551,7 @@ middle: do { } while (stackp > de_stack); /* Generate the new entry. */ - if ((code = free_ent) < maxmaxcode) { + if ((code = free_ent) < maxmaxcode && oldcode != -1) { tab_prefixof(code) = (u_short) oldcode; tab_suffixof(code) = finchar; free_ent = code + 1; diff --git a/usr.bin/gzip/zuncompress.c b/usr.bin/gzip/zuncompress.c index f68ba59..1d0b66f 100644 --- a/usr.bin/gzip/zuncompress.c +++ b/usr.bin/gzip/zuncompress.c @@ -247,7 +247,7 @@ zread(void *cookie, char *rbp, int num) zs->zs_block_compress = zs->zs_maxbits & BLOCK_MASK; zs->zs_maxbits &= BIT_MASK; zs->zs_maxmaxcode = 1L << zs->zs_maxbits; - if (zs->zs_maxbits > BITS) { + if (zs->zs_maxbits > BITS || zs->zs_maxbits < 12) { errno = EFTYPE; return (-1); } @@ -259,13 +259,7 @@ zread(void *cookie, char *rbp, int num) } zs->zs_free_ent = zs->zs_block_compress ? FIRST : 256; - zs->u.r.zs_finchar = zs->u.r.zs_oldcode = getcode(zs); - if (zs->u.r.zs_oldcode == -1) /* EOF already? */ - return (0); /* Get out of here */ - - /* First code must be 8 bits = char. */ - *bp++ = (u_char)zs->u.r.zs_finchar; - count--; + zs->u.r.zs_oldcode = -1; zs->u.r.zs_stackp = de_stack; while ((zs->u.r.zs_code = getcode(zs)) > -1) { @@ -275,17 +269,29 @@ zread(void *cookie, char *rbp, int num) zs->u.r.zs_code--) tab_prefixof(zs->u.r.zs_code) = 0; zs->zs_clear_flg = 1; - zs->zs_free_ent = FIRST - 1; - if ((zs->u.r.zs_code = getcode(zs)) == -1) /* O, untimely death! */ - break; + zs->zs_free_ent = FIRST; + zs->u.r.zs_oldcode = -1; + continue; } zs->u.r.zs_incode = zs->u.r.zs_code; /* Special case for KwKwK string. */ if (zs->u.r.zs_code >= zs->zs_free_ent) { + if (zs->u.r.zs_code > zs->zs_free_ent || + zs->u.r.zs_oldcode == -1) { + /* Bad stream. */ + errno = EINVAL; + return (-1); + } *zs->u.r.zs_stackp++ = zs->u.r.zs_finchar; zs->u.r.zs_code = zs->u.r.zs_oldcode; } + /* + * The above condition ensures that code < free_ent. + * The construction of tab_prefixof in turn guarantees that + * each iteration decreases code and therefore stack usage is + * bound by 1 << BITS - 256. + */ /* Generate output characters in reverse order. */ while (zs->u.r.zs_code >= 256) { @@ -302,7 +308,8 @@ middle: do { } while (zs->u.r.zs_stackp > de_stack); /* Generate the new entry. */ - if ((zs->u.r.zs_code = zs->zs_free_ent) < zs->zs_maxmaxcode) { + if ((zs->u.r.zs_code = zs->zs_free_ent) < zs->zs_maxmaxcode && + zs->u.r.zs_oldcode != -1) { tab_prefixof(zs->u.r.zs_code) = (u_short) zs->u.r.zs_oldcode; tab_suffixof(zs->u.r.zs_code) = zs->u.r.zs_finchar; zs->zs_free_ent = zs->u.r.zs_code + 1; |
