diff options
author | delphij <delphij@FreeBSD.org> | 2010-03-25 20:02:54 +0000 |
---|---|---|
committer | delphij <delphij@FreeBSD.org> | 2010-03-25 20:02:54 +0000 |
commit | 54c5278fbd78e51eadbda5e9c67c741e5bc5880f (patch) | |
tree | 9d4fd2a14fcbf806ff962f315dbd89b281f644f3 /contrib | |
parent | 4545dc3090989db4cbd9c7be42f6be8fcf691f59 (diff) | |
download | FreeBSD-src-54c5278fbd78e51eadbda5e9c67c741e5bc5880f.zip FreeBSD-src-54c5278fbd78e51eadbda5e9c67c741e5bc5880f.tar.gz |
The rmt client in GNU cpio could have a heap overflow when a malicious
remote tape service returns deliberately crafted packets containing
more data than requested.
Fix this by checking the returned amount of data and bail out when it
is more than what we requested.
PR: gnu/145010
Submitted by: naddy
Reviewed by: imp
MFC after: immediately
Security: CVE-2010-0624
Diffstat (limited to 'contrib')
-rw-r--r-- | contrib/cpio/lib/rtapelib.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/contrib/cpio/lib/rtapelib.c b/contrib/cpio/lib/rtapelib.c index af19b04..d73d136 100644 --- a/contrib/cpio/lib/rtapelib.c +++ b/contrib/cpio/lib/rtapelib.c @@ -570,7 +570,8 @@ rmt_read__ (int handle, char *buffer, size_t length) sprintf (command_buffer, "R%lu\n", (unsigned long) length); if (do_command (handle, command_buffer) == -1 - || (status = get_status (handle)) == SAFE_READ_ERROR) + || (status = get_status (handle)) == SAFE_READ_ERROR + || status > length) return SAFE_READ_ERROR; for (counter = 0; counter < status; counter += rlen, buffer += rlen) |