From 54c5278fbd78e51eadbda5e9c67c741e5bc5880f Mon Sep 17 00:00:00 2001
From: delphij
Date: Thu, 25 Mar 2010 20:02:54 +0000
Subject: The rmt client in GNU cpio could have a heap overflow when a malicious remote tape service returns deliberately crafted packets containing more data than requested. Fix this by checking the returned amount of data and bail out when it is more than what we requested.
PR: gnu/145010
Submitted by: naddy
Reviewed by: imp
MFC after: immediately
Security: CVE-2010-0624
---
 contrib/cpio/lib/rtapelib.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'contrib')
diff --git a/contrib/cpio/lib/rtapelib.c b/contrib/cpio/lib/rtapelib.c
index af19b04..d73d136 100644
--- a/contrib/cpio/lib/rtapelib.c
+++ b/contrib/cpio/lib/rtapelib.c
@@ -570,7 +570,8 @@ rmt_read__ (int handle, char *buffer, size_t length)
 sprintf (command_buffer, "R%lu\n", (unsigned long) length);
 if (do_command (handle, command_buffer) == -1
- || (status = get_status (handle)) == SAFE_READ_ERROR)
+ || (status = get_status (handle)) == SAFE_READ_ERROR
+ || status > length)
 return SAFE_READ_ERROR;
 for (counter = 0; counter < status; counter += rlen, buffer += rlen)
-- cgit v1.1
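Review bot: The added `|| status > length` branch shares the plain `return SAFE_READ_ERROR;` with the other failures, so an over-long reply is rejected without setting `errno` and, as far as the hunk shows, without closing the connection to a server that has just broken the protocol and may still have its announced payload queued on the stream. Consider handling it as its own case, e.g. `if (status > length) { errno = EIO; return SAFE_READ_ERROR; }`, and tearing the handle down at that point if the file has a shutdown helper for protocol errors, so a later command on the same handle does not parse leftover payload bytes as a status reply. rmt_read__ begins and ends outside the hunk, so the declaration of `status` and any cleanup done by callers are not visible here. A short comment above the check, such as `/* Never trust the server's byte count: it must fit the caller's buffer (CVE-2010-0624). */`, would keep the bound from being dropped in a later cleanup.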