git: 0729ba2f49c9 - stable/13 - Fix remote code execution in ggatec(8).
Gordon Tetlow
gordon at FreeBSD.org
Tue Aug 24 18:28:27 UTC 2021
The branch stable/13 has been updated by gordon:
URL: https://cgit.FreeBSD.org/src/commit/?id=0729ba2f49c956789701aecb70f4f555181fd3a7
commit 0729ba2f49c956789701aecb70f4f555181fd3a7
Author: Gordon Tetlow <gordon at FreeBSD.org>
AuthorDate: 2021-08-24 17:40:49 +0000
Commit: Gordon Tetlow <gordon at FreeBSD.org>
CommitDate: 2021-08-24 17:50:50 +0000
Fix remote code execution in ggatec(8).
Approved by: so
Security: SA-21:14.ggatec
Security: CVE-2021-29630
(cherry picked from commit 515216929c40169cc72b62466ff9238682661613)
---
sbin/ggate/ggatec/ggatec.c | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/sbin/ggate/ggatec/ggatec.c b/sbin/ggate/ggatec/ggatec.c
index 45a93c4512fe..0695dae0dca2 100644
--- a/sbin/ggate/ggatec/ggatec.c
+++ b/sbin/ggate/ggatec/ggatec.c
@@ -145,7 +145,21 @@ send_thread(void *arg __unused)
case BIO_WRITE:
hdr.gh_cmd = GGATE_CMD_WRITE;
break;
+ default:
+ g_gate_log(LOG_NOTICE, "Unknown gctl_cmd: %i", ggio.gctl_cmd);
+ ggio.gctl_error = EOPNOTSUPP;
+ g_gate_ioctl(G_GATE_CMD_DONE, &ggio);
+ continue;
+ }
+
+ /* Don't send requests for more data than we can handle the response for! */
+ if (ggio.gctl_length > MAXPHYS) {
+ g_gate_log(LOG_ERR, "Request too big: %zd", ggio.gctl_length);
+ ggio.gctl_error = EOPNOTSUPP;
+ g_gate_ioctl(G_GATE_CMD_DONE, &ggio);
+ continue;
}
+
hdr.gh_seq = ggio.gctl_seq;
hdr.gh_offset = ggio.gctl_offset;
hdr.gh_length = ggio.gctl_length;
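Review bot: The new `Request too big` log in send_thread prints `ggio.gctl_length` with `%zd`, but the `(off_t)` cast in the recv_thread hunk suggests the field is an `off_t`. If so, the specifier and argument widths differ on platforms where `ssize_t` is 32-bit, and the logged size (the one value an operator needs when triaging this event) can be garbage. A cast makes it portable: `g_gate_log(LOG_ERR, "Request too big: %jd", (intmax_t)ggio.gctl_length);`. The same applies to the `Received too big response` message in the recv_thread hunk. The field's declaration is outside this diff, so confirm its type before changing the format.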
@@ -219,6 +233,12 @@ recv_thread(void *arg __unused)
ggio.gctl_length = hdr.gh_length;
ggio.gctl_error = hdr.gh_error;
+ /* Do not overflow our buffer if there is a bogus response. */
+ if (ggio.gctl_length > (off_t) sizeof(buf)) {
+ g_gate_log(LOG_ERR, "Received too big response: %zd", ggio.gctl_length);
+ break;
+ }
+
if (ggio.gctl_error == 0 && ggio.gctl_cmd == GGATE_CMD_READ) {
data = g_gate_recv(recvfd, ggio.gctl_data,
ggio.gctl_length, MSG_WAITALL);
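Review bot: The bound in recv_thread is `sizeof(buf)`, while the receive that follows writes through `ggio.gctl_data`, so the guard is only sound if that pointer was set to `buf` earlier in the function, which is outside the hunk. A comment at the check would pin that invariant, e.g. `/* gctl_data points at buf; gh_length comes from the peer and is untrusted. */`. The `break` also leaves the loop without calling `g_gate_ioctl(G_GATE_CMD_DONE, ...)` for the sequence just read, unlike the two rejection paths added in send_thread. If that is intentional because the connection is torn down after the loop, a one-line comment saying so would help the next reader.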