svn commit: r205655 - in stable: 6/contrib/cpio/lib 7/contrib/cpio/lib 8/contrib/cpio/lib

Xin LI delphij at FreeBSD.org
Thu Mar 25 20:07:31 UTC 2010


Author: delphij
Date: Thu Mar 25 20:07:30 2010
New Revision: 205655
URL: http://svn.freebsd.org/changeset/base/205655

Log:
  MFC r205654:
  
  The rmt client in GNU cpio could have a heap overflow when a malicious
  remote tape service returns deliberately crafted packets containing
  more data than requested.
  
  Fix this by checking the returned amount of data and bail out when it
  is more than what we requested.
  
  PR:		gnu/145010
  Submitted by:	naddy
  Reviewed by:	imp
  Security:	CVE-2010-0624

Modified:
  stable/8/contrib/cpio/lib/rtapelib.c
Directory Properties:
  stable/8/contrib/cpio/   (props changed)

Changes in other areas also in this revision:
Modified:
  stable/6/contrib/cpio/lib/rtapelib.c
  stable/7/contrib/cpio/lib/rtapelib.c
Directory Properties:
  stable/6/contrib/cpio/   (props changed)
  stable/7/contrib/cpio/   (props changed)

Modified: stable/8/contrib/cpio/lib/rtapelib.c
==============================================================================
--- stable/8/contrib/cpio/lib/rtapelib.c	Thu Mar 25 20:02:54 2010	(r205654)
+++ stable/8/contrib/cpio/lib/rtapelib.c	Thu Mar 25 20:07:30 2010	(r205655)
@@ -570,7 +570,8 @@ rmt_read__ (int handle, char *buffer, si
 
   sprintf (command_buffer, "R%lu\n", (unsigned long) length);
   if (do_command (handle, command_buffer) == -1
-      || (status = get_status (handle)) == SAFE_READ_ERROR)
+      || (status = get_status (handle)) == SAFE_READ_ERROR
+      || status > length)
     return SAFE_READ_ERROR;
 
   for (counter = 0; counter < status; counter += rlen, buffer += rlen)


More information about the svn-src-stable-8 mailing list