[CVE-2010-0624] checking the returned amount of data and bail out when it is more... 47/254647/1 submit/tizen_base/20210309.041845
author JinWang An <jinwang.an@samsung.com>
Fri, 5 Mar 2021 12:12:59 +0000 (21:12 +0900)
committer JinWang An <jinwang.an@samsung.com>
Fri, 5 Mar 2021 12:17:48 +0000 (21:17 +0900)
The rmt client in GNU cpio could have a heap overflow when a malicious
remote tape service returns deliberately crafted packets containing
more data than requested.

PR: gnu/145010
Submitted by: naddy
Reviewed by: imp
MFC after: immediately
Security: CVE-2010-0624

Change-Id: I489741e2faefd9353307a571a6a32c1e249f4488
Signed-off-by: JinWang An <jinwang.an@samsung.com>
lib/rtapelib.c

index af19b04..c39398e 100644 (file)
@@ -570,7 +570,8 @@ rmt_read__ (int handle, char *buffer, size_t length)
 
   sprintf (command_buffer, "R%lu\n", (unsigned long) length);
   if (do_command (handle, command_buffer) == -1
-      || (status = get_status (handle)) == SAFE_READ_ERROR)
+      || (status = get_status (handle)) == SAFE_READ_ERROR
+         || status > length)
     return SAFE_READ_ERROR;
 
   for (counter = 0; counter < status; counter += rlen, buffer += rlen)
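Review bot: The new `|| status > length` branch in rmt_read__ returns SAFE_READ_ERROR before the `for` loop runs, so the oversized payload the server announced is never read and stays on the connection. Any later command on the same handle would then parse leftover data as a status reply. Consider marking the handle unusable (or closing it) on this path, and setting errno to something that lets the caller tell a protocol violation from an ordinary read failure. Two smaller points: the declaration of `status` is outside the hunk, so please confirm it is unsigned like `length` (size_t), otherwise the comparison goes through a sign conversion; and the added line is indented deeper than the `||` above it, so align it with the other operands of the condition. A short comment above the check naming CVE-2010-0624 and the invariant (the server must never return more than `length` bytes) would help future readers.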