Attachment 867616 Details for Bug 1049703 – Patch from davidz

[patch] Patch from davidz

0001-CVE-2014-0004-Stack-based-buffer-overflow-when-handl.patch (text/plain), 3.29 KB, created by Josh Bressers on 2014-02-25 20:00:24 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Josh Bressers

Created: 2014-02-25 20:00:24 UTC

Size: 3.29 KB

patch

obsolete

>From 4cd35a8db2c6a0b94218a89cb183f50e8550de0e Mon Sep 17 00:00:00 2001
>From: David Zeuthen <zeuthen@gmail.com>
>Date: Wed, 12 Feb 2014 20:01:41 -0800
>Subject: [PATCH] CVE-2014-0004: Stack-based buffer overflow when handling long
> path names
>
>Fix this by being more careful when parsing strings.
>
>Acknowledgements: This issue was discovered by Florian Weimer of the
>Red Hat Product Security Team.
>
>Signed-off-by: David Zeuthen <zeuthen@gmail.com>
>---
> src/udisksmountmonitor.c | 21 +++++++++++++--------
> 1 file changed, 13 insertions(+), 8 deletions(-)
>
>diff --git a/src/udisksmountmonitor.c b/src/udisksmountmonitor.c
>index 8af1028..77cf94c 100644
>--- a/src/udisksmountmonitor.c
>+++ b/src/udisksmountmonitor.c
>@@ -416,8 +416,8 @@ udisks_mount_monitor_get_mountinfo (UDisksMountMonitor  *monitor,
>       guint mount_id;
>       guint parent_id;
>       guint major, minor;
>-      gchar encoded_root[PATH_MAX];
>-      gchar encoded_mount_point[PATH_MAX];
>+      gchar encoded_root[4096];
>+      gchar encoded_mount_point[4096];
>       gchar *mount_point;
>       dev_t dev;
> 
>@@ -425,7 +425,7 @@ udisks_mount_monitor_get_mountinfo (UDisksMountMonitor  *monitor,
>         continue;
> 
>       if (sscanf (lines[n],
>-                  "%d %d %d:%d %s %s",
>+                  "%d %d %d:%d %4095s %4095s",
>                   &mount_id,
>                   &parent_id,
>                   &major,
>@@ -436,6 +436,8 @@ udisks_mount_monitor_get_mountinfo (UDisksMountMonitor  *monitor,
>           udisks_warning ("Error parsing line '%s'", lines[n]);
>           continue;
>         }
>+      encoded_root[sizeof encoded_root - 1] = '\0';
>+      encoded_mount_point[sizeof encoded_mount_point - 1] = '\0';
> 
>       /* Temporary work-around for btrfs, see
>        *
>@@ -450,15 +452,17 @@ udisks_mount_monitor_get_mountinfo (UDisksMountMonitor  *monitor,
>           sep = strstr (lines[n], " - ");
>           if (sep != NULL)
>             {
>-              gchar fstype[PATH_MAX];
>-              gchar mount_source[PATH_MAX];
>+              gchar fstype[4096];
>+              gchar mount_source[4096];
>               struct stat statbuf;
> 
>-              if (sscanf (sep + 3, "%s %s", fstype, mount_source) != 2)
>+              if (sscanf (sep + 3, "%4095s %4095s", fstype, mount_source) != 2)
>                 {
>                   udisks_warning ("Error parsing things past - for '%s'", lines[n]);
>                   continue;
>                 }
>+              fstype[sizeof fstype - 1] = '\0';
>+              mount_source[sizeof mount_source - 1] = '\0';
> 
>               if (g_strcmp0 (fstype, "btrfs") != 0)
>                 continue;
>@@ -546,7 +550,7 @@ udisks_mount_monitor_get_swaps (UDisksMountMonitor  *monitor,
>   lines = g_strsplit (contents, "\n", 0);
>   for (n = 0; lines[n] != NULL; n++)
>     {
>-      gchar filename[PATH_MAX];
>+      gchar filename[4096];
>       struct stat statbuf;
>       dev_t dev;
> 
>@@ -557,11 +561,12 @@ udisks_mount_monitor_get_swaps (UDisksMountMonitor  *monitor,
>       if (strlen (lines[n]) == 0)
>         continue;
> 
>-      if (sscanf (lines[n], "%s", filename) != 1)
>+      if (sscanf (lines[n], "%4095s", filename) != 1)
>         {
>           udisks_warning ("Error parsing line '%s'", lines[n]);
>           continue;
>         }
>+      filename[sizeof filename - 1] = '\0';
> 
>       if (stat (filename, &statbuf) != 0)
>         {
>-- 
>1.8.5.3
>

Actions: View | Diff

Attachments on bug 1049703: 867616