204f08495a
Resolves: #1074459, CVE-2014-0004
97 lines
3.3 KiB
Diff
97 lines
3.3 KiB
Diff
From 4cd35a8db2c6a0b94218a89cb183f50e8550de0e Mon Sep 17 00:00:00 2001
|
|
From: David Zeuthen <zeuthen@gmail.com>
|
|
Date: Wed, 12 Feb 2014 20:01:41 -0800
|
|
Subject: [PATCH] CVE-2014-0004: Stack-based buffer overflow when handling long
|
|
path names
|
|
|
|
Fix this by being more careful when parsing strings.
|
|
|
|
Acknowledgements: This issue was discovered by Florian Weimer of the
|
|
Red Hat Product Security Team.
|
|
|
|
Signed-off-by: David Zeuthen <zeuthen@gmail.com>
|
|
---
|
|
src/udisksmountmonitor.c | 21 +++++++++++++--------
|
|
1 file changed, 13 insertions(+), 8 deletions(-)
|
|
|
|
diff --git a/src/udisksmountmonitor.c b/src/udisksmountmonitor.c
|
|
index 8af1028..77cf94c 100644
|
|
--- a/src/udisksmountmonitor.c
|
|
+++ b/src/udisksmountmonitor.c
|
|
@@ -416,8 +416,8 @@ udisks_mount_monitor_get_mountinfo (UDisksMountMonitor *monitor,
|
|
guint mount_id;
|
|
guint parent_id;
|
|
guint major, minor;
|
|
- gchar encoded_root[PATH_MAX];
|
|
- gchar encoded_mount_point[PATH_MAX];
|
|
+ gchar encoded_root[4096];
|
|
+ gchar encoded_mount_point[4096];
|
|
gchar *mount_point;
|
|
dev_t dev;
|
|
|
|
@@ -425,7 +425,7 @@ udisks_mount_monitor_get_mountinfo (UDisksMountMonitor *monitor,
|
|
continue;
|
|
|
|
if (sscanf (lines[n],
|
|
- "%d %d %d:%d %s %s",
|
|
+ "%d %d %d:%d %4095s %4095s",
|
|
&mount_id,
|
|
&parent_id,
|
|
&major,
|
|
@@ -436,6 +436,8 @@ udisks_mount_monitor_get_mountinfo (UDisksMountMonitor *monitor,
|
|
udisks_warning ("Error parsing line '%s'", lines[n]);
|
|
continue;
|
|
}
|
|
+ encoded_root[sizeof encoded_root - 1] = '\0';
|
|
+ encoded_mount_point[sizeof encoded_mount_point - 1] = '\0';
|
|
|
|
/* Temporary work-around for btrfs, see
|
|
*
|
|
@@ -450,15 +452,17 @@ udisks_mount_monitor_get_mountinfo (UDisksMountMonitor *monitor,
|
|
sep = strstr (lines[n], " - ");
|
|
if (sep != NULL)
|
|
{
|
|
- gchar fstype[PATH_MAX];
|
|
- gchar mount_source[PATH_MAX];
|
|
+ gchar fstype[4096];
|
|
+ gchar mount_source[4096];
|
|
struct stat statbuf;
|
|
|
|
- if (sscanf (sep + 3, "%s %s", fstype, mount_source) != 2)
|
|
+ if (sscanf (sep + 3, "%4095s %4095s", fstype, mount_source) != 2)
|
|
{
|
|
udisks_warning ("Error parsing things past - for '%s'", lines[n]);
|
|
continue;
|
|
}
|
|
+ fstype[sizeof fstype - 1] = '\0';
|
|
+ mount_source[sizeof mount_source - 1] = '\0';
|
|
|
|
if (g_strcmp0 (fstype, "btrfs") != 0)
|
|
continue;
|
|
@@ -546,7 +550,7 @@ udisks_mount_monitor_get_swaps (UDisksMountMonitor *monitor,
|
|
lines = g_strsplit (contents, "\n", 0);
|
|
for (n = 0; lines[n] != NULL; n++)
|
|
{
|
|
- gchar filename[PATH_MAX];
|
|
+ gchar filename[4096];
|
|
struct stat statbuf;
|
|
dev_t dev;
|
|
|
|
@@ -557,11 +561,12 @@ udisks_mount_monitor_get_swaps (UDisksMountMonitor *monitor,
|
|
if (strlen (lines[n]) == 0)
|
|
continue;
|
|
|
|
- if (sscanf (lines[n], "%s", filename) != 1)
|
|
+ if (sscanf (lines[n], "%4095s", filename) != 1)
|
|
{
|
|
udisks_warning ("Error parsing line '%s'", lines[n]);
|
|
continue;
|
|
}
|
|
+ filename[sizeof filename - 1] = '\0';
|
|
|
|
if (stat (filename, &statbuf) != 0)
|
|
{
|
|
--
|
|
1.8.5.3
|
|
|