Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Evergreen:11.1:kernel-2.6.32
cpio
cpio-2.9-heap_overflow_in_rtapelib.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File cpio-2.9-heap_overflow_in_rtapelib.patch of Package cpio
From 9bc39283e4cc6ab9e5913ccbf766998eab4ff093 Mon Sep 17 00:00:00 2001 From: Sergey Poznyakoff <gray@gnu.org.ua> Date: Mon, 01 Mar 2010 08:49:03 +0000 Subject: Bugfixes in rtapelib * lib/rmt.h (rmtcreat): Use fcntl O_ macros insead of their hardcoded values. * lib/rtapelib.c (rmt_read__,rmt_ioctl__): Prevent potential overflow. --- Index: cpio-2.9/lib/rmt.h =================================================================== --- cpio-2.9.orig/lib/rmt.h 2007-06-27 15:49:45.000000000 +0200 +++ cpio-2.9/lib/rmt.h 2010-08-12 14:13:02.000000000 +0200 @@ -61,7 +61,7 @@ extern bool force_local_option; #define rmtcreat(dev_name, mode, command) \ (_remdev (dev_name) \ - ? rmt_open__ (dev_name, 1 | O_CREAT, __REM_BIAS, command) \ + ? rmt_open__ (dev_name, O_CREAT | O_WRONLY, __REM_BIAS, command) \ : creat (dev_name, mode)) #define rmtlstat(dev_name, muffer) \ Index: cpio-2.9/lib/rtapelib.c =================================================================== --- cpio-2.9.orig/lib/rtapelib.c 2010-08-12 14:11:45.000000000 +0200 +++ cpio-2.9/lib/rtapelib.c 2010-08-12 14:13:02.000000000 +0200 @@ -570,7 +570,8 @@ rmt_read__ (int handle, char *buffer, si sprintf (command_buffer, "R%lu\n", (unsigned long) length); if (do_command (handle, command_buffer) == -1 - || (status = get_status (handle)) == SAFE_READ_ERROR) + || (status = get_status (handle)) == SAFE_READ_ERROR + || status > length) return SAFE_READ_ERROR; for (counter = 0; counter < status; counter += rlen, buffer += rlen) @@ -706,6 +707,12 @@ rmt_ioctl__ (int handle, int operation, || (status = get_status (handle), status == -1)) return -1; + if (status > sizeof (struct mtop)) + { + errno = EOVERFLOW; + return -1; + } + for (; status > 0; status -= counter, argument += counter) { counter = safe_read (READ_SIDE (handle), argument, status);
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor