Re: gzip memory corruption

From: Xin LI (delphij@delphij.net)
Date: Wed Jul 08 2009 - 19:05:44 CDT



Hi,

Xin LI wrote:
> Eygene Ryabinkin wrote:
>> Wed, Jul 08, 2009 at 10:33:39PM +0300, rrl wrote:
>>> I run FreeBSD 7.2 and gzip doesn't handle a long suffix name correctly
>>> with the -S option.
>>>> gzip -S `perl -e 'print "A"x1200'` dummy_file
>>> Memory fault (core dumped)
>>>
>>> The offending code lies in the function file_compress:
>>>> /* Add (usually) .gz to filename */
>>>> if ((size_t)snprintf(outfile, outsize, "%s%s",
>>>> file, suffixes[0].zipped) >= outsize)
>>>> memcpy(outfile - suffixes[0].ziplen - 1,
>>>> suffixes[0].zipped, suffixes[0].ziplen + 1);
>> The memcpy() call looks like complete madness: it will write before
>> the beginning of the 'outfile', so it will be a buffer underflow in any
>> case (unless I am terribly mistaken and missing some obvious point).
>
>> I'd change the above code to warn and return if snprintf would discard
>> some trailing characters; the patch is attached.

I have attached another possible fix, which catches the problem when
parsing the command line. The point is that I think we really want to
catch bad input as early as possible.

If there are no objections, I would request approval from re.

Cheers,
--
Xin LI <delphij@delphij.net> http://www.delphij.net/
FreeBSD - The Power to Serve!

Index: gzip.c
===================================================================
--- gzip.c (版本 195435)
+++ gzip.c (工作副本)
-372,6 +372,8
                 case 'S':
                         len = strlen(optarg);
                         if (len != 0) {
+ if (len >= PATH_MAX)
+ errx(1, "incorrect suffix: '%s'", optarg);
                                 suffixes[0].zipped = optarg;
                                 suffixes[0].ziplen = len;
                         } else {
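Review bot: the new `len >= PATH_MAX` check rejects an over-long -S suffix at option-parsing time, but the memcpy() quoted at the top of the thread still executes whenever snprintf() truncates, and that also happens with a short suffix and a long file name, so the write before 'outfile' that Eygene describes stays reachable; combine this check with his warn-and-return in file_compress rather than relying on either alone. A smaller point: `errx(1, "incorrect suffix: '%s'", optarg)` tells the user nothing about why the suffix was refused; "suffix too long" (and printing the limit) would make the failure self-explanatory.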
