Re: gzip memory corruption
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

After talking with Matthew Green (the author of NetBSD) it seems that it
would be more reasonable to fix the bug itself than breaking upon
receipt. Here is the patch.

Regarding the suffix prompt, give me some time to think about it. At
the beginning I just matched GNU gzip's behavior, but they cover when
the -S is specified when decompressing, which we don't care about, so it
might be reasonable for us to explicitly say it's too long.

Cheers,
- --
Xin LI <delphij@xxxxxxxxxxx> http://www.delphij.net/
FreeBSD - The Power to Serve!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (FreeBSD)

iEYEARECAAYFAkpyhGoACgkQi+vbBBjt66Bk3wCfT0w2DQipG05hksUv9r/CPioo
s4IAni8otQHmNOxticY23JqzevzsDeBL
=JzTo
-----END PGP SIGNATURE-----
Index: gzip.c
===================================================================
--- gzip.c (revision 195945)
+++ gzip.c (working copy)
@@ -150,6 +150,8 @@
};
#define NUM_SUFFIXES (sizeof suffixes / sizeof suffixes[0])

+#define SUFFIX_MAXLEN 30
+
static const char gzip_version[] = "FreeBSD gzip 20090621";

#ifndef SMALL
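Review bot: SUFFIX_MAXLEN 30 is an unexplained magic number, and the only thing that makes it safe is that it stays smaller than the outfile buffer used by the snprintf/memcpy fallback later in the patch, which this hunk never mentions. Put that invariant in a comment beside the define, e.g. `/* must stay below outsize of the outfile buffer; see the memcpy fallback */`, so whoever resizes either side sees the coupling.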
@@ -372,6 +374,8 @@
case 'S':
len = strlen(optarg);
if (len != 0) {
+ if (len > SUFFIX_MAXLEN)
+ errx(1, "incorrect suffix: '%s'", optarg);
suffixes[0].zipped = optarg;
suffixes[0].ziplen = len;
} else {
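Review bot: the new check rejects an over-long -S argument with the generic "incorrect suffix" message, which does not tell the user what was wrong with it; since this branch is specifically a length limit, say so, e.g. `errx(1, "suffix too long (max %d): '%s'", SUFFIX_MAXLEN, optarg);`. Rejecting at option parsing rather than at the memcpy site is the right place for it, but it only covers -S: the default entries in suffixes[] are not visible in this hunk, so confirm they are also shorter than the outfile buffer, otherwise the memcpy fallback below can still compute a target before the buffer.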
@@ -1236,7 +1240,7 @@
/* Add (usually) .gz to filename */
if ((size_t)snprintf(outfile, outsize, "%s%s",
file, suffixes[0].zipped) >= outsize)
- memcpy(outfile - suffixes[0].ziplen - 1,
+ memcpy(outfile + outsize - suffixes[0].ziplen - 1,
suffixes[0].zipped, suffixes[0].ziplen + 1);

#ifndef SMALL
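Review bot: the corrected target `outfile + outsize - suffixes[0].ziplen - 1` is inside the buffer only when outsize is at least ziplen + 1, and nothing at this site checks that; the old expression subtracted from outfile itself and so always pointed before the buffer, and the new one degrades to the same underflow if outsize is ever smaller than the suffix. Either assert the invariant here or state in a comment that the -S length check and the default suffixes guarantee it. Also worth documenting the truncation behaviour: snprintf has already filled the buffer with as much of the base name as fits, and the memcpy overwrites its tail with the suffix plus the terminating NUL, so a long input name silently produces a shorter, different output name rather than an error; if that is intended, say so next to the memcpy, otherwise failing as the -S case does would be safer.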
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
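As an added example (not the patch's code and not the FreeBSD gzip source), the following stand-alone C reconstructs the suffix-append step with the patched memcpy target, and adds the guard the patch leaves implicit: outsize must be at least one byte larger than the suffix so that `outfile + outsize - ziplen - 1` stays inside the buffer. It also exposes the pre-patch target as an offset from the start of the buffer, so the out-of-bounds write can be seen without performing it. The function names `append_suffix`, `prepatch_offset` and `check_append`, the buffer sizes and the sample file names are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Same limit as the patch; only safe while it stays below every
 * outsize passed to append_suffix(). */
#define SUFFIX_MAXLEN 30

/* Patched behaviour, reconstructed (hypothetical, not gzip's code):
 * write "<file><suffix>" into outfile[outsize]. If it does not fit,
 * keep the suffix intact at the tail and truncate the base name.
 * Returns 0 on success, -1 when outsize cannot even hold the suffix
 * plus NUL, which is exactly the case where the memcpy target would
 * be computed before the start of the buffer. */
int append_suffix(char *outfile, size_t outsize, const char *file, const char *suffix)
{
    size_t ziplen = strlen(suffix);

    if (ziplen > SUFFIX_MAXLEN || outsize < ziplen + 1)
        return -1;

    /* snprintf truncates and NUL-terminates; its return value is the
     * length the full string would have had. */
    if ((size_t)snprintf(outfile, outsize, "%s%s", file, suffix) >= outsize)
        memcpy(outfile + outsize - ziplen - 1, suffix, ziplen + 1);

    return 0;
}

/* Pre-patch target expressed as an offset from outfile instead of a
 * pointer: (outfile - ziplen - 1) - outfile. It is negative for any
 * suffix, i.e. the old memcpy always wrote before the buffer. */
ptrdiff_t prepatch_offset(const char *suffix)
{
    return -(ptrdiff_t)strlen(suffix) - 1;
}

/* Test helper: run append_suffix() into a local buffer of the given
 * size (at most 64) and compare with the expected output.
 * Returns 1 on match, 0 on mismatch, -1 if append_suffix() refused. */
int check_append(size_t outsize, const char *file, const char *suffix, const char *expect)
{
    char buf[64];

    if (outsize > sizeof buf)
        return 0;
    memset(buf, 'X', sizeof buf);            /* poison so truncation is visible */
    if (append_suffix(buf, outsize, file, suffix) != 0)
        return -1;
    return strcmp(buf, expect) == 0 && strlen(buf) < outsize;
}

int main(void)
{
    char out[16];

    /* Fits: nothing special happens. */
    append_suffix(out, sizeof out, "short", ".gz");
    printf("%s\n", out);

    /* Does not fit: base name is cut so that ".gz" survives at the end. */
    append_suffix(out, sizeof out, "averyveryverylongname", ".gz");
    printf("%s\n", out);

    /* Where the old code would have written for ".gz". */
    printf("pre-patch offset: %td\n", prepatch_offset(".gz"));
    return 0;
}
```

The second call is the interesting one: with a 16-byte buffer, a 21-character name and ".gz", snprintf reports 24 and truncates, and the memcpy then lands at offset 12, replacing the last three characters of the cut name with the suffix. The result is a valid, in-bounds, NUL-terminated name, but not the one the user asked for, which is the trade-off the patch makes.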
