nixpkgs/pkgs/tools/misc/dtach/fix-CVE-2012-3368.patch
2015-07-15 18:19:46 +02:00

49 lines
1.4 KiB
Diff

Fix error handling for read from stdin in attach.c
attach.c did not correctly handle a read from stdin when read returned
an error. The code assigned the return value of read to pkt.len (an
unsigned char) before checking the value. This prevented the error check
from working correctly, since an unsigned integer can never be < 0.
A packet with an invalid length was then sent to the master, which then
sent 255 bytes of garbage to the program.
Fix the bug in attach.c and the unchecked packet length bug in master.c.
Report and initial patch by Enrico Scholz.
--- a/master.c 2012/07/01 21:26:10 1.14
+++ b/master.c 2012/07/01 21:44:34 1.15
@@ -351,7 +351,10 @@
/* Push out data to the program. */
if (pkt.type == MSG_PUSH)
- write(the_pty.fd, pkt.u.buf, pkt.len);
+ {
+ if (pkt.len <= sizeof(pkt.u.buf))
+ write(the_pty.fd, pkt.u.buf, pkt.len);
+ }
/* Attach or detach from the program. */
else if (pkt.type == MSG_ATTACH)
--- a/attach.c 2012/07/01 21:26:10 1.12
+++ b/attach.c 2012/07/01 21:44:34 1.13
@@ -237,12 +237,16 @@
/* stdin activity */
if (n > 0 && FD_ISSET(0, &readfds))
{
+ ssize_t len;
+
pkt.type = MSG_PUSH;
memset(pkt.u.buf, 0, sizeof(pkt.u.buf));
- pkt.len = read(0, pkt.u.buf, sizeof(pkt.u.buf));
+ len = read(0, pkt.u.buf, sizeof(pkt.u.buf));
- if (pkt.len <= 0)
+ if (len <= 0)
exit(1);
+
+ pkt.len = len;
process_kbd(s, &pkt);
n--;
}