bug-cpio
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Bug-cpio] [PATCH] fix 1-byte out-of-bounds write


From: Pavel Raiskup
Subject: Re: [Bug-cpio] [PATCH] fix 1-byte out-of-bounds write
Date: Tue, 11 Apr 2017 12:32:18 +0200

On Thursday, April 6, 2017 3:01:46 PM CEST Kristýna Streitová wrote:
> Thank you for it. I have just small comments on your patch:
> 
> 1) It seems that the first hunk slightly changes the logic.
> Before your patch, the 'is_tar_filename_too_long()' function was called
> for tar and ustar archives only but now it's called for all archive types.

good catch.  It looked like a typo to me before (that non-tar archives were not
checked), but looking more precisely -- I would say it is useless check.
Previously there was comment:

  /* Debian hack: file_hrd.c_name is sometimes set to
     point to static memory by code in tar.c.  This
     causes a segfault.  This has been fixed and an
     additional check to ensure that the file name
     is not too long has been added.  (Reported by
     Horst Knobloch.)  This bug has been reported to
     "address@hidden". (99/1/6) -BEM */

I'm not sure what the "additional check" note talks about, and I'm not
able to find the original report from 1999 ...

Because --rename and --rename-batch-file is valid for copy-in mode, I
think removing the check is completely safe.

> As this function checks whether the filename is too long to fit in a tar
> header, it should be called for tar/ustar archives only, I believe.
> 
> 2) It's just a small thing but it seems that you forgot to use your new
> 'cpio_set_c_name()' function for 'file_hdr.c_name = CPIO_TRAILER_NAME'
> in the copyout.c file.

That's almost before exit(), but let's be consistent ... thanks for the
review.

Pavel

> Best regards,
> Kristyna Streitova
> 

Attachment: 0001-CVE-2016-2037-1-byte-out-of-bounds-write.patch
Description: Text Data


reply via email to

[Prev in Thread] Current Thread [Next in Thread]