Re: [PATCH] find: fix potential buffer overflow in -execdir and -okdir

[James Youngman]

Thanks, I applied this directly (since you already have a copyright
assignment for findutils).

Sorry about the delay.

James.


On Thu, May 16, 2013 at 12:48 AM, Dmitry V. Levin <address@hidden> wrote:
> * lib/buildcmd.c (bc_push_arg): Take prefix length into account
> to avoid state->argbuf overflow.
> * NEWS: Mention this fix.
> ---
>
> It would be a security issue if one could control factors triggering this
> bug, which include a directory with thousands of files.
>
>  ChangeLog      | 7 +++++++
>  NEWS           | 2 ++
>  lib/buildcmd.c | 2 +-
>  3 files changed, 10 insertions(+), 1 deletion(-)
>
> diff --git a/ChangeLog b/ChangeLog
> index e6914ff..7b4f3e0 100644
> --- a/ChangeLog
> +++ b/ChangeLog
> @@ -1,3 +1,10 @@
> +2013-05-15  Dmitry V. Levin  <address@hidden>
> +
> +       find: fix potential buffer overflow in -execdir and -okdir.
> +       * lib/buildcmd.c (bc_push_arg): Take prefix length into account
> +       to avoid state->argbuf overflow.
> +       * NEWS: Mention this fix.
> +
>  2013-04-22  Paul Eggert  <address@hidden>
>
>         More removal of support for -perm +MODE.
> diff --git a/NEWS b/NEWS
> index 4349a21..010ba6e 100644
> --- a/NEWS
> +++ b/NEWS
> @@ -30,6 +30,8 @@ The documentation for xargs now warns about parallel 
> processes (xargs
>  Some bugs in 4.5.11 were fixed without adding them to the bug
>  database, though they are in the ChangeLog:
>
> +*** find -execdir/-okdir potential buffer overflow.
> +
>  *** Use of [[ ... ]] in find/testsuite/sv-bug-32043.sh
>
>  *** Don't delete header files in "lib/" for "make clean".
> diff --git a/lib/buildcmd.c b/lib/buildcmd.c
> index d135692..2616ed6 100644
> --- a/lib/buildcmd.c
> +++ b/lib/buildcmd.c
> @@ -364,7 +364,7 @@ bc_push_arg (struct buildcmd_control *ctl,
>
>    if (!terminate)
>      {
> -      if (state->cmd_argv_chars + len > ctl->arg_max)
> +      if (state->cmd_argv_chars + len + pfxlen > ctl->arg_max)
>          {
>            if (initial_args || state->cmd_argc == ctl->initial_argc)
>              error (EXIT_FAILURE, 0,
>
> --
> ldv



-- 
--
This email is intended solely for the use of its addressee, sender,
and any readers of a mailing list archive in which it happens to
appear.   If you have received this email in error, please say or type
three times, "I believe in the utility of email disclaimers," and then
reply to the author correcting any spellings (and, optionally, any
incorrect spellings), accompanying these with humorous jests about the
author's parentage.   If you are not the addressee, you are
nevertheless permitted to both copy and forward this email since
without such permissions email systems are unable to transmit email to
anybody, intended recipient or not.  To those still reading by this
point, the author would like to apologise for being unable to maintain
a consistent level of humour throughout this disclaimer.  Contents may
settle during transit.  Do not feed the animals.