Partially fix CVE-2014-9112, part 4/5. Backported to 2.11.
From fd262d116c4564c1796be9be2799619cf7785d07 Mon Sep 17 00:00:00 2001
From: Sergey Poznyakoff
Date: Thu, 11 Dec 2014 10:51:21 +0000
Subject: Fix error recovery in copy-in mode
* src/copyin.c (copyin_link): Fix null dereference. (read_in_header): Fix error recovery (bug introduced by 27e0ae55).
* tests/symlink-bad-length.at: Test error recovery. Catch various architecture-dependent error messages (suggested by Pavel Raiskup).
---
diff --git a/src/copyin.c b/src/copyin.c
index 264bfcb..ca12356 100644
--- a/src/copyin.c
+++ b/src/copyin.c
@@ -655,7 +655,7 @@ copyin_device (struct cpio_file_stat* file_hdr)
 }
 static void
-copyin_link(struct cpio_file_stat *file_hdr, int in_file_des)
+copyin_link (struct cpio_file_stat *file_hdr, int in_file_des)
 {
 char *link_name = NULL; /* Name of hard and symbolic links. */
 int res; /* Result of various function calls. */
@@ -666,6 +666,8 @@ copyin_link(struct cpio_file_stat *file_
 if (archive_format != arf_tar && archive_format != arf_ustar)
 {
 link_name = get_link_name (file_hdr, in_file_des);
+ if (!link_name)
+ return;
 }
 else
 {
@@ -1017,7 +1019,7 @@ read_in_header (struct cpio_file_stat *file_hdr, int in_des)
 file_hdr->c_tar_linkname = NULL;
- tape_buffered_read (magic.str, in_des, 6L);
+ tape_buffered_read (magic.str, in_des, sizeof (magic.str));
 while (1)
 {
 if (append_flag)
@@ -1062,8 +1064,8 @@ read_in_header (struct cpio_file_stat *file_hdr, int in_des)
 break;
 }
 bytes_skipped++;
- memmove (magic.str, magic.str + 1, 5);
- tape_buffered_read (magic.str, in_des, 1L);
+ memmove (magic.str, magic.str + 1, sizeof (magic.str) - 1);
+ tape_buffered_read (magic.str + sizeof (magic.str) - 1, in_des, 1L);
 }
 }
diff --git a/tests/symlink-bad-length.at b/tests/symlink-bad-length.at
index cbf4aa7..4dbeaa3 100644
--- a/tests/symlink-bad-length.at
+++ b/tests/symlink-bad-length.at
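Review bot: The new `return` in copyin_link abandons the entry without any diagnostic at this point, and the hunk gives no hint whether get_link_name has already reported the failure or where the archive stream is left positioned for the next header; a comment such as `/* get_link_name has already reported the error; skip this entry.  */` would make that contract explicit, assuming that is indeed what get_link_name does (not visible here). The remainder of copyin_link's body, including the code that dereferenced the NULL link_name before this change, lies outside the hunk.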
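Review bot: The window slide in the resynchronisation loop deserves a comment, because pairing the `memmove` with a read into the last slot is exactly what 27e0ae55 got wrong (the old code read the new byte into `magic.str[0]`, overwriting the byte just shifted there): `/* Drop the oldest byte and append the next archive byte, keeping the window full.  */`. Both this hunk and the earlier `tape_buffered_read (magic.str, in_des, sizeof (magic.str))` rely on `magic.str` being a true array so that `sizeof` yields the window length; its declaration is outside the hunk, so presumably it is the six-byte buffer the old literals `6L` and `5` referred to, which is worth confirming. Whether tape_buffered_read itself terminates on EOF or a short read is not visible here either; if it returns, the junk-skipping loop is bounded only by the end of the archive. read_in_header's body continues outside the hunk.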
@@ -24,9 +24,9 @@ AT_SETUP([symlink-bad-length])
 AT_KEYWORDS([symlink-long copyout])
 AT_DATA([ARCHIVE.base64],
-[x3EjAIBAtIEtJy8nAQAAAHRUYW0FAAAADQBGSUxFAABzb21lIGNvbnRlbnQKAMdxIwBgQ/+hLScv
-JwEAAAB0VEhuBQD/////TElOSwAARklMRcdxAAAAAAAAAAAAAAEAAAAAAAAACwAAAAAAVFJBSUxF
-UiEhIQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+[x3ECCJ1jtIHoA2QAAQAAAIlUwl0FAAAADQBGSUxFAABzb21lIGNvbnRlbnQKAMdxAgidHv+h6ANk
+AAEAAACJVHFtBQD/////TElOSwAARklMRcdxAgieHqSB6ANkAAEAAACJVDJuBgAAABIARklMRTIA
+c29tZSBtb3JlIGNvbnRlbnQKx3EAAAAAAAAAAAAAAQAAAAAAAAALAAAAAABUUkFJTEVSISEhAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
@@ -37,13 +37,23 @@ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
 AT_CHECK([
 base64 -d ARCHIVE.base64 > ARCHIVE || AT_SKIP_TEST
-cpio -ntv < ARCHIVE
-test $? -eq 2
+TZ=UTC cpio -ntv < ARCHIVE 2>stderr
+rc=$?
+cat stderr | grep -v \ -e 'stored filename length is out of range' \ -e 'premature end of file' \ -e 'archive header has reverse byte-order' \ -e 'memory exhausted' \ >&2
+echo >&2 STDERR
+test "$rc" -ne 0
 ],
-[0],
-[-rw-rw-r-- 1 10029 10031 13 Nov 25 13:52 FILE
-],[cpio: LINK: stored filename length is out of range
-cpio: premature end of file
+[1],
+[-rw-rw-r-- 1 1000 100 13 Dec 11 09:02 FILE
+-rw-r--r-- 1 1000 100 18 Dec 11 10:13 FILE2
+],[cpio: warning: skipped 4 bytes of junk
+1 block
+STDERR
 ])
 AT_CLEANUP
--
cgit v0.9.0.2
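Review bot: The exit-status check in the second hunk is inverted relative to the expected output: `test "$rc" -ne 0` is the last command of the AT_CHECK block, so the block exits with the expected `[1]` only when cpio itself returned 0, which is what the expected stderr (`cpio: warning: skipped 4 bytes of junk`, `1 block`) and the listing of both FILE and FILE2 describe. Either expect `[0]` and write `test "$rc" -eq 0`, or drop the rc juggling and let the cpio invocation's own status be the block's status; as written the test passes for the opposite reason from what the line says. Minor style: `cat stderr | grep -v ...` can be `grep -v ... stderr`, and `grep -v` exits 1 when it filters every line, which is harmless here only because `echo` and `test` follow it.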