diff options
Diffstat (limited to 'recipes-extended/glusterfs/files/0001-dict-handle-negative-key-value-length-while-unserial.patch')
-rw-r--r-- | recipes-extended/glusterfs/files/0001-dict-handle-negative-key-value-length-while-unserial.patch | 39 |
1 files changed, 0 insertions, 39 deletions
diff --git a/recipes-extended/glusterfs/files/0001-dict-handle-negative-key-value-length-while-unserial.patch b/recipes-extended/glusterfs/files/0001-dict-handle-negative-key-value-length-while-unserial.patch deleted file mode 100644 index cb3400b..0000000 --- a/recipes-extended/glusterfs/files/0001-dict-handle-negative-key-value-length-while-unserial.patch +++ /dev/null | |||
@@ -1,39 +0,0 @@ | |||
1 | From 428ee988df7d6cbe6e18becffcee5cdfb0fa9d17 Mon Sep 17 00:00:00 2001 | ||
2 | From: Amar Tumballi <amarts@redhat.com> | ||
3 | Date: Tue, 24 Jul 2018 13:25:12 +0530 | ||
4 | Subject: [PATCH 1/7] dict: handle negative key/value length while unserialize | ||
5 | |||
6 | Fixes: bz#1625089 | ||
7 | Change-Id: Ie56df0da46c242846a1ba51ccb9e011af118b119 | ||
8 | Signed-off-by: Amar Tumballi <amarts@redhat.com> | ||
9 | |||
10 | Upstream-Status: Backport | ||
11 | |||
12 | Fix CVE-2018-10911 | ||
13 | |||
14 | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> | ||
15 | --- | ||
16 | libglusterfs/src/dict.c | 7 +++++++ | ||
17 | 1 file changed, 7 insertions(+) | ||
18 | |||
19 | diff --git a/libglusterfs/src/dict.c b/libglusterfs/src/dict.c | ||
20 | index 839b426..ac0a677 100644 | ||
21 | --- a/libglusterfs/src/dict.c | ||
22 | +++ b/libglusterfs/src/dict.c | ||
23 | @@ -2751,6 +2751,13 @@ dict_unserialize (char *orig_buf, int32_t size, dict_t **fill) | ||
24 | vallen = ntoh32 (hostord); | ||
25 | buf += DICT_DATA_HDR_VAL_LEN; | ||
26 | |||
27 | + if ((keylen < 0) || (vallen < 0)) { | ||
28 | + gf_msg_callingfn ("dict", GF_LOG_ERROR, 0, | ||
29 | + LG_MSG_UNDERSIZED_BUF, | ||
30 | + "undersized length passed " | ||
31 | + "key:%d val:%d", keylen, vallen); | ||
32 | + goto out; | ||
33 | + } | ||
34 | if ((buf + keylen) > (orig_buf + size)) { | ||
35 | gf_msg_callingfn ("dict", GF_LOG_ERROR, 0, | ||
36 | LG_MSG_UNDERSIZED_BUF, | ||
37 | -- | ||
38 | 2.7.4 | ||
39 | |||