path: root/meta/recipes-devtools/squashfs-tools/squashfs-tools/squashfs-4.2-fix-CVE-2012-4024.patch
blob: 52af60206aaba73bd682553138d09994ae6d264e (plain)
From bf9776123b854ce30a21403e4df4d4f5deb6af91 Mon Sep 17 00:00:00 2001
From: "yanjun.zhu" <yanjun.zhu@windriver.com>
Date: Wed, 20 May 2015 18:14:12 +0200
Subject: [PATCH 3/4] Fix CVE-2012-4024

Upstream-Status: Backport

Reference:
https://github.com/plougher/squashfs-tools/commit/19c38fba0be1ce949ab44310d7f49887576cc123

Fix potential stack buffer overflow in get_component() where an
individual pathname component of a path to extract (specified on the
command line or in an extract file) could exceed the 1024-byte
targname buffer allocated on the stack.

Fix by dynamically allocating targname rather than storing it as
a fixed size on the stack.

Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>
Signed-off-by: Martin Jansa <martin.jansa@lge.com>
---
 squashfs-tools/unsquashfs.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/unsquashfs.c b/unsquashfs.c
index d532486..4fc04e8 100644
--- a/unsquashfs.c
+++ b/unsquashfs.c
@@ -1076,15 +1076,18 @@ void squashfs_closedir(struct dir *dir)
 }
 
 
-char *get_component(char *target, char *targname)
+char *get_component(char *target, char **targname)
 {
+	char *start;
+
 	while(*target == '/')
 		target ++;
 
+	start = target;
 	while(*target != '/' && *target!= '\0')
-		*targname ++ = *target ++;
+		target ++;
 
-	*targname = '\0';
+	*targname = strndup(start, target - start);
 
 	return target;
 }
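Review bot: The result of `strndup()` in get_component() is stored into `*targname` without a NULL check, so an allocation failure is passed back to add_path() as a null name. With the 1024-byte stack buffer gone, the component length is bounded only by the input, which makes a failed allocation more reachable than before. The third hunk would then store the null pointer in `paths->name[i].name`, and any later string comparison on it (outside the visible hunks, so presumably) would dereference it. Follow the file's existing out-of-memory convention right after the call: `if(*targname == NULL) EXIT_UNSQUASH("Out of memory in get_component\n");`. A one-line comment above the function stating that the caller owns and must free `*targname` would also document the new contract.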
@@ -1110,12 +1113,12 @@ void free_path(struct pathname *paths)
 
 struct pathname *add_path(struct pathname *paths, char *target, char *alltarget)
 {
-	char targname[1024];
+	char *targname;
 	int i, error;
 
 	TRACE("add_path: adding \"%s\" extract file\n", target);
 
-	target = get_component(target, targname);
+	target = get_component(target, &targname);
 
 	if(paths == NULL) {
 		paths = malloc(sizeof(struct pathname));
@@ -1139,7 +1142,7 @@ struct pathname *add_path(struct pathname *paths, char *target, char *alltarget)
 			sizeof(struct path_entry));
 		if(paths->name == NULL)
 			EXIT_UNSQUASH("Out of memory in add_path\n");	
-		paths->name[i].name = strdup(targname);
+		paths->name[i].name = targname;
 		paths->name[i].paths = NULL;
 		if(use_regex) {
 			paths->name[i].preg = malloc(sizeof(regex_t));
@@ -1172,6 +1175,8 @@ struct pathname *add_path(struct pathname *paths, char *target, char *alltarget)
 		/*
 		 * existing matching entry
 		 */
+		free(targname);
+
 		if(paths->name[i].paths == NULL) {
 			/*
 			 * No sub-directory which means this is the leaf
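Review bot: `free(targname)` at the top of the existing-entry branch leaves a dangling pointer in scope for the rest of that branch, which continues past the end of this hunk. Nothing visible reads it afterwards, but `targname = NULL;` after the free, or a comment such as `/* name already stored in paths->name[i]; drop our copy */`, would make the two ownership outcomes explicit. The new-entry branch hands the buffer to `paths->name[i].name`, while this branch releases it. add_path() starts and ends outside the hunk, so other exit paths could not be checked for a matching free.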
-- 
2.1.4