authorPhillip Lougher <phillip@squashfs.org.uk>2012-12-11 01:20:57 +0000
committerPhillip Lougher <phillip@squashfs.org.uk>2012-12-11 01:20:57 +0000
commit39b1e3a7a347ee5a468148cad59fd17b164d79c0 (patch)
tree66bde24efeed09407b4315e127eac0e8e4042476 /squashfs-tools/pseudo.c
parenta7fd92547c09d4192acf40de34a7658d5be73469 (diff)
downloadsquashfs-tools-39b1e3a7a347ee5a468148cad59fd17b164d79c0.tar.gz
pseudo: fix potential stack overflow in get_component()
This fix is similar to the fix for CVE-2012-4024 raised against unsquashfs, except mksquashfs was not covered by CVE-2012-4024.

Fix potential stack overflow in get_component() where an individual pathname component in a pseudo file (specified on the command line or in a pseudo file) could exceed the 1024 byte sized targname allocated on the stack.

Fix by dynamically allocating targname rather than storing it as a fixed size on the stack.

Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
Diffstat (limited to 'squashfs-tools/pseudo.c')
-rw-r--r--squashfs-tools/pseudo.c17
1 files changed, 11 insertions, 6 deletions
diff --git a/squashfs-tools/pseudo.c b/squashfs-tools/pseudo.c
index 844d70f..ccd3062 100644
--- a/squashfs-tools/pseudo.c
+++ b/squashfs-tools/pseudo.c
@@ -68,15 +68,18 @@ static void dump_pseudo(struct pseudo *pseudo, char *string)
}
-static char *get_component(char *target, char *targname)
+static char *get_component(char *target, char **targname)
{
+ char *start;
+
while(*target == '/')
target ++;
+ start = target;
while(*target != '/' && *target!= '\0')
- *targname ++ = *target ++;
+ target ++;
- *targname = '\0';
+ *targname = strndup(start, target - start);
return target;
}
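Review bot: The result of `strndup(start, target - start)` in get_component() is stored without a NULL check, so an allocation failure replaces the old stack overflow with a NULL pointer handed back to add_pseudo(), which then stores it as the entry name. The file already aborts on allocation failure elsewhere in this diff, so the same pattern fits here: `if(*targname == NULL) BAD_ERROR("failed to allocate pseudo file\n");` placed before `return target;`. A short comment above the function saying that `*targname` is heap-allocated and must be freed or adopted by the caller would also make the new contract explicit.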
@@ -89,10 +92,10 @@ static char *get_component(char *target, char *targname)
struct pseudo *add_pseudo(struct pseudo *pseudo, struct pseudo_dev *pseudo_dev,
char *target, char *alltarget)
{
- char targname[1024];
+ char *targname;
int i;
- target = get_component(target, targname);
+ target = get_component(target, &targname);
if(pseudo == NULL) {
pseudo = malloc(sizeof(struct pseudo));
@@ -115,7 +118,7 @@ struct pseudo *add_pseudo(struct pseudo *pseudo, struct pseudo_dev *pseudo_dev,
sizeof(struct pseudo_entry));
if(pseudo->name == NULL)
BAD_ERROR("failed to allocate pseudo file\n");
- pseudo->name[i].name = strdup(targname);
+ pseudo->name[i].name = targname;
if(target[0] == '\0') {
/* at leaf pathname component */
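Review bot: The assignment `pseudo->name[i].name = targname;` now transfers ownership of the buffer allocated in get_component() instead of copying it, and nothing in the code says so. A comment such as `/* entry takes ownership of targname (allocated by get_component) */` on that line would help. The matching `free(targname);` in the "existing matching entry" branch of the last hunk could carry `/* not stored, so release it here */`. add_pseudo() begins and ends outside these hunks, so any early exit between the get_component() call and these two points should be checked for a leak of targname. The same goes for any later use of targname after the free, which would have been harmless with the old stack array.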
@@ -130,6 +133,8 @@ struct pseudo *add_pseudo(struct pseudo *pseudo, struct pseudo_dev *pseudo_dev,
}
} else {
/* existing matching entry */
+ free(targname);
+
if(pseudo->name[i].pseudo == NULL) {
/* No sub-directory which means this is the leaf
* component of a pre-existing pseudo file.