aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRussell Bryant <russellbryant@users.sourceforge.net>2008-01-06 14:20:04 +0000
committerRussell Bryant <russellbryant@users.sourceforge.net>2008-01-06 14:20:04 +0000
commit7d6f1f3c636989d9d50f1bbc9a4419f69345e514 (patch)
treeaf3aca56c60326670a15306db6c6f07b1581ac03
parent7678586aa3cef8591249fe4369f942ecb342300d (diff)
Fix a security issue.
streamin~ was vulnerable to a remotely exploitable heap buffer overflow that could potentially allow an attacker to execute arbitrary code on a machine that is using streamin~. The issue is that the defined frame header includes a field for frame size which indicates how much additional data is available. However, this frame size was not checked to ensure that it was smaller than the size of the buffer that was allocated to store this data. (one of my patches from issue #1848356) svn path=/trunk/externals/ggee/; revision=9133
-rwxr-xr-xsignal/streamin~.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/signal/streamin~.c b/signal/streamin~.c
index 39446c9..147b732 100755
--- a/signal/streamin~.c
+++ b/signal/streamin~.c
@@ -156,6 +156,12 @@ static void streamin_datapoll(t_streamin *x)
}
ret = recv(x->x_socket, (char*) &x->frames[x->framein].tag,sizeof(t_tag),0);
+ if ((x->frames[x->framein].tag.framesize - sizeof(t_tag)) > MAXFRAMESIZE) {
+ error("streamin~: got an invalid frame size of %d, maximum is %d\n",
+ x->frames[x->framein].tag.framesize, MAXFRAMESIZE);
+ x->frames[x->framein].tag.framesize = MAXFRAMESIZE + sizeof(t_tag);
+ }
+
x->nbytes = n = x->frames[x->framein].tag.framesize;
}