diff options
author | Russell Bryant <russellbryant@users.sourceforge.net> | 2008-01-06 14:20:04 +0000 |
---|---|---|
committer | Russell Bryant <russellbryant@users.sourceforge.net> | 2008-01-06 14:20:04 +0000 |
commit | 7d6f1f3c636989d9d50f1bbc9a4419f69345e514 (patch) | |
tree | af3aca56c60326670a15306db6c6f07b1581ac03 | |
parent | 7678586aa3cef8591249fe4369f942ecb342300d (diff) |
Fix a security issue.
streamin~ was vulnerable to a remotely exploitable heap buffer overflow that
could potentially allow an attacker to execute arbitrary code on a machine
that is using streamin~. The issue is that the defined frame header includes
a field for frame size which indicates how much additional data is available.
However, this frame size was not checked to ensure that it was smaller than
the size of the buffer that was allocated to store this data.
(one of my patches from issue #1848356)
svn path=/trunk/externals/ggee/; revision=9133
-rwxr-xr-x | signal/streamin~.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/signal/streamin~.c b/signal/streamin~.c index 39446c9..147b732 100755 --- a/signal/streamin~.c +++ b/signal/streamin~.c @@ -156,6 +156,12 @@ static void streamin_datapoll(t_streamin *x) }
ret = recv(x->x_socket, (char*) &x->frames[x->framein].tag,sizeof(t_tag),0);
+ if ((x->frames[x->framein].tag.framesize - sizeof(t_tag)) > MAXFRAMESIZE) {
+ error("streamin~: got an invalid frame size of %d, maximum is %d\n",
+ x->frames[x->framein].tag.framesize, MAXFRAMESIZE);
+ x->frames[x->framein].tag.framesize = MAXFRAMESIZE + sizeof(t_tag);
+ }
+
x->nbytes = n = x->frames[x->framein].tag.framesize;
}
|