From 7d6f1f3c636989d9d50f1bbc9a4419f69345e514 Mon Sep 17 00:00:00 2001 From: Russell Bryant Date: Sun, 6 Jan 2008 14:20:04 +0000 Subject: Fix a security issue. streamin~ was vulnerable to a remotely exploitable heap buffer overflow that could potentially allow an attacker to execute arbitrary code on a machine that is using streamin~. The issue is that the defined frame header includes a field for frame size which indicates how much additional data is available. However, this frame size was not checked to ensure that it was smaller than the size of the buffer that was allocated to store this data. (one of my patches from issue #1848356) svn path=/trunk/externals/ggee/; revision=9133 --- signal/streamin~.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'signal') diff --git a/signal/streamin~.c b/signal/streamin~.c index 39446c9..147b732 100755 --- a/signal/streamin~.c +++ b/signal/streamin~.c @@ -156,6 +156,12 @@ static void streamin_datapoll(t_streamin *x) } ret = recv(x->x_socket, (char*) &x->frames[x->framein].tag,sizeof(t_tag),0); + if ((x->frames[x->framein].tag.framesize - sizeof(t_tag)) > MAXFRAMESIZE) { + error("streamin~: got an invalid frame size of %d, maximum is %d\n", + x->frames[x->framein].tag.framesize, MAXFRAMESIZE); + x->frames[x->framein].tag.framesize = MAXFRAMESIZE + sizeof(t_tag); + } + x->nbytes = n = x->frames[x->framein].tag.framesize; } -- cgit v1.2.1