| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 26 Aug 2008 20:57:50 +0300
From: "Volodymyr G. Lukiianyk" <volodymyrgl@...il.com>
To: Greg Ungerer <gerg@...inux.org>
CC: linux-kernel@...r.kernel.org
Subject: Re: [PATCH] uclinux: fix gzip header parsing in binfmt_flat.c
There are off-by-one errors in decompress_exec() when calculating the length of
optional "original file name" and "comment" fields: the "ret" index is not
incremented when terminating '\0' character is reached. The check of the buffer
overflow (after an "extra-field" length was taken into account) is also fixed.
Signed-off-by: Volodymyr G Lukiianyk <volodymyrgl@...il.com>
---
Sorry for repost, looks like I forgot to remove "--color" when saved diff
attached to the previous e-mail.
I've encountered this off-by-one error when tried to reuse gzip-header-parsing
part of the decompress_exec() function. There was an "original file name" field
in the payload (with miscalculated length) and zlib_inflate() returned
Z_DATA_ERROR. But after the fix similar to this one all worked fine.
WARNING: the proposed patch wasn't properly tested.
View attachment "binfmt_flat_decompress_fix.diff" of type "text/x-patch" (926 bytes)
Powered by blists - more mailing lists