lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <48B442C3.2000309@gmail.com>
Date:	Tue, 26 Aug 2008 20:52:03 +0300
From:	"Volodymyr G. Lukiianyk" <volodymyrgl@...il.com>
To:	Greg Ungerer <gerg@...inux.org>
CC:	linux-kernel@...r.kernel.org
Subject: [PATCH] uclinux: fix gzip header parsing in binfmt_flat.c

There are off-by-one errors in decompress_exec() when calculating the length of
optional "original file name" and "comment" fields: the "ret" index is not
incremented when terminating '\0' character is reached. The check of the buffer
overflow (after an "extra-field" length was taken into account) is also fixed.

Signed-off-by: Volodymyr G Lukiianyk <volodymyrgl@...il.com>
---

I've encountered this off-by-one error when tried to reuse gzip-header-parsing
part of the decompress_exec() function. There was an "original file name" field
in the payload (with miscalculated length) and zlib_inflate() returned
Z_DATA_ERROR. But after the fix similar to this one all worked fine.

WARNING: the proposed patch wasn't properly tested.

View attachment "binfmt_flat_decompress_fix.diff" of type "text/x-patch" (1092 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ