lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <48B4441E.5030108@gmail.com>
Date:	Tue, 26 Aug 2008 20:57:50 +0300
From:	"Volodymyr G. Lukiianyk" <volodymyrgl@...il.com>
To:	Greg Ungerer <gerg@...inux.org>
CC:	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] uclinux: fix gzip header parsing in binfmt_flat.c

There are off-by-one errors in decompress_exec() when calculating the length of
optional "original file name" and "comment" fields: the "ret" index is not
incremented when terminating '\0' character is reached. The check of the buffer
overflow (after an "extra-field" length was taken into account) is also fixed.

Signed-off-by: Volodymyr G Lukiianyk <volodymyrgl@...il.com>
---
Sorry for repost, looks like I forgot to remove "--color" when saved diff
attached to the previous e-mail.

I've encountered this off-by-one error when tried to reuse gzip-header-parsing
part of the decompress_exec() function. There was an "original file name" field
in the payload (with miscalculated length) and zlib_inflate() returned
Z_DATA_ERROR. But after the fix similar to this one all worked fine.

WARNING: the proposed patch wasn't properly tested.

View attachment "binfmt_flat_decompress_fix.diff" of type "text/x-patch" (926 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ