Blob Blame History Raw
From 4cd35a8db2c6a0b94218a89cb183f50e8550de0e Mon Sep 17 00:00:00 2001
From: David Zeuthen <zeuthen@gmail.com>
Date: Wed, 12 Feb 2014 20:01:41 -0800
Subject: [PATCH] CVE-2014-0004: Stack-based buffer overflow when handling long
 path names

Fix this by being more careful when parsing strings.

Acknowledgements: This issue was discovered by Florian Weimer of the
Red Hat Product Security Team.

Signed-off-by: David Zeuthen <zeuthen@gmail.com>
---
 src/udisksmountmonitor.c | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/src/udisksmountmonitor.c b/src/udisksmountmonitor.c
index 8af1028..77cf94c 100644
--- a/src/udisksmountmonitor.c
+++ b/src/udisksmountmonitor.c
@@ -416,8 +416,8 @@ udisks_mount_monitor_get_mountinfo (UDisksMountMonitor  *monitor,
       guint mount_id;
       guint parent_id;
       guint major, minor;
-      gchar encoded_root[PATH_MAX];
-      gchar encoded_mount_point[PATH_MAX];
+      gchar encoded_root[4096];
+      gchar encoded_mount_point[4096];
       gchar *mount_point;
       dev_t dev;
 
@@ -425,7 +425,7 @@ udisks_mount_monitor_get_mountinfo (UDisksMountMonitor  *monitor,
         continue;
 
       if (sscanf (lines[n],
-                  "%d %d %d:%d %s %s",
+                  "%d %d %d:%d %4095s %4095s",
                   &mount_id,
                   &parent_id,
                   &major,
@@ -436,6 +436,8 @@ udisks_mount_monitor_get_mountinfo (UDisksMountMonitor  *monitor,
           udisks_warning ("Error parsing line '%s'", lines[n]);
           continue;
         }
+      encoded_root[sizeof encoded_root - 1] = '\0';
+      encoded_mount_point[sizeof encoded_mount_point - 1] = '\0';
 
       /* Temporary work-around for btrfs, see
        *
@@ -450,15 +452,17 @@ udisks_mount_monitor_get_mountinfo (UDisksMountMonitor  *monitor,
           sep = strstr (lines[n], " - ");
           if (sep != NULL)
             {
-              gchar fstype[PATH_MAX];
-              gchar mount_source[PATH_MAX];
+              gchar fstype[4096];
+              gchar mount_source[4096];
               struct stat statbuf;
 
-              if (sscanf (sep + 3, "%s %s", fstype, mount_source) != 2)
+              if (sscanf (sep + 3, "%4095s %4095s", fstype, mount_source) != 2)
                 {
                   udisks_warning ("Error parsing things past - for '%s'", lines[n]);
                   continue;
                 }
+              fstype[sizeof fstype - 1] = '\0';
+              mount_source[sizeof mount_source - 1] = '\0';
 
               if (g_strcmp0 (fstype, "btrfs") != 0)
                 continue;
@@ -546,7 +550,7 @@ udisks_mount_monitor_get_swaps (UDisksMountMonitor  *monitor,
   lines = g_strsplit (contents, "\n", 0);
   for (n = 0; lines[n] != NULL; n++)
     {
-      gchar filename[PATH_MAX];
+      gchar filename[4096];
       struct stat statbuf;
       dev_t dev;
 
@@ -557,11 +561,12 @@ udisks_mount_monitor_get_swaps (UDisksMountMonitor  *monitor,
       if (strlen (lines[n]) == 0)
         continue;
 
-      if (sscanf (lines[n], "%s", filename) != 1)
+      if (sscanf (lines[n], "%4095s", filename) != 1)
         {
           udisks_warning ("Error parsing line '%s'", lines[n]);
           continue;
         }
+      filename[sizeof filename - 1] = '\0';
 
       if (stat (filename, &statbuf) != 0)
         {
-- 
1.8.5.3