Fix unitialized name buffer in CPIO parser

Fixes a possible stack buffer overflow introduced in 0.103 development
when we added optional names to file maps (fmaps). The CPIO parser uses
a stack buffer to store the name (if present). If no name is present, then
the stack buffer was passed uninitialized to the fmap scanning function,
which could cause an overflow.

This fix both initializes the buffer and uses a pointer so the scan
function gets NULL instead of a buffer in the event that a name isn't
present as that's the intended way to use the API, rather than passing
an empty string name buffer.
Micah Snyder (micasnyd) 5 years ago
parent 65e3394aa6
commit e830b45ca7
  1. 7
      libclamav/cpio.c

@ -98,6 +98,7 @@ static void sanitname(char *name)
int cli_scancpio_old(cli_ctx *ctx)
{
struct cpio_hdr_old hdr_old;
char * fmap_name = NULL;
char name[513];
unsigned int file = 0, trailer = 0;
uint32_t filesize, namesize, hdr_namesize;
@ -105,6 +106,8 @@ int cli_scancpio_old(cli_ctx *ctx)
off_t pos = 0;
int virus_found = 0;
memset(name, 0, sizeof(name));
while (fmap_readn(*ctx->fmap, &hdr_old, pos, sizeof(hdr_old)) == sizeof(hdr_old)) {
pos += sizeof(hdr_old);
if (!hdr_old.magic && trailer) {
@ -144,6 +147,8 @@ int cli_scancpio_old(cli_ctx *ctx)
pos += hdr_namesize - namesize;
} else if (hdr_namesize % 2)
pos++;
fmap_name = &name;
}
filesize = (uint32_t)((uint32_t)EC16(hdr_old.filesize[0], conv) << 16 | EC16(hdr_old.filesize[1], conv));
cli_dbgmsg("CPIO: Filesize: %u\n", filesize);
@ -163,7 +168,7 @@ int cli_scancpio_old(cli_ctx *ctx)
if (ret == CL_EMAXFILES) {
goto leave;
} else if (ret == CL_SUCCESS) {
ret = cli_magic_scan_nested_fmap_type(*ctx->fmap, pos, filesize, ctx, CL_TYPE_ANY, name);
ret = cli_magic_scan_nested_fmap_type(*ctx->fmap, pos, filesize, ctx, CL_TYPE_ANY, fmap_name);
if (ret == CL_VIRUS) {
if (!SCAN_ALLMATCHES)
return ret;
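Review bot: `fmap_name = &name;` in the third hunk assigns a `char (*)[513]` to a `char *`; the address is the same at runtime, but it is an incompatible-pointer-type assignment that compilers warn about, and array decay gives the intended value with `fmap_name = name;`. fmap_name is also only ever set inside the block closed by the following `}` and is never cleared, so if that block is the has-a-name branch (its opening is outside the hunk), a nameless entry following a named one would be scanned under the previous entry's name; resetting `fmap_name = NULL;` at the top of each `while` iteration would preserve the NULL-for-no-name contract the commit message describes. The new declaration `char * fmap_name = NULL;` also departs from the file's `char *name` declarator style. cli_scancpio_old continues outside the hunks.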
