From 428ee988df7d6cbe6e18becffcee5cdfb0fa9d17 Mon Sep 17 00:00:00 2001
From: Amar Tumballi <amarts@redhat.com>
Date: Tue, 24 Jul 2018 13:25:12 +0530
Subject: [PATCH 1/7] dict: handle negative key/value length while unserialize
Fixes: bz#1625089
Change-Id: Ie56df0da46c242846a1ba51ccb9e011af118b119
Signed-off-by: Amar Tumballi <amarts@redhat.com>
Upstream-Status: Backport
Fix CVE-2018-10911
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
libglusterfs/src/dict.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/libglusterfs/src/dict.c b/libglusterfs/src/dict.c
index 839b426..ac0a677 100644
--- a/libglusterfs/src/dict.c
+++ b/libglusterfs/src/dict.c
@@ -2751,6 +2751,13 @@ dict_unserialize (char *orig_buf, int32_t size, dict_t **fill)
vallen = ntoh32 (hostord);
buf += DICT_DATA_HDR_VAL_LEN;
+ if ((keylen < 0) || (vallen < 0)) {
+ gf_msg_callingfn ("dict", GF_LOG_ERROR, 0,
+ LG_MSG_UNDERSIZED_BUF,
+ "undersized length passed "
+ "key:%d val:%d", keylen, vallen);
+ goto out;
+ }
if ((buf + keylen) > (orig_buf + size)) {
gf_msg_callingfn ("dict", GF_LOG_ERROR, 0,
LG_MSG_UNDERSIZED_BUF,
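Review bot: The bounds check that follows the new guard, `if ((buf + keylen) > (orig_buf + size))`, still forms the pointer `buf + keylen` before comparing, so a large positive keylen read from the serialized buffer can take it past the end of the allocation, which is undefined behaviour and may wrap on a 32-bit address space. Rejecting negative lengths is necessary, but the check is sturdier when it compares lengths rather than pointers, e.g. `if (keylen > (orig_buf + size) - buf)`; presumably the matching vallen check further down, outside this hunk, has the same shape and would need the same treatment. The new log text says "undersized length" for what is actually a negative length, so `"negative length passed key:%d val:%d"` would be easier to triage. dict_unserialize starts and ends outside the hunk, so whether `ret` holds a failure value when `goto out` is taken cannot be confirmed from here.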
--
2.7.4