Bug#148221: dpkg: Small off by one error in parseversion()
On Sun, 26 May 2002, Petter Reinholdtsen wrote:
>
> Package: dpkg
> Version: 1.9.21
> Severity: normal
> Tags: patch
>
> The following patch fixes an off-by-one error in dpkg. It reads one
> past the allocated buffer.
>
> I discovered it using valgrind,
> <URL:http://developer.kde.org/~sewardj/>.
>
> --- lib/parsehelp.c.orig Sun May 26 19:24:23 2002
> +++ lib/parsehelp.c Sun May 26 19:22:34 2002
> @@ -214,7 +214,7 @@
> } else {
> rversion->epoch= 0;
> }
> - rversion->version= nfstrnsave(string,end-string+1);
> + rversion->version= nfstrnsave(string,end-string);
> hyphen= strrchr(rversion->version,'-');
> if (hyphen) *hyphen++= 0;
> rversion->revision= hyphen ? hyphen : "";
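Review bot: the hunk does not include the lines that compute `end`, so the diff alone cannot show whether `end - string + 1` is the over-read. If `end` points at the last character of the version (so `end - string + 1` is the intended length), dropping the `+ 1` silently truncates every parsed version by one character instead of fixing a read past the buffer; if `end` points one past the last character, the change is right. Add the context lines that set `end`, and check whether valgrind's report lands on this call or on the copy inside nfstrnsave, since a length that is correct here can still be over-read by a callee that copies `l + 1` bytes.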
This is a problem, but this is not the proper fix.
Let's say string == 0x5, and end = 0x6. This means we need to copy 2
chars (0x5 and 0x6, or 0x6 - 0x5 + 1). So, your buffer overrun does not occur
in this code.
However, if we look at nfstrnsave:
==
char *nfstrnsave(const char *string, int l) {
  char *ret;

  OBSTACK_INIT;
  /* Copies l + 1 bytes from string: one byte more than the length the
     caller passed in. */
  ret = obstack_copy (&db_obs, string, l + 1);
  /* The extra byte is overwritten with the terminator, so its value is
     never used, but it may already have been read from past the end of
     the source buffer. */
  *(ret + l) = 0;
  return ret;
}
==
You'll see that we add 1 to l, and this is where it occurs. We are attempting
to allocate a new memory block, with the size l, plus one byte. The issue is
that the source buffer may not be l + 1 in length.
The solution is to use obstack_copy0 instead of obstack_copy, and not add 1
to l.
I'm checking this fix into HEAD, for 1.10.
--
To UNSUBSCRIBE, email to debian-dpkg-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
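The two versions of nfstrnsave side by side, as an added example that is not part of this thread or of dpkg. It models obstack_copy and obstack_copy0 with malloc and memcpy (assumption: the real functions read exactly the byte count they are given, obstack_copy0 appending a terminator), and gives the model the true size of the source buffer purely so it can count an over-read instead of committing one. The names nfstrnsave_old, nfstrnsave_fixed, model_obstack_copy and overread_with are constructed for this illustration; db_obs and OBSTACK_INIT are not needed by the model.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes that a copy asked for beyond the end of its source buffer.
 * Reset by overread_with(); a demonstration aid only, not part of dpkg. */
static size_t overread_bytes;

/* Model of obstack_copy (add_nul == 0) and obstack_copy0 (add_nul == 1).
 * Assumption: the real functions read exactly n bytes from src. src_len is
 * the true size of the source buffer and exists only so the model can record
 * an over-read rather than perform one. */
static char *model_obstack_copy(const char *src, size_t src_len, size_t n, int add_nul) {
    char *ret = malloc(n + 1);
    if (ret == NULL) abort();
    if (n > src_len) {
        overread_bytes += n - src_len;   /* the real obstack_copy would read these */
        memset(ret, 0, n + 1);
        memcpy(ret, src, src_len);       /* copy only what actually exists */
    } else {
        memcpy(ret, src, n);
    }
    if (add_nul) ret[n] = '\0';          /* obstack_copy0 appends the terminator */
    return ret;
}

/* The version quoted in the reply: obstack_copy(&db_obs, string, l + 1)
 * reads l + 1 bytes, one more than the caller vouched for. */
char *nfstrnsave_old(const char *string, size_t src_len, int l) {
    char *ret = model_obstack_copy(string, src_len, (size_t)l + 1, 0);
    *(ret + l) = '\0';
    return ret;
}

/* The fix the reply describes: obstack_copy0 with l, and no + 1. Exactly l
 * bytes are read and the terminator is added to the destination only. */
char *nfstrnsave_fixed(const char *string, size_t src_len, int l) {
    return model_obstack_copy(string, src_len, (size_t)l, 1);
}

/* Run one variant over a buffer of exactly l bytes with no terminator (the
 * situation the reply warns about: a source that is not l + 1 long).
 * Returns how many bytes were requested past the source; *out receives the
 * copy, which the caller frees. */
size_t overread_with(char *(*fn)(const char *, size_t, int), int l, char **out) {
    char *src = malloc((size_t)l);       /* constructed input: l bytes of 'a' */
    if (src == NULL) abort();
    memset(src, 'a', (size_t)l);
    overread_bytes = 0;
    *out = fn(src, (size_t)l, l);
    free(src);
    return overread_bytes;
}

int main(void) {
    char *s;
    size_t over = overread_with(nfstrnsave_old, 5, &s);
    printf("old:   \"%s\", %zu byte(s) read past the source\n", s, over);
    free(s);
    over = overread_with(nfstrnsave_fixed, 5, &s);
    printf("fixed: \"%s\", %zu byte(s) read past the source\n", s, over);
    free(s);
    return 0;
}
```

Both variants produce the same string, which is why the bug is invisible in normal testing and only a tool like valgrind reports it: the old variant's extra byte is read and then immediately overwritten by the terminator, so nothing in the result betrays the over-read.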