jimzah/freebsd-src
1
0
Fork 0
mirror of https://github.com/freebsd/freebsd-src.git synced 2024-11-30 04:22:44 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Fix remote code execution in ggatec(8).

Browse Source 
Approved by:    so
Security:       SA-21:14.ggatec
Security:       CVE-2021-29630
This commit is contained in:
Gordon Tetlow 2021-08-24 10:40:19 -07:00
parent b6dad073f5
commit 14ba78b3f8
1 changed files with 20 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
sbin/ggate/ggatec/ggatec.c
View File

@ -144,7 +144,21 @@ send_thread(void *arg __unused)
case BIO_WRITE:
hdr.gh_cmd = GGATE_CMD_WRITE;
break;
default:
g_gate_log(LOG_NOTICE, "Unknown gctl_cmd: %i", ggio.gctl_cmd);
ggio.gctl_error = EOPNOTSUPP;
g_gate_ioctl(G_GATE_CMD_DONE, &ggio);
continue;
}
/* Don't send requests for more data than we can handle the response for! */
if (ggio.gctl_length > MAXPHYS) {
g_gate_log(LOG_ERR, "Request too big: %zd", ggio.gctl_length);
ggio.gctl_error = EOPNOTSUPP;
g_gate_ioctl(G_GATE_CMD_DONE, &ggio);
continue;
}
hdr.gh_seq = ggio.gctl_seq;
hdr.gh_offset = ggio.gctl_offset;
hdr.gh_length = ggio.gctl_length;
@ -217,6 +231,12 @@ recv_thread(void *arg __unused)
ggio.gctl_length = hdr.gh_length;
ggio.gctl_error = hdr.gh_error;
/* Do not overflow our buffer if there is a bogus response. */
if (ggio.gctl_length > (off_t) sizeof(buf)) {
g_gate_log(LOG_ERR, "Received too big response: %zd", ggio.gctl_length);
break;
}
if (ggio.gctl_error == 0 && ggio.gctl_cmd == GGATE_CMD_READ) {
data = g_gate_recv(recvfd, ggio.gctl_data,
ggio.gctl_length, MSG_WAITALL);