Ticket #3437 (closed defect: fixed)

Opened 7 years ago

Last modified 7 years ago

[patch] fix heap-buffer-overflow in custom_canonicalize_pathname()

Reported by: and Owned by:
Priority: major Milestone: 4.8.15
Component: mc-core Version: master
Keywords: Cc:
Blocked By: Blocking:
Branch state: no branch Votes for changeset: committed-master

Description

fix heap-buffer-overflow in lib/utilunix.c:custom_canonicalize_pathname()
only use strncmp when path has enough room (greater then url_delim_len size)
overflow happen when path = './'

(found by AddressSanitizer?)

==7448==ERROR: AddressSanitizer?: heap-buffer-overflow on address 0x602000079d6f at pc 0x000000458ebe bp 0x7fffc02b6580 sp 0x7fffc02b5d38
READ of size 1 at 0x602000079d6f thread T0

#0 0x458ebd in interceptor_strncmp (/tmp/portage/app-misc/mc-9999/work/mc-9999/src/mc+0x458ebd)
#1 0x644312 in custom_canonicalize_pathname /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/utilunix.c:897:20
#2 0x64594f in mc_build_filenamev /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/utilunix.c:1335:13
#3 0x645fc1 in mc_build_filename /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/utilunix.c:1373:11
#4 0x5e07a0 in vfs_canon /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/vfs/path.c:159:21
#5 0x5e064a in vfs_path_from_str_flags /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/vfs/path.c:736:16
#6 0x7c036b in panel_operate /tmp/portage/app-misc/mc-9999/work/mc-9999/src/filemanager/file.c:2725:22
#7 0x79c4ce in rename_cmd /tmp/portage/app-misc/mc-9999/work/mc-9999/src/filemanager/cmd.c:810:9
#8 0x5a43e2 in midnight_execute_cmd /tmp/portage/app-misc/mc-9999/work/mc-9999/src/filemanager/midnight.c:1312:9
#9 0x519607 in buttonbar_callback /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/widget/buttonbar.c:172:42
#10 0x5307d5 in dlg_try_hotkey /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/widget/dialog.c:465:23
#11 0x52efba in dlg_key_event /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/widget/dialog.c:510:19
#12 0x52f906 in frontend_dlg_run /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/widget/dialog.c:571:9
#13 0x52f525 in dlg_run /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/widget/dialog.c:1268:5
#14 0x59fc1a in do_nc /tmp/portage/app-misc/mc-9999/work/mc-9999/src/filemanager/midnight.c:1763:9
#15 0x4fa648 in main /tmp/portage/app-misc/mc-9999/work/mc-9999/src/main.c:418:21
#16 0x7f5d3f202133 in
libc_start_main (/lib64/libc.so.6+0x20133)
#17 0x44eff6 in _start (/tmp/portage/app-misc/mc-9999/work/mc-9999/src/mc+0x44eff6)

Signed-off-by: Andreas Mohr <and@…>

Attachments

mc-3437-fix-overflow-custom_canonicalize_pathname.patch (2.6 KB) - added by and 7 years ago.

Change History

comment:1 Changed 7 years ago by andrew_b

  • Blocked By 3420 added

comment:2 Changed 7 years ago by andrew_b

  • Blocked By 3420 removed

comment:3 Changed 7 years ago by andrew_b

  • Status changed from new to closed
  • Votes for changeset set to committed-master
  • Resolution set to fixed
  • Milestone changed from Future Releases to 4.8.15
Note: See TracTickets for help on using tickets.