Date: Wed, 9 Oct 2013 22:43:47 -0700
From: Chris Palmer <snackypants@...il.com>
To: oss-security@...ts.openwall.com
Cc: timo.warns@...il.com, cdfrey@...rsquare.net
Subject: Re: Integer overflow in libtar (<= 1.2.19)

On Wed, Oct 9, 2013 at 9:36 PM, Huzaifa Sidhpurwala <huzaifas@...hat.com> wrote:

> http://repo.or.cz/w/libtar.git/commit/45448e8bae671c2f7e80b860ae0fc0cedf2bdc04

I haven't read all the ultimate callees, but it might be that some
internal/external APIs should change too. If these:

/* macros for reading/writing tarchive blocks */
#define tar_block_read(t, buf) \
    (*((t)->type->readfunc))((t)->fd, (char *)(buf), T_BLOCKSIZE)
#define tar_block_write(t, buf) \
    (*((t)->type->writefunc))((t)->fd, (char *)(buf), T_BLOCKSIZE)

boil down to functions that implement the same interface as read(2)
and write(2), and it sure seems like it, then the |int i| in this:

 int
 th_read(TAR *t)
 {
-       int i, j;
-       size_t sz;
+       int i;
+       size_t sz, j, blocks;
        char *ptr;
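
Review bot: `int i;` on the added line stays a plain int while `sz`, `j` and `blocks` become size_t; if `i` receives the result of tar_block_read(), whose callee is invoked with a read(2)-style argument list, declare it `ssize_t i;` so the count is not narrowed and the -1 error return keeps its meaning. Separately, because `j` moves from int to size_t, any later use in th_read() that compares `j` against `i` or against a negative value becomes a signed/unsigned comparison; those uses are outside this hunk and should be checked before merging.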

— and the callees, and their declared interfaces — should use ssize_t, not int.
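
The int versus ssize_t point above, as an added example (not libtar code and not part of the original message). The reader callbacks, the readfunc_t typedef and the block_ok_* helpers are hypothetical; only T_BLOCKSIZE is taken from the macros quoted above. It assumes an LP64 platform and the gcc/clang behaviour of keeping the low 32 bits on an out-of-range conversion to int.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define T_BLOCKSIZE 512   /* same name as in the macros quoted above */

_Static_assert(sizeof(ssize_t) > sizeof(int), "example assumes LP64");

/* read(2)-shaped callback: bytes read, 0 at EOF, -1 on error. */
typedef ssize_t (*readfunc_t)(int fd, void *buf, size_t len);

/* Constructed readers (hypothetical; they ignore fd). */
static ssize_t good_reader(int fd, void *buf, size_t len)
{ (void)fd; memset(buf, 0, len); return (ssize_t)len; }

static ssize_t failing_reader(int fd, void *buf, size_t len)
{ (void)fd; (void)buf; (void)len; return -1; }

/* Reports 2^32 + 512 without touching buf, to exercise the narrowing. */
static ssize_t bogus_reader(int fd, void *buf, size_t len)
{ (void)fd; (void)buf; (void)len; return (ssize_t)UINT_MAX + 1 + T_BLOCKSIZE; }

/* Caller that keeps the result in an int, as an `int i` would. */
static int block_ok_int(readfunc_t rf)
{
    char buf[T_BLOCKSIZE];
    int i = (int)rf(0, buf, T_BLOCKSIZE);  /* gcc/clang keep the low 32 bits */
    return i == T_BLOCKSIZE;
}

/* Same check with the type read(2) actually returns. */
static int block_ok_ssize(readfunc_t rf)
{
    char buf[T_BLOCKSIZE];
    ssize_t n = rf(0, buf, T_BLOCKSIZE);
    return n == T_BLOCKSIZE;
}

int main(void)
{
    printf("good:    int=%d ssize_t=%d\n", block_ok_int(good_reader), block_ok_ssize(good_reader));
    printf("failing: int=%d ssize_t=%d\n", block_ok_int(failing_reader), block_ok_ssize(failing_reader));
    printf("bogus:   int=%d ssize_t=%d\n", block_ok_int(bogus_reader), block_ok_ssize(bogus_reader));
    return 0;
}
```

With the int-typed caller, the out-of-range count from bogus_reader is indistinguishable from a full block; the ssize_t-typed caller rejects it.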
