[PATCH] uclinux: fix gzip header parsing in binfmt_flat.c

From: "Volodymyr G. Lukiianyk" <volodymyrgl@xxxxxxxxx>
Date: Tue, 26 Aug 2008 20:52:03 +0300

There are off-by-one errors in decompress_exec() when calculating the length of
optional "original file name" and "comment" fields: the "ret" index is not
incremented when terminating '\0' character is reached. The check of the buffer
overflow (after an "extra-field" length was taken into account) is also fixed.

Signed-off-by: Volodymyr G Lukiianyk <volodymyrgl@xxxxxxxxx>
---

I've encountered this off-by-one error when tried to reuse gzip-header-parsing
part of the decompress_exec() function. There was an "original file name" field
in the payload (with miscalculated length) and zlib_inflate() returned
Z_DATA_ERROR. But after the fix similar to this one all worked fine.

WARNING: the proposed patch wasn't properly tested.
[1mdiff --git a/fs/binfmt_flat.c b/fs/binfmt_flat.c[m
[1mindex dfc0197..ccb781a 100644[m
[1m--- a/fs/binfmt_flat.c[m
[1m+++ b/fs/binfmt_flat.c[m
[36m@@ -229,13 +229,13 @@ static int decompress_exec(
[m ret = 10;
[m if (buf[3] & EXTRA_FIELD) {
[m ret += 2 + buf[10] + (buf[11] << 8);
[m[31m- if (unlikely(LBUFSIZE == ret)) {
[m[32m+[m [32mif (unlikely(LBUFSIZE <= ret)) {[m
DBG_FLT("binfmt_flat: buffer overflow (EXTRA)?\n");
[m goto out_free_buf;
[m }
[m }
[m if (buf[3] & ORIG_NAME) {
[m[31m- for (; ret < LBUFSIZE && (buf[ret] != 0); ret++)
[m[32m+[m [32mwhile (ret < LBUFSIZE && buf[ret++] != 0)[m
;
[m if (unlikely(LBUFSIZE == ret)) {
[m DBG_FLT("binfmt_flat: buffer overflow (ORIG_NAME)?\n");
[m[36m@@ -243,7 +243,7 @@ static int decompress_exec(
[m }
[m }
[m if (buf[3] & COMMENT) {
[m[31m- for (; ret < LBUFSIZE && (buf[ret] != 0); ret++)
[m[32m+[m [32mwhile (ret < LBUFSIZE && buf[ret++] != 0)[m
;
[m if (unlikely(LBUFSIZE == ret)) {
[m DBG_FLT("binfmt_flat: buffer overflow (COMMENT)?\n");
[m

Follow-Ups:
- Re: [PATCH] uclinux: fix gzip header parsing in binfmt_flat.c
  - From: Volodymyr G. Lukiianyk

Prev by Date: (e)poll and (rd)hup questions
Next by Date: Re: [PATCH 6/6] sched: disabled rt-bandwidth by default
Previous by thread: (e)poll and (rd)hup questions
Next by thread: Re: [PATCH] uclinux: fix gzip header parsing in binfmt_flat.c
Index(es):
- Date
- Thread

Relevant Pages

Re: _stprintf
... It won't overflow the buffer, ... StringCchPrintf will format the string, which is one character plus a terminal null ...
(microsoft.public.vc.mfc)
Re: [patch 2/2] track and print last unloaded module in the oops trace
... Why use sprintf? ... If a module name contains the % character we could ... overflow the buffer. ...
(Linux-Kernel)
Re: [PATCH] uclinux: fix gzip header parsing in binfmt_flat.c
... The check of the buffer ... overflow (after an "extra-field" length was taken into account) is also fixed. ... ret = 10; ...
(Linux-Kernel)
renee.rtf.xaa
... renee is RTF parser/macro processor I wrote. ... Character Stream\ ... Write Output Buffer to Files\ ...
(comp.lang.tcl)
Re: input & output in assembly
... [As you've not specified OS or assembler, ... using individual character I/O and handling the rest yourself in your ... it finds in that string, ... ENTER key is pressed (maximum buffer size: ...
(comp.lang.asm.x86)