The branch main has been updated by gordon:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=91a8bed5a49eb2d1e4e096a4c68c108cebec8818

commit 91a8bed5a49eb2d1e4e096a4c68c108cebec8818
Author:     Gordon Tetlow <[email protected]>
AuthorDate: 2021-08-24 17:40:49 +0000
Commit:     Gordon Tetlow <[email protected]>
CommitDate: 2021-08-24 18:26:45 +0000

    Fix remote code execution in ggatec(8).
    
    Approved by:    so
    Security:       SA-21:14.ggatec
    Security:       CVE-2021-29630
---
 sbin/ggate/ggatec/ggatec.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/sbin/ggate/ggatec/ggatec.c b/sbin/ggate/ggatec/ggatec.c
index 45a93c4512fe..0695dae0dca2 100644
--- a/sbin/ggate/ggatec/ggatec.c
+++ b/sbin/ggate/ggatec/ggatec.c
@@ -145,7 +145,21 @@ send_thread(void *arg __unused)
                case BIO_WRITE:
                        hdr.gh_cmd = GGATE_CMD_WRITE;
                        break;
+               default:
+                       g_gate_log(LOG_NOTICE, "Unknown gctl_cmd: %i", 
ggio.gctl_cmd);
+                       ggio.gctl_error = EOPNOTSUPP;
+                       g_gate_ioctl(G_GATE_CMD_DONE, &ggio);
+                       continue;
+               }
+
+               /* Don't send requests for more data than we can handle the 
response for! */
+               if (ggio.gctl_length > MAXPHYS) {
+                       g_gate_log(LOG_ERR, "Request too big: %zd", 
ggio.gctl_length);
+                       ggio.gctl_error = EOPNOTSUPP;
+                       g_gate_ioctl(G_GATE_CMD_DONE, &ggio);
+                       continue;
                }
+
                hdr.gh_seq = ggio.gctl_seq;
                hdr.gh_offset = ggio.gctl_offset;
                hdr.gh_length = ggio.gctl_length;
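Review bot: The new "Request too big" log passes `ggio.gctl_length` to a `%zd` conversion, but that field is an `off_t` (the recv_thread hunk casts `sizeof(buf)` to `off_t` to compare against it), and `%zd` expects a `ssize_t`, so on targets where `off_t` is wider than `ssize_t` the format and argument disagree, which is undefined behavior in C. The portable form is `g_gate_log(LOG_ERR, "Request too big: %jd", (intmax_t)ggio.gctl_length);`, and the same fix applies to the "Received too big response" log in the recv_thread hunk. The send-side bound is `MAXPHYS` while the receive side checks against `sizeof(buf)`; if those are meant to be the same limit, a comment on this check saying so (or a shared constant) would keep the two from drifting apart. The enclosing loop of send_thread starts and ends outside this hunk.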
@@ -219,6 +233,12 @@ recv_thread(void *arg __unused)
                ggio.gctl_length = hdr.gh_length;
                ggio.gctl_error = hdr.gh_error;
 
+               /* Do not overflow our buffer if there is a bogus response. */
+               if (ggio.gctl_length > (off_t) sizeof(buf)) {
+                       g_gate_log(LOG_ERR, "Received too big response: %zd", 
ggio.gctl_length);
+                       break;
+               }
+
                if (ggio.gctl_error == 0 && ggio.gctl_cmd == GGATE_CMD_READ) {
                        data = g_gate_recv(recvfd, ggio.gctl_data,
                            ggio.gctl_length, MSG_WAITALL);
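Review bot: The new bounds check is a signed comparison on `ggio.gctl_length` (an `off_t`), so it only rejects values above `sizeof(buf)`; unless `hdr.gh_length` is an unsigned type (its declaration is not in the hunk), a negative length from the peer would pass the check and reach `g_gate_recv` converted to a very large size. A defensive form is `if (ggio.gctl_length < 0 || ggio.gctl_length > (off_t)sizeof(buf)) {`, which costs nothing when the header field is already unsigned. The `break` on a bogus response leaves the loop without completing the outstanding request; whether that is handled after the loop cannot be seen from here, since recv_thread continues outside the hunk, but a short comment after the log line stating the intended outcome (e.g. `/* Peer is misbehaving; tear down the connection. */`) would make that explicit.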