diff options
author | Gordon Tetlow <gordon@FreeBSD.org> | 2021-08-24 17:40:49 +0000 |
---|---|---|
committer | Gordon Tetlow <gordon@FreeBSD.org> | 2021-08-24 18:26:45 +0000 |
commit | 91a8bed5a49eb2d1e4e096a4c68c108cebec8818 (patch) | |
tree | 468184f4cdef6b92fc94a386094bd42f21795928 | |
parent | a48416f844e3007b4e9f6df125e25cf3a1daad62 (diff) | |
download | src-91a8bed5a49eb2d1e4e096a4c68c108cebec8818.tar.gz src-91a8bed5a49eb2d1e4e096a4c68c108cebec8818.zip |
Fix remote code execution in ggatec(8).
Approved by: so
Security: SA-21:14.ggatec
Security: CVE-2021-29630
-rw-r--r-- | sbin/ggate/ggatec/ggatec.c | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/sbin/ggate/ggatec/ggatec.c b/sbin/ggate/ggatec/ggatec.c index 45a93c4512fe..0695dae0dca2 100644 --- a/sbin/ggate/ggatec/ggatec.c +++ b/sbin/ggate/ggatec/ggatec.c @@ -145,7 +145,21 @@ send_thread(void *arg __unused) case BIO_WRITE: hdr.gh_cmd = GGATE_CMD_WRITE; break; + default: + g_gate_log(LOG_NOTICE, "Unknown gctl_cmd: %i", ggio.gctl_cmd); + ggio.gctl_error = EOPNOTSUPP; + g_gate_ioctl(G_GATE_CMD_DONE, &ggio); + continue; + } + + /* Don't send requests for more data than we can handle the response for! */ + if (ggio.gctl_length > MAXPHYS) { + g_gate_log(LOG_ERR, "Request too big: %zd", ggio.gctl_length); + ggio.gctl_error = EOPNOTSUPP; + g_gate_ioctl(G_GATE_CMD_DONE, &ggio); + continue; } + hdr.gh_seq = ggio.gctl_seq; hdr.gh_offset = ggio.gctl_offset; hdr.gh_length = ggio.gctl_length; @@ -219,6 +233,12 @@ recv_thread(void *arg __unused) ggio.gctl_length = hdr.gh_length; ggio.gctl_error = hdr.gh_error; + /* Do not overflow our buffer if there is a bogus response. */ + if (ggio.gctl_length > (off_t) sizeof(buf)) { + g_gate_log(LOG_ERR, "Received too big response: %zd", ggio.gctl_length); + break; + } + if (ggio.gctl_error == 0 && ggio.gctl_cmd == GGATE_CMD_READ) { data = g_gate_recv(recvfd, ggio.gctl_data, ggio.gctl_length, MSG_WAITALL); |