Commit 42896939 authored by Olaf Meeuwissen's avatar Olaf Meeuwissen

Address memory corruption and information leakage.

Addresses CVE-2017-6318, Alioth#315576 and Debian's BTS#854804.
parent eaa4d440
......@@ -1992,6 +1992,38 @@ process_request (Wire * w)
return 1;
}
/* Addresses CVE-2017-6318 (#315576, Debian BTS #853804) */
/* This is done here (rather than in sanei/sanei_wire.c where
* it should be done) to minimize scope of impact and amount
* of code change.
*/
if (w->direction == WIRE_DECODE
&& req.value_type == SANE_TYPE_STRING
&& req.action == SANE_ACTION_GET_VALUE)
{
if (req.value)
{
/* FIXME: If req.value contains embedded NUL
* characters, this is wrong but we do not have
* access to the amount of memory allocated in
* sanei/sanei_wire.c at this point.
*/
w->allocated_memory -= (1 + strlen (req.value));
free (req.value);
}
req.value = malloc (req.value_size);
if (!req.value)
{
w->status = ENOMEM;
DBG (DBG_ERR,
"process_request: (control_option) "
"h=%d (%s)\n", req.handle, strerror (w->status));
return 1;
}
memset (req.value, 0, req.value_size);
w->allocated_memory += req.value_size;
}
can_authorize = 1;
memset (&reply, 0, sizeof (reply)); /* avoid leaking bits */
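Review bot: `req.value_size` is read off the wire from the client and reaches `malloc (req.value_size)` unchecked; a size of 0 makes the result implementation-defined (NULL, which this code reports as ENOMEM, or a zero-byte block that the backend presumably then writes a NUL-terminated string into), and a very large size lets a client force the daemon into arbitrarily large allocations. A guard ahead of the malloc such as `if (req.value_size == 0) { w->status = EINVAL; return 1; }`, plus a bound against the option's declared size where the descriptor is reachable (not visible in the hunk), would cover both cases. The comment above the block cites Debian BTS #853804 while the commit message cites BTS#854804; one of the two numbers needs correcting. process_request begins outside the hunk.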