tt_isam_record.C/tt_isam_record.C: fix CERT VU#387387 part 3

2025-03-09 15:50:02 +00:00 · 2012-05-26 18:39:51 -06:00 · 2012-05-26 18:39:51 -06:00 · 70128313e9
commit 70128313e9
parent 95e6fd42cc
2 changed files with 31 additions and 11 deletions
--- a/cde/lib/tt/bin/ttdbserverd/dm_server.C
+++ b/cde/lib/tt/bin/ttdbserverd/dm_server.C
@ -927,15 +927,33 @@ _tt_isclose_1(int *isfd, SVCXPRT * /* transp */)
 		_tt_syslog(errstr, LOG_ERR, "%s: _tt_check_stale_isfd() == 0",
 			   here );
 	} else {
-		res.result = cached_isclose(*isfd);
-		if (res.result != -1) {
-			_tt_db_table[*isfd].db_path = 0;
-			_tt_db_table[*isfd].opener_uid = (uid_t)-1;
-		} else {
-			_tt_syslog(errstr, LOG_ERR, "%s: isclose(): %d",
-				   here, iserrno);
-		}
-		res.iserrno = iserrno;
+	  // JET - 06/12/2002
+	  // VU#975403 - CERT TT vulnerability.  By passing an invalid isfd
+	  // a local or remote attacker can zero out 4 bytes at any location,
+	  // thereby allowing other exploits (items 2 & 3 - delete or
+	  // overwrite any file on the system.)
+	  // Here, we will just check to make sure: 0 >= isfd < _TT_MAX_ISFD
+
+	  if (*isfd < 0 || *isfd >= _TT_MAX_ISFD)
+	    {			// some trickery going on?
+	      res.result = -1;
+	      res.iserrno = ERPC;
+	      _tt_syslog(errstr, LOG_ERR, "%s: _tt_isclose_1: Invalid file descriptor.  This may be an attempted exploit.",
+			 here );
+	    }
+	  else
+	    {
+	      
+	      res.result = cached_isclose(*isfd);
+	      if (res.result != -1) {
+		_tt_db_table[*isfd].db_path = 0;
+		_tt_db_table[*isfd].opener_uid = (uid_t)-1;
+	      } else {
+		_tt_syslog(errstr, LOG_ERR, "%s: isclose(): %d",
+			   here, iserrno);
+	      }
+	      res.iserrno = iserrno;
+	    }
 	}
 	return (&res);
 }
@ -1482,6 +1500,8 @@ _tt_transaction_error(int fd)
 _Tt_isam_results *
 _tt_transaction_1(_Tt_transaction_args* args, SVCXPRT * /* transp */)
 {
+        struct stat buf; // JET - VU#975403/VU#299816
+
 	static const char *here = "_tt_transaction_1()";
 	/* check for stale NetISAM file descriptor */
 	if (!_tt_check_stale_isfd(args->isfd)) {
--- a/cde/lib/tt/bin/ttdbserverd/tt_isam_record.C
+++ b/cde/lib/tt/bin/ttdbserverd/tt_isam_record.C
@ -147,8 +147,8 @@ void _Tt_isam_record::setBytes (int start, const _Tt_string &value)
  if (bavail <= 0)
    return;

-  if (bavail > length)
-    bcp = length;
+  if (bavail > value.len())
+    bcp = value.len();
  else
    bcp = bavail;