mirror of git://git.code.sf.net/p/cdesktopenv/code synced 2025-03-09 15:50:02 +00:00

tt_isam_record.C/tt_isam_record.C: fix CERT VU#387387 part 3

Jon Trulson 2012-05-26 18:39:51 -06:00
parent 95e6fd42cc
commit 70128313e9
2 changed files with 31 additions and 11 deletions


@ -927,15 +927,33 @@ _tt_isclose_1(int *isfd, SVCXPRT * /* transp */)
_tt_syslog(errstr, LOG_ERR, "%s: _tt_check_stale_isfd() == 0", _tt_syslog(errstr, LOG_ERR, "%s: _tt_check_stale_isfd() == 0",
here ); here );
} else { } else {
res.result = cached_isclose(*isfd); // JET - 06/12/2002
if (res.result != -1) { // VU#975403 - CERT TT vulnerability. By passing an invalid isfd
_tt_db_table[*isfd].db_path = 0; // a local or remote attacker can zero out 4 bytes at any location,
_tt_db_table[*isfd].opener_uid = (uid_t)-1; // thereby allowing other exploits (items 2 & 3 - delete or
} else { // overwrite any file on the system.)
_tt_syslog(errstr, LOG_ERR, "%s: isclose(): %d", // Here, we will just check to make sure: 0 >= isfd < _TT_MAX_ISFD
here, iserrno);
} if (*isfd < 0 || *isfd >= _TT_MAX_ISFD)
res.iserrno = iserrno; { // some trickery going on?
res.result = -1;
res.iserrno = ERPC;
_tt_syslog(errstr, LOG_ERR, "%s: _tt_isclose_1: Invalid file descriptor. This may be an attempted exploit.",
here );
}
else
{
res.result = cached_isclose(*isfd);
if (res.result != -1) {
_tt_db_table[*isfd].db_path = 0;
_tt_db_table[*isfd].opener_uid = (uid_t)-1;
} else {
_tt_syslog(errstr, LOG_ERR, "%s: isclose(): %d",
here, iserrno);
}
res.iserrno = iserrno;
}
} }
return (&res); return (&res);
} }
@ -1482,6 +1500,8 @@ _tt_transaction_error(int fd)
_Tt_isam_results * _Tt_isam_results *
_tt_transaction_1(_Tt_transaction_args* args, SVCXPRT * /* transp */) _tt_transaction_1(_Tt_transaction_args* args, SVCXPRT * /* transp */)
{ {
struct stat buf; // JET - VU#975403/VU#299816
static const char *here = "_tt_transaction_1()"; static const char *here = "_tt_transaction_1()";
/* check for stale NetISAM file descriptor */ /* check for stale NetISAM file descriptor */
if (!_tt_check_stale_isfd(args->isfd)) { if (!_tt_check_stale_isfd(args->isfd)) {
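Review bot: In `_tt_isclose_1` the new range test sits inside the `else` branch of the stale-descriptor check, so `_tt_check_stale_isfd(*isfd)` has already run on the unvalidated value before `*isfd < 0 || *isfd >= _TT_MAX_ISFD` is evaluated; if that helper indexes `_tt_db_table` (its body is not shown here), the out-of-range access is still reachable. Moving the range test ahead of the stale check, so that it is the first thing done with `*isfd`, would close that path. `_tt_transaction_1` in the second hunk has the same shape: it calls `_tt_check_stale_isfd(args->isfd)` first, and the only thing added there is the `struct stat buf;` declaration, with no range test on `args->isfd` visible. The new comment also states the range backwards as `0 >= isfd < _TT_MAX_ISFD`; it should read `// Here, we will just check to make sure: 0 <= isfd < _TT_MAX_ISFD`. Both function bodies extend beyond the visible hunks, so the ordering should be confirmed against the full file.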


@ -147,8 +147,8 @@ void _Tt_isam_record::setBytes (int start, const _Tt_string &value)
if (bavail <= 0) if (bavail <= 0)
return; return;
if (bavail > length) if (bavail > value.len())
bcp = length; bcp = value.len();
else else
bcp = bavail; bcp = bavail;
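Review bot: The new clamp replaces `length` with `value.len()` rather than adding it as a further bound, so the copy size no longer honours `length` at all; a caller that passes a `length` shorter than the value would now have more bytes written into the record than it asked for. Clamping to the smallest of the three keeps both guarantees: `bcp = bavail; if (bcp > length) bcp = length; if (bcp > value.len()) bcp = value.len();`. `length` and `bavail` are set above the hunk and the copy itself is below it, so whether a negative `length` or `start` can reach this point cannot be confirmed from these lines and is worth checking in the same pass.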