When we are reading in a word from an options file, we maintain a count
of the length we have seen so far in 'len', which is an int. When len
exceeds MAXWORDLEN - 1 (i.e. 1023) we cease storing characters in the
buffer but we continue to increment len. Since len is an int, it will
wrap around to -
2147483648 after it reaches
2147483647. At that point
our test of (len < MAXWORDLEN-1) will succeed and we will start writing
characters to memory again.
This may enable an attacker to overwrite the heap and thereby corrupt
security-relevant variables. For this reason it has been assigned a
CVE identifier, CVE-2014-3158.
This fixes the bug by ceasing to increment len once it reaches MAXWORDLEN.
Reported-by: Lee Campbell <leecam@google.com>
Signed-off-by: Paul Mackerras <paulus@samba.org>
/*
* Store the resulting character for the escape sequence.
*/
- if (len < MAXWORDLEN-1)
+ if (len < MAXWORDLEN) {
word[len] = value;
- ++len;
+ ++len;
+ }
if (!got)
c = getc(f);
/*
* An ordinary character: store it in the word and get another.
*/
- if (len < MAXWORDLEN-1)
+ if (len < MAXWORDLEN) {
word[len] = c;
- ++len;
+ ++len;
+ }
c = getc(f);
}