Diffstat (limited to 'patches/glibc-2.18/0009-CVE-2013-4237-BZ-14699-Buffer-overflow-in-readdir_r.patch')
-rw-r--r--patches/glibc-2.18/0009-CVE-2013-4237-BZ-14699-Buffer-overflow-in-readdir_r.patch171
1 files changed, 0 insertions, 171 deletions
diff --git a/patches/glibc-2.18/0009-CVE-2013-4237-BZ-14699-Buffer-overflow-in-readdir_r.patch b/patches/glibc-2.18/0009-CVE-2013-4237-BZ-14699-Buffer-overflow-in-readdir_r.patch
deleted file mode 100644
index 526775b..0000000
--- a/patches/glibc-2.18/0009-CVE-2013-4237-BZ-14699-Buffer-overflow-in-readdir_r.patch
+++ /dev/null
@@ -1,171 +0,0 @@
-From: Florian Weimer <fweimer@redhat.com>
-Date: Fri, 16 Aug 2013 09:38:52 +0200
-Subject: [PATCH] CVE-2013-4237, BZ #14699: Buffer overflow in readdir_r
-
- * sysdeps/posix/dirstream.h (struct __dirstream): Add errcode
- member.
- * sysdeps/posix/opendir.c (__alloc_dir): Initialize errcode
- member.
- * sysdeps/posix/rewinddir.c (rewinddir): Reset errcode member.
- * sysdeps/posix/readdir_r.c (__READDIR_R): Enforce NAME_MAX limit.
- Return delayed error code. Remove GETDENTS_64BIT_ALIGNED
- conditional.
- * sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c: Do not define
- GETDENTS_64BIT_ALIGNED.
- * sysdeps/unix/sysv/linux/i386/readdir64_r.c: Likewise.
- * manual/filesys.texi (Reading/Closing Directory): Document
- ENAMETOOLONG return value of readdir_r. Recommend readdir more
- strongly.
- * manual/conf.texi (Limits for Files): Add portability note to
- NAME_MAX, PATH_MAX.
- (Pathconf): Add portability note for _PC_NAME_MAX, _PC_PATH_MAX.
----
- sysdeps/posix/dirstream.h | 2 ++
- sysdeps/posix/opendir.c | 1 +
- sysdeps/posix/readdir_r.c | 42 ++++++++++++++++++-------
- sysdeps/posix/rewinddir.c | 1 +
- sysdeps/unix/sysv/linux/i386/readdir64_r.c | 1 -
- sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c | 1 -
- 6 files changed, 34 insertions(+), 14 deletions(-)
-
-diff --git a/sysdeps/posix/dirstream.h b/sysdeps/posix/dirstream.h
-index a7a074d..8e8570d 100644
---- a/sysdeps/posix/dirstream.h
-+++ b/sysdeps/posix/dirstream.h
-@@ -39,6 +39,8 @@ struct __dirstream
-
- off_t filepos; /* Position of next entry to read. */
-
-+ int errcode; /* Delayed error code. */
-+
- /* Directory block. */
- char data[0] __attribute__ ((aligned (__alignof__ (void*))));
- };
-diff --git a/sysdeps/posix/opendir.c b/sysdeps/posix/opendir.c
-index ddfc3a7..fc05b0f 100644
---- a/sysdeps/posix/opendir.c
-+++ b/sysdeps/posix/opendir.c
-@@ -231,6 +231,7 @@ __alloc_dir (int fd, bool close_fd, int flags, const struct stat64 *statp)
- dirp->size = 0;
- dirp->offset = 0;
- dirp->filepos = 0;
-+ dirp->errcode = 0;
-
- return dirp;
- }
-diff --git a/sysdeps/posix/readdir_r.c b/sysdeps/posix/readdir_r.c
-index b5a8e2e..8ed5c3f 100644
---- a/sysdeps/posix/readdir_r.c
-+++ b/sysdeps/posix/readdir_r.c
-@@ -40,6 +40,7 @@ __READDIR_R (DIR *dirp, DIRENT_TYPE *entry, DIRENT_TYPE **result)
- DIRENT_TYPE *dp;
- size_t reclen;
- const int saved_errno = errno;
-+ int ret;
-
- __libc_lock_lock (dirp->lock);
-
-@@ -70,10 +71,10 @@ __READDIR_R (DIR *dirp, DIRENT_TYPE *entry, DIRENT_TYPE **result)
- bytes = 0;
- __set_errno (saved_errno);
- }
-+ if (bytes < 0)
-+ dirp->errcode = errno;
-
- dp = NULL;
-- /* Reclen != 0 signals that an error occurred. */
-- reclen = bytes != 0;
- break;
- }
- dirp->size = (size_t) bytes;
-@@ -106,29 +107,46 @@ __READDIR_R (DIR *dirp, DIRENT_TYPE *entry, DIRENT_TYPE **result)
- dirp->filepos += reclen;
- #endif
-
-- /* Skip deleted files. */
-+#ifdef NAME_MAX
-+ if (reclen > offsetof (DIRENT_TYPE, d_name) + NAME_MAX + 1)
-+ {
-+ /* The record is very long. It could still fit into the
-+ caller-supplied buffer if we can skip padding at the
-+ end. */
-+ size_t namelen = _D_EXACT_NAMLEN (dp);
-+ if (namelen <= NAME_MAX)
-+ reclen = offsetof (DIRENT_TYPE, d_name) + namelen + 1;
-+ else
-+ {
-+ /* The name is too long. Ignore this file. */
-+ dirp->errcode = ENAMETOOLONG;
-+ dp->d_ino = 0;
-+ continue;
-+ }
-+ }
-+#endif
-+
-+ /* Skip deleted and ignored files. */
- }
- while (dp->d_ino == 0);
-
- if (dp != NULL)
- {
--#ifdef GETDENTS_64BIT_ALIGNED
-- /* The d_reclen value might include padding which is not part of
-- the DIRENT_TYPE data structure. */
-- reclen = MIN (reclen,
-- offsetof (DIRENT_TYPE, d_name) + sizeof (dp->d_name));
--#endif
- *result = memcpy (entry, dp, reclen);
--#ifdef GETDENTS_64BIT_ALIGNED
-+#ifdef _DIRENT_HAVE_D_RECLEN
- entry->d_reclen = reclen;
- #endif
-+ ret = 0;
- }
- else
-- *result = NULL;
-+ {
-+ *result = NULL;
-+ ret = dirp->errcode;
-+ }
-
- __libc_lock_unlock (dirp->lock);
-
-- return dp != NULL ? 0 : reclen ? errno : 0;
-+ return ret;
- }
-
- #ifdef __READDIR_R_ALIAS
-diff --git a/sysdeps/posix/rewinddir.c b/sysdeps/posix/rewinddir.c
-index 2935a8e..d4991ad 100644
---- a/sysdeps/posix/rewinddir.c
-+++ b/sysdeps/posix/rewinddir.c
-@@ -33,6 +33,7 @@ rewinddir (dirp)
- dirp->filepos = 0;
- dirp->offset = 0;
- dirp->size = 0;
-+ dirp->errcode = 0;
- #ifndef NOT_IN_libc
- __libc_lock_unlock (dirp->lock);
- #endif
-diff --git a/sysdeps/unix/sysv/linux/i386/readdir64_r.c b/sysdeps/unix/sysv/linux/i386/readdir64_r.c
-index 8ebbcfd..a7d114e 100644
---- a/sysdeps/unix/sysv/linux/i386/readdir64_r.c
-+++ b/sysdeps/unix/sysv/linux/i386/readdir64_r.c
-@@ -18,7 +18,6 @@
- #define __READDIR_R __readdir64_r
- #define __GETDENTS __getdents64
- #define DIRENT_TYPE struct dirent64
--#define GETDENTS_64BIT_ALIGNED 1
-
- #include <sysdeps/posix/readdir_r.c>
-
-diff --git a/sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c b/sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c
-index 5ed8e95..290f2c8 100644
---- a/sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c
-+++ b/sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c
-@@ -1,5 +1,4 @@
- #define readdir64_r __no_readdir64_r_decl
--#define GETDENTS_64BIT_ALIGNED 1
- #include <sysdeps/posix/readdir_r.c>
- #undef readdir64_r
- weak_alias (__readdir_r, readdir64_r)