Fix overflow from malicious FD reported by Pasi Saarinen

diff --git a/bacula/src/dird/fd_cmds.c b/bacula/src/dird/fd_cmds.c
index 3fd03688c067717e132588973697c4815fa98a2d..e1e8ea78ee1c0fea512950aa53a4219633e74d5c 100644 (file)
--- a/bacula/src/dird/fd_cmds.c
+++ b/bacula/src/dird/fd_cmds.c
@@ -937,7 +937,7 @@ int get_attributes_and_put_in_catalog(JCR *jcr)
    BSOCK   *fd;
    int n = 0;
    ATTR_DBR *ar = NULL;
-   char digest[MAXSTRING];
+   char digest[2*(MAXSTRING+1)+1];  /* escaped version of Digest */
 
    fd = jcr->file_bsock;
    jcr->jr.FirstIndex = 1;
@@ -952,7 +952,7 @@ int get_attributes_and_put_in_catalog(JCR *jcr)
       int32_t file_index;
       int stream, len;
       char *p, *fn;
-      char Digest[MAXSTRING];      /* either Verify opts or MD5/SHA1 digest */
+      char Digest[MAXSTRING+1];      /* either Verify opts or MD5/SHA1 digest */
 
       /* Stop here if canceled */
       if (jcr->is_job_canceled()) {
@@ -960,7 +960,7 @@ int get_attributes_and_put_in_catalog(JCR *jcr)
          return 0;
       }
 
-      if ((len = sscanf(fd->msg, "%ld %d %s", &file_index, &stream, Digest)) != 3) {
+      if ((len = sscanf(fd->msg, "%ld %d %500s", &file_index, &stream, Digest)) != 3) { /* MAXSTRING */
          Jmsg(jcr, M_FATAL, 0, _("<filed: bad attributes, expected 3 fields got %d\n"
 "msglen=%d msg=%s\n"), len, fd->msglen, fd->msg);
          jcr->setJobStatus(JS_ErrorTerminated);