From: Eric Bollengier <eric@baculasystems.com>
Date: Fri, 1 May 2020 12:50:00 +0000 (+0200)
Subject: Fix overflow from malicious FD reported by Pasi Saarinen
X-Git-Tag: Release-9.6.4~49
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f9472227317b8e1d26a781d042e0efdf432a633f;p=thirdparty%2Fbacula.git

Fix overflow from malicious FD reported by Pasi Saarinen
---

diff --git a/bacula/src/dird/fd_cmds.c b/bacula/src/dird/fd_cmds.c
index 3fd03688c..e1e8ea78e 100644
--- a/bacula/src/dird/fd_cmds.c
+++ b/bacula/src/dird/fd_cmds.c
@@ -937,7 +937,7 @@ int get_attributes_and_put_in_catalog(JCR *jcr)
    BSOCK   *fd;
    int n = 0;
    ATTR_DBR *ar = NULL;
-   char digest[MAXSTRING];
+   char digest[2*(MAXSTRING+1)+1];  /* escaped version of Digest */
 
    fd = jcr->file_bsock;
    jcr->jr.FirstIndex = 1;
@@ -952,7 +952,7 @@ int get_attributes_and_put_in_catalog(JCR *jcr)
       int32_t file_index;
       int stream, len;
       char *p, *fn;
-      char Digest[MAXSTRING];      /* either Verify opts or MD5/SHA1 digest */
+      char Digest[MAXSTRING+1];      /* either Verify opts or MD5/SHA1 digest */
 
       /* Stop here if canceled */
       if (jcr->is_job_canceled()) {
@@ -960,7 +960,7 @@ int get_attributes_and_put_in_catalog(JCR *jcr)
          return 0;
       }
 
-      if ((len = sscanf(fd->msg, "%ld %d %s", &file_index, &stream, Digest)) != 3) {
+      if ((len = sscanf(fd->msg, "%ld %d %500s", &file_index, &stream, Digest)) != 3) { /* MAXSTRING */
          Jmsg(jcr, M_FATAL, 0, _("<filed: bad attributes, expected 3 fields got %d\n"
 "msglen=%d msg=%s\n"), len, fd->msglen, fd->msg);
          jcr->setJobStatus(JS_ErrorTerminated);