Update guest OS strings in guest_os.h:
authorOliver Kurth <okurth@vmware.com>
Fri, 15 Sep 2017 18:23:22 +0000 (11:23 -0700)
committerOliver Kurth <okurth@vmware.com>
Fri, 15 Sep 2017 18:23:22 +0000 (11:23 -0700)
  - Update "Other Linux 3.x kernel" to "Other Linux 3.x or later kernel".

Add checks to services/plugins/dndcp/dnd/dndCPMsgV4.c to validate packet
and payload size to prevent out-of-bounds reads and writes.

Correct the requestNextCmd parameter used when asking for the next piece
of a big binary transfer in RpcV4Util::RequestNextPacket().

Common header file change; not applicable to open-vm-tools.

open-vm-tools/lib/include/guest_os.h
open-vm-tools/lib/include/vm_product_versions.h
open-vm-tools/services/plugins/dndcp/dnd/dndCPMsgV4.c
open-vm-tools/services/plugins/dndcp/dndGuest/rpcV4Util.cpp

index 72f8e2393f68d7bf29b8171dad1f658d424656ae..e80a75e1bc3cc6f9ad277f4eb0dbff1695bbfcdc 100644 (file)
@@ -261,7 +261,7 @@ Bool Gos_InSetArray(uint32 gos, const uint32 *set);
 #define STR_OS_OTHER_26           "other26xlinux"
 #define STR_OS_OTHER_26_FULL      "Other Linux 2.6.x kernel"
 #define STR_OS_OTHER_3X           "other3xlinux"
-#define STR_OS_OTHER_3X_FULL      "Other Linux 3.x kernel"
+#define STR_OS_OTHER_3X_FULL      "Other Linux 3.x or later kernel"
 #define STR_OS_PHOTON             "vmware-photon"
 #define STR_OS_PHOTON_FULL        "VMware Photon OS"
 #define STR_OS_PLD                "PLD"
index a72ab9240091b6b0a77ae1d2afd6a73990ef3628..86388f893412538189a7ec9074592b09cf7761e2 100644 (file)
 #define PRODUCT_VERSION_SCALABLE_SERVER_51 PRODUCT_ESXI_BRIEF_NAME " 5.1"
 #define PRODUCT_VERSION_SCALABLE_SERVER_55 PRODUCT_ESXI_BRIEF_NAME " 5.5"
 #define PRODUCT_VERSION_SCALABLE_SERVER_60 PRODUCT_ESXI_BRIEF_NAME " 6.0"
+#define PRODUCT_VERSION_SCALABLE_SERVER_65 PRODUCT_ESXI_BRIEF_NAME " 6.5"
 #define PRODUCT_VERSION_WGS_1 "Server 1.x"
 #define PRODUCT_VERSION_WGS_2 "Server 2.x"
 #define PRODUCT_VERSION_GSX_3 "GSX Server 3.x"
 #define PRODUCT_VERSION_WORKSTATION_100 PRODUCT_WORKSTATION_BRIEF_NAME " 10.x"
 #define PRODUCT_VERSION_WORKSTATION_110 PRODUCT_WORKSTATION_BRIEF_NAME " 11.x"
 #define PRODUCT_VERSION_WORKSTATION_120 PRODUCT_WORKSTATION_BRIEF_NAME " 12.0"
+#define PRODUCT_VERSION_WORKSTATION_130 PRODUCT_WORKSTATION_BRIEF_NAME " 2017"
 #define PRODUCT_VERSION_WORKSTATION_ENTERPRISE_1 "ACE 1.x"
 #define PRODUCT_VERSION_WORKSTATION_ENTERPRISE_2 "ACE 2.0"
 #define PRODUCT_VERSION_WORKSTATION_ENTERPRISE_25 "ACE 2.5"
 #define PRODUCT_VERSION_MAC_DESKTOP_60 PRODUCT_MAC_DESKTOP_BRIEF_NAME " 6.x"
 #define PRODUCT_VERSION_MAC_DESKTOP_70 PRODUCT_MAC_DESKTOP_BRIEF_NAME " 7.x"
 #define PRODUCT_VERSION_MAC_DESKTOP_80 PRODUCT_MAC_DESKTOP_BRIEF_NAME " 8.x"
+#define PRODUCT_VERSION_MAC_DESKTOP_90 PRODUCT_MAC_DESKTOP_BRIEF_NAME " 2017"
 #endif
index 690b06451993ea4be6d819c0b4c79558f47abdc3..68f5a7f376fb497673d5f25d7546ea0e8330d07a 100644 (file)
@@ -56,6 +56,11 @@ DnDCPMsgV4IsPacketValid(const uint8 *packet,
       return FALSE;
    }
 
+   /* Payload size plus header size should not be greater than packet size. */
+   if (msgHdr->payloadSize + DND_CP_MSG_HEADERSIZE_V4 > packetSize) {
+      return FALSE;
+   }
+
    /* Binary size is not valid. */
    if (msgHdr->binarySize > DND_CP_MSG_MAX_BINARY_SIZE_V4) {
       return FALSE;
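Review bot: The bound added to DnDCPMsgV4IsPacketValid is written as a sum, `msgHdr->payloadSize + DND_CP_MSG_HEADERSIZE_V4 > packetSize`, which is only correct if the addition cannot wrap. Whether payloadSize is already capped by the check that ends just above the hunk is not visible here. The subtraction form `if (msgHdr->payloadSize > packetSize - DND_CP_MSG_HEADERSIZE_V4) {` does not depend on that cap, assuming the function has already rejected a packetSize smaller than the header, which would also be above the hunk. The check added in DnDCPMsgV4_UnserializeMultiple has the same shape and could be written as `if (msg->hdr.payloadOffset > msg->hdr.binarySize || msgHdr->payloadSize > msg->hdr.binarySize - msg->hdr.payloadOffset) {`. Both function bodies start and end outside their hunks.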
@@ -284,6 +289,16 @@ DnDCPMsgV4_UnserializeMultiple(DnDCPMsgV4 *msg,
       msg->binary = Util_SafeMalloc(msg->hdr.binarySize);
    }
 
+   /*
+    * Please notice msg->hdr may be different from msgHdr if this is not the
+    * first packet. We need to make sure we have sufficient buffer to contain
+    * the payload indicated by the new header(msgHdr), which may have been
+    * faked. Otherwise heap overflow will occur.
+    */
+   if (msg->hdr.binarySize < msg->hdr.payloadOffset + msgHdr->payloadSize) {
+      return FALSE;
+   }
+
    /* msg->hdr.payloadOffset is used as received binary size. */
    memcpy(msg->binary + msg->hdr.payloadOffset,
           packet + DND_CP_MSG_HEADERSIZE_V4,
index b5f49afd07d36888681d83ec7b623de7d71db488..e97be6929fc9e42fb5fd5d6c88372c3bd1ddaa9f 100644 (file)
@@ -313,8 +313,8 @@ RpcV4Util::RequestNextPacket(void)
    params.cmd = DNDCP_CMD_REQUEST_NEXT;
    params.sessionId = mBigMsgIn.hdr.sessionId;
    params.optional.requestNextCmd.cmd = mBigMsgIn.hdr.cmd;
-   params.optional.requestNextCmd.cmd = mBigMsgIn.hdr.binarySize;
-   params.optional.requestNextCmd.cmd = mBigMsgIn.hdr.payloadOffset;
+   params.optional.requestNextCmd.binarySize = mBigMsgIn.hdr.binarySize;
+   params.optional.requestNextCmd.payloadOffset = mBigMsgIn.hdr.payloadOffset;
 
    return SendMsg(&params);
 }