patch 9.1.2148: [security]: Buffer overflow in netbeans interface

Problem:  [security]: Buffer overflow in netbeans special_keys() handling
Solution: Limit writing to max KEYBUFLEN bytes to prevent writing out of
          bounds.

Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-9w5c-hwr9-hc68

Signed-off-by: Christian Brabandt <cb@256bit.org>

diff --git a/runtime/doc/version9.txt b/runtime/doc/version9.txt
index a34d6c8724852474b6722a3c50ae2d8dc99d3f81..4c673bf97d9b0593fdbbbb88a5ae00609a374f7a 100644 (file)
--- a/runtime/doc/version9.txt
+++ b/runtime/doc/version9.txt
@@ -52561,4 +52561,9 @@ Patch 9.1.2147
 Problem:  Compile warning in strings.c
 Solution: Use const qualifier (John Marriott).
 
+Patch 9.1.2148
+Problem:  [security]: Buffer overflow in netbeans special_keys() handling
+Solution: Limit writing to max KEYBUFLEN bytes to prevent writing out of
+          bounds.
+
  vim:tw=78:ts=8:noet:ft=help:norl:fdm=manual:nofoldenable

diff --git a/src/netbeans.c b/src/netbeans.c
index 0f17c1b00a682a8f91489e53e7fd7e38030a683c..a098adc3027050c44e7ad936c11e315357c34aa9 100644 (file)
--- a/src/netbeans.c
+++ b/src/netbeans.c
@@ -2302,7 +2302,7 @@ special_keys(char_u *args)
        if ((sep = strchr(tok, '-')) != NULL)
        {
            *sep = NUL;
-           while (*tok)
+           while (*tok && i + 2 < KEYBUFLEN)
            {
                switch (*tok)
                {

diff --git a/src/testdir/test_netbeans.py b/src/testdir/test_netbeans.py
index 0d6b0968042a7d4d9408969d130e7300f6fd2b16..585886fb4054cf58b2e32824445989fb7936e6e5 100644 (file)
--- a/src/testdir/test_netbeans.py
+++ b/src/testdir/test_netbeans.py
@@ -112,7 +112,9 @@ class ThreadedTCPRequestHandler(socketserver.BaseRequestHandler):
                   'startAtomic_Test' : '0:startAtomic!94\n',
                   'endAtomic_Test' : '0:endAtomic!95\n',
                   'AnnoScale_Test' : "".join(['2:defineAnnoType!60 ' + str(i) + ' "s' + str(i) + '" "x" "=>" blue none\n' for i in range(2, 26)]),
-                  'detach_Test' : '2:close!96\n1:close!97\nDETACH\n'
+                  'detach_Test' : '2:close!96\n1:close!97\nDETACH\n',
+                  'specialKeys_overflow_Test' : '0:specialKeys!200 "' + 'A'*80 + '-X"\n'
+
                 }
                 # execute the specified test
                 if cmd not in testmap:

diff --git a/src/testdir/test_netbeans.vim b/src/testdir/test_netbeans.vim
index d3d5e8baf263495356e33eff3c82ed2a8ad10552..d1be5066ef28d7d3d809f6d079f590f1254cab47 100644 (file)
--- a/src/testdir/test_netbeans.vim
+++ b/src/testdir/test_netbeans.vim
@@ -958,6 +958,58 @@ func Nb_bwipe_buffer(port)
   sleep 10m
 endfunc
 
+func Nb_specialKeys_overflow(port)
+  call delete("Xnetbeans")
+  call writefile([], "Xnetbeans")
+
+  " Last line number in the Xnetbeans file. Used to verify the result of the
+  " communication with the netbeans server
+  let g:last = 0
+
+  " Establish the connection with the netbeans server
+  exe 'nbstart :localhost:' .. a:port .. ':bunny'
+  call WaitFor('len(ReadXnetbeans()) > (g:last + 2)')
+  let l = ReadXnetbeans()
+  call assert_equal(['AUTH bunny',
+        \ '0:version=0 "2.5"',
+        \ '0:startupDone=0'], l[-3:])
+  let g:last += 3
+
+  " Open the command buffer to communicate with the server
+  split Xcmdbuf
+  let cmdbufnr = bufnr()
+  call WaitFor('len(ReadXnetbeans()) > (g:last + 2)')
+  let l = ReadXnetbeans()
+  call assert_equal('0:fileOpened=0 "Xcmdbuf" T F',
+        \ substitute(l[-3], '".*/', '"', ''))
+  call assert_equal('send: 1:putBufferNumber!15 "Xcmdbuf"',
+        \ substitute(l[-2], '".*/', '"', ''))
+  call assert_equal('1:startDocumentListen!16', l[-1])
+  let g:last += 3
+
+  " Keep the command buffer loaded for communication
+  hide
+
+  sleep 1m
+
+  " Open the command buffer to communicate with the server
+  split Xcmdbuf
+  let cmdbufnr = bufnr()
+  call appendbufline(cmdbufnr, '$', 'specialKeys_overflow_Test')
+  call WaitFor('len(ReadXnetbeans()) >= (g:last + 6)')
+  call WaitForAssert({-> assert_match('send: 0:specialKeys!200 "A\{80}-X"',
+        \ ReadXnetbeans()[-1])})
+
+  " Verify that specialKeys test, still works after the previous junk
+  call appendbufline(cmdbufnr, '$', 'specialKeys_Test')
+  call WaitFor('len(ReadXnetbeans()) >= (g:last + 1)')
+  call WaitForAssert({-> assert_match('^send: 0:specialKeys!91 "F12 F13 C-F13"$',
+        \ ReadXnetbeans()[-1])})
+  let g:last += 1
+
+  sleep 10m
+endfunc
+
 " This test used to reference a buffer after it was freed leading to an ASAN
 " error.
 func Test_nb_bwipe_buffer()
@@ -967,4 +1019,9 @@ func Test_nb_bwipe_buffer()
   nbclose
 endfunc
 
+" Verify that the specialKeys argument does not overflow
+func Test_nb_specialKeys_overflow()
+  call s:run_server('Nb_specialKeys_overflow')
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab

diff --git a/src/version.c b/src/version.c
index b521788dd145c7dbf1e0a2ad468bc3599b12703a..bd45d021654d207c71e59621dad3350dc1a04b0c 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    2148,
 /**/
     2147,
 /**/