debian/patches/CVE-2015-8619-hmp-oob-write.patch

   1 From b0363f4c0e91671064dd7ffece8a6923c8dcaf20 Mon Sep 17 00:00:00 2001
   2 From: Prasad J Pandit <pjp@fedoraproject.org>
   3 Date: Thu, 17 Dec 2015 17:47:15 +0530
   4 Subject: [PATCH] hmp: avoid redundant null termination of buffer
   5
   6 When processing 'sendkey' command, hmp_sendkey routine null
   7 terminates the 'keyname_buf' array. This results in an OOB write
   8 issue, if 'keyname_len' was to fall outside of 'keyname_buf' array.
   9 Removed the redundant null termination, as pstrcpy routine already
  10 null terminates the target buffer.
  11
  12 Reported-by: Ling Liu <liuling-it@360.cn>
  13 Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
  14 ---
  15   hmp.c | 2 --
  16   1 file changed, 2 deletions(-)
  17
  18 diff --git a/hmp.c b/hmp.c
  19 index 2140605..e530c9c 100644
  20 --- a/hmp.c
  21 +++ b/hmp.c
  22 @@ -1746,9 +1746,7 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict)
  23          /* Be compatible with old interface, convert user inputted "<" */
  24          if (!strncmp(keyname_buf, "<", 1) && keyname_len == 1) {
  25              pstrcpy(keyname_buf, sizeof(keyname_buf), "less");
  26 -            keyname_len = 4;
  27          }
  28 -        keyname_buf[keyname_len] = 0;
  29
  30          keylist = g_malloc0(sizeof(*keylist));
  31          keylist->value = g_malloc0(sizeof(*keylist->value));
  32 --
  33 2.4.3
  34 ===