From: Jon Trulson Date: Sun, 27 May 2012 00:39:51 +0000 (-0600) Subject: tt_isam_record.C/tt_isam_record.C: fix CERT VU#387387 part 3 X-Git-Tag: 2.2.0a~26^2~34 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=70128313e981743bff58474a631c4699c4327d91;p=oweals%2Fcde.git tt_isam_record.C/tt_isam_record.C: fix CERT VU#387387 part 3 --- diff --git a/cde/lib/tt/bin/ttdbserverd/dm_server.C b/cde/lib/tt/bin/ttdbserverd/dm_server.C index 7e550668..bd099272 100644 --- a/cde/lib/tt/bin/ttdbserverd/dm_server.C +++ b/cde/lib/tt/bin/ttdbserverd/dm_server.C @@ -927,15 +927,33 @@ _tt_isclose_1(int *isfd, SVCXPRT * /* transp */) _tt_syslog(errstr, LOG_ERR, "%s: _tt_check_stale_isfd() == 0", here ); } else { - res.result = cached_isclose(*isfd); - if (res.result != -1) { - _tt_db_table[*isfd].db_path = 0; - _tt_db_table[*isfd].opener_uid = (uid_t)-1; - } else { - _tt_syslog(errstr, LOG_ERR, "%s: isclose(): %d", - here, iserrno); - } - res.iserrno = iserrno; + // JET - 06/12/2002 + // VU#975403 - CERT TT vulnerability. By passing an invalid isfd + // a local or remote attacker can zero out 4 bytes at any location, + // thereby allowing other exploits (items 2 & 3 - delete or + // overwrite any file on the system.) + // Here, we will just check to make sure: 0 >= isfd < _TT_MAX_ISFD + + if (*isfd < 0 || *isfd >= _TT_MAX_ISFD) + { // some trickery going on? + res.result = -1; + res.iserrno = ERPC; + _tt_syslog(errstr, LOG_ERR, "%s: _tt_isclose_1: Invalid file descriptor. This may be an attempted exploit.", + here ); + } + else + { + + res.result = cached_isclose(*isfd); + if (res.result != -1) { + _tt_db_table[*isfd].db_path = 0; + _tt_db_table[*isfd].opener_uid = (uid_t)-1; + } else { + _tt_syslog(errstr, LOG_ERR, "%s: isclose(): %d", + here, iserrno); + } + res.iserrno = iserrno; + } } return (&res); } @@ -1482,6 +1500,8 @@ _tt_transaction_error(int fd) _Tt_isam_results * _tt_transaction_1(_Tt_transaction_args* args, SVCXPRT * /* transp */) { + struct stat buf; // JET - VU#975403/VU#299816 + static const char *here = "_tt_transaction_1()"; /* check for stale NetISAM file descriptor */ if (!_tt_check_stale_isfd(args->isfd)) { diff --git a/cde/lib/tt/bin/ttdbserverd/tt_isam_record.C b/cde/lib/tt/bin/ttdbserverd/tt_isam_record.C index 5d635e2e..d47d1901 100644 --- a/cde/lib/tt/bin/ttdbserverd/tt_isam_record.C +++ b/cde/lib/tt/bin/ttdbserverd/tt_isam_record.C @@ -147,8 +147,8 @@ void _Tt_isam_record::setBytes (int start, const _Tt_string &value) if (bavail <= 0) return; - if (bavail > length) - bcp = length; + if (bavail > value.len()) + bcp = value.len(); else bcp = bavail;