backups: fix buffer overflow in tar2qfile

Buffer for directory headers history was too small. This can be exploitable by some attacker capable of controlling backup stream, but it isn't any security problem. We don't assume this part of backup system to be trusted, the attacker can at most prevent user from restoring some data, but will neither gain access to them, or compromise any other Qubes component. This is equivalent to bug in any other tool used in backup vm (like FTP client) and the Qubes backup system is designed specifically to minimize impact of such bugs.
2014-02-05 15:02:34 +01:00 · 2014-02-05 15:02:34 +01:00 · 7953af970d
commit 7953af970d
parent e9eb43e026
1 changed files with 1 additions and 1 deletions
--- a/qubes-rpc/tar2qfile.c
+++ b/qubes-rpc/tar2qfile.c
@ -756,7 +756,7 @@ ustar_rd (int fd, struct file_header * untrusted_hdr, char *buf, struct stat * s
 #ifdef DEBUG
 			fprintf(stderr,"Inserting %s into register\n",path);
 #endif
-			dirs_headers_sent = realloc(dirs_headers_sent, sizeof (char*) * n_dirs++);
+			dirs_headers_sent = realloc(dirs_headers_sent, sizeof (char*) * (++n_dirs));
 			if (dirs_headers_sent == NULL)
 				return MEMORY_ALLOC_FAILED;
 			dirs_headers_sent[n_dirs-1] = malloc(sizeof (char) * (strlen(path)+1));