From 7953af970d9a4c3e767f6dc4a89657644dfb5b5a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Wed, 5 Feb 2014 15:02:34 +0100 Subject: [PATCH] backups: fix buffer overflow in tar2qfile Buffer for directory headers history was too small. This can be exploitable by some attacker capable of controlling backup stream, but it isn't any security problem. We don't assume this part of backup system to be trusted, the attacker can at most prevent user from restoring some data, but will neither gain access to them, or compromise any other Qubes component. This is equivalent to bug in any other tool used in backup vm (like FTP client) and the Qubes backup system is designed specifically to minimize impact of such bugs. --- qubes-rpc/tar2qfile.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/qubes-rpc/tar2qfile.c b/qubes-rpc/tar2qfile.c index 4762a2b..d508a1f 100644 --- a/qubes-rpc/tar2qfile.c +++ b/qubes-rpc/tar2qfile.c @@ -756,7 +756,7 @@ ustar_rd (int fd, struct file_header * untrusted_hdr, char *buf, struct stat * s #ifdef DEBUG fprintf(stderr,"Inserting %s into register\n",path); #endif - dirs_headers_sent = realloc(dirs_headers_sent, sizeof (char*) * n_dirs++); + dirs_headers_sent = realloc(dirs_headers_sent, sizeof (char*) * (++n_dirs)); if (dirs_headers_sent == NULL) return MEMORY_ALLOC_FAILED; dirs_headers_sent[n_dirs-1] = malloc(sizeof (char) * (strlen(path)+1));