[evolution-patches] camel lock helper security fix
- From: Not Zed <notzed ximian com>
- To: asdf <evolution-patches lists ximian com>
- Subject: [evolution-patches] camel lock helper security fix
- Date: Thu, 20 Jan 2005 13:49:12 +0800
This should apply to all versions of evolution.
Index: camel/ChangeLog
===================================================================
RCS file: /cvs/gnome/evolution/camel/Attic/ChangeLog,v
retrieving revision 1.2251.2.31
diff -u -p -r1.2251.2.31 ChangeLog
--- camel/ChangeLog 11 Jan 2005 05:15:51 -0000 1.2251.2.31
+++ camel/ChangeLog 20 Jan 2005 05:49:30 -0000
@@ -1,3 +1,10 @@
+2005-01-20 Not Zed <NotZed Ximian com>
+
+ * camel-lock-helper.c (main): since malloc(MAXINT+1) returns a
+ valid pointer, validate the length of the path before using it.
+ set maximum path to 65000 characters. Spotted by Max Vozeler
+ <max hinterhof net>
+
2005-01-11 Not Zed <NotZed Ximian com>
** See bug #70919.
Index: camel/camel-lock-helper.c
===================================================================
RCS file: /cvs/gnome/evolution/camel/Attic/camel-lock-helper.c,v
retrieving revision 1.5
diff -u -p -r1.5 camel-lock-helper.c
--- camel/camel-lock-helper.c 27 Oct 2001 16:59:27 -0000 1.5
+++ camel/camel-lock-helper.c 20 Jan 2005 05:49:30 -0000
@@ -360,8 +360,9 @@ int main(int argc, char **argv)
switch(msg.id) {
case CAMEL_LOCK_HELPER_LOCK:
res = CAMEL_LOCK_HELPER_STATUS_NOMEM;
- path = malloc(msg.data+1);
- if (path != NULL) {
+ if (msg.data > 0xffff) {
+ res = CAMEL_LOCK_HELPER_STATUS_PROTOCOL;
+ } else if ((path = malloc(msg.data+1)) != NULL) {
res = CAMEL_LOCK_HELPER_STATUS_PROTOCOL;
len = read_n(STDIN_FILENO, path, msg.data);
if (len == msg.data) {
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]