[evolution-patches] camel lock helper security fix




This should apply to all versions of evolution.

--
Michael Zucchi <notzed ximian com>
"Ride, Work, Sleep. Beer."
Novell's Evolution and Free Software Developer
Index: camel/ChangeLog
===================================================================
RCS file: /cvs/gnome/evolution/camel/Attic/ChangeLog,v
retrieving revision 1.2251.2.31
diff -u -p -r1.2251.2.31 ChangeLog
--- camel/ChangeLog	11 Jan 2005 05:15:51 -0000	1.2251.2.31
+++ camel/ChangeLog	20 Jan 2005 05:49:30 -0000
@@ -1,3 +1,10 @@
+2005-01-20  Not Zed  <NotZed Ximian com>
+
+	* camel-lock-helper.c (main): since malloc(MAXINT+1) returns a
+	valid pointer, validate the length of the path before using it.
+	set maximum path to 65000 characters.  Spotted by Max Vozeler
+	<max hinterhof net>
+
 2005-01-11  Not Zed  <NotZed Ximian com>
 
 	** See bug #70919.
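Review bot: The ChangeLog entry gives the maximum path as 65000 characters, but the check added in camel-lock-helper.c is `msg.data > 0xffff`, which accepts lengths up to 65535. The entry should state the limit the code actually enforces. It would also help to name the `msg.data+1` size computation on a length read from the client as the thing being guarded, since "malloc(MAXINT+1) returns a valid pointer" does not say where the bad size comes from.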
Index: camel/camel-lock-helper.c
===================================================================
RCS file: /cvs/gnome/evolution/camel/Attic/camel-lock-helper.c,v
retrieving revision 1.5
diff -u -p -r1.5 camel-lock-helper.c
--- camel/camel-lock-helper.c	27 Oct 2001 16:59:27 -0000	1.5
+++ camel/camel-lock-helper.c	20 Jan 2005 05:49:30 -0000
@@ -360,8 +360,9 @@ int main(int argc, char **argv)
 			switch(msg.id) {
 			case CAMEL_LOCK_HELPER_LOCK:
 				res = CAMEL_LOCK_HELPER_STATUS_NOMEM;
-				path = malloc(msg.data+1);
-				if (path != NULL) {
+				if (msg.data > 0xffff) {
+					res = CAMEL_LOCK_HELPER_STATUS_PROTOCOL;
+				} else if ((path = malloc(msg.data+1)) != NULL) {
 					res = CAMEL_LOCK_HELPER_STATUS_PROTOCOL;
 					len = read_n(STDIN_FILENO, path, msg.data);
 					if (len == msg.data) {
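Review bot: The new `if (msg.data > 0xffff)` test in the CAMEL_LOCK_HELPER_LOCK case bounds only the upper end, and the type of `msg.data` is not visible in this hunk. If it is signed, a negative length passes the test and still reaches `malloc(msg.data+1)` and `read_n(STDIN_FILENO, path, msg.data)`. Please confirm the field is unsigned, or make the comparison explicitly unsigned. Two smaller points: the bare 0xffff would read better as a named constant with a comment, which would also keep it in step with the ChangeLog. The rejected branch sets CAMEL_LOCK_HELPER_STATUS_PROTOCOL without consuming the path bytes that the accepted branch reads from stdin, so if the helper keeps processing messages after this error, the next read starts in the middle of the unread path.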

