| Upstream-status: Backport |
| CVE: CVE-2020-29394 |
| From 7f5cd5404a03fa330e192084f6bdafb2dc9bdcb7 Mon Sep 17 00:00:00 2001 |
| From: GwanYeong Kim <gy741.kim@gmail.com> |
| Date: Sat, 28 Nov 2020 12:24:46 +0900 |
| Subject: [PATCH] dlt_common: Fix buffer overflow in dlt_filter_load |
| |
| A buffer overflow in the dlt_filter_load function in dlt_common.c in dlt-daemon allows arbitrary code execution via an unsafe usage of fscanf, because it does not limit the number of characters to be read in a format argument. |
| |
| Fixed: #274 |
| |
| Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> |
| --- |
| src/shared/dlt_common.c | 4 ++-- |
| 1 file changed, 2 insertions(+), 2 deletions(-) |
| |
| diff --git a/src/shared/dlt_common.c b/src/shared/dlt_common.c |
| index 254f4ce4..d15b1cec 100644 |
| --- a/src/shared/dlt_common.c |
| +++ b/src/shared/dlt_common.c |
| @@ -404,7 +404,7 @@ DltReturnValue dlt_filter_load(DltFilter *filter, const char *filename, int verb |
| while (!feof(handle)) { |
| str1[0] = 0; |
| |
| - if (fscanf(handle, "%s", str1) != 1) |
| + if (fscanf(handle, "%254s", str1) != 1) |
| break; |
| |
| if (str1[0] == 0) |
| @@ -419,7 +419,7 @@ DltReturnValue dlt_filter_load(DltFilter *filter, const char *filename, int verb |
| |
| str1[0] = 0; |
| |
| - if (fscanf(handle, "%s", str1) != 1) |
| + if (fscanf(handle, "%254s", str1) != 1) |
| break; |
| |
| if (str1[0] == 0) |