Andrew Geissler | 8fc454f | 2020-12-11 16:27:59 -0600 | 1 | Upstream-status: Backport |
| 2 | CVE: CVE-2020-29394 |
| 3 | From 7f5cd5404a03fa330e192084f6bdafb2dc9bdcb7 Mon Sep 17 00:00:00 2001 |
| 4 | From: GwanYeong Kim <gy741.kim@gmail.com> |
| 5 | Date: Sat, 28 Nov 2020 12:24:46 +0900 |
| 6 | Subject: [PATCH] dlt_common: Fix buffer overflow in dlt_filter_load |
| 7 | |
| 8 | A buffer overflow in the dlt_filter_load function in dlt_common.c in dlt-daemon allows arbitrary code execution via an unsafe usage of fscanf, because it does not limit the number of characters to be read in a format argument. |
| 9 | |
| 10 | Fixed: #274 |
| 11 | |
| 12 | Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> |
| 13 | --- |
| 14 | src/shared/dlt_common.c | 4 ++-- |
| 15 | 1 file changed, 2 insertions(+), 2 deletions(-) |
| 16 | |
| 17 | diff --git a/src/shared/dlt_common.c b/src/shared/dlt_common.c |
| 18 | index 254f4ce4..d15b1cec 100644 |
| 19 | --- a/src/shared/dlt_common.c |
| 20 | +++ b/src/shared/dlt_common.c |
| 21 | @@ -404,7 +404,7 @@ DltReturnValue dlt_filter_load(DltFilter *filter, const char *filename, int verb |
| 22 | while (!feof(handle)) { |
| 23 | str1[0] = 0; |
| 24 | |
| 25 | - if (fscanf(handle, "%s", str1) != 1) |
| 26 | + if (fscanf(handle, "%254s", str1) != 1) |
| 27 | break; |
| 28 | |
| 29 | if (str1[0] == 0) |
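Review bot: the new width in `fscanf(handle, "%254s", str1)` is only safe if `str1` holds at least 255 bytes (254 characters plus the terminating NUL), and the hunk does not show the declaration of `str1`, so the relationship between the two is invisible at the point of change; consider deriving the width from the buffer size (for example a `#define` used both for the array length and for building the format string) rather than a bare literal, so a later resize of `str1` cannot silently reintroduce the overflow. Note also that `%254s` stops reading at 254 characters and leaves the rest of an over-long token in the stream, where the next `fscanf` will pick it up as a separate token; a filter file with an over-long entry is therefore parsed as two entries instead of being rejected. A check such as `strlen(str1) == 254` followed by a non-whitespace peek would let the loader report the malformed file rather than continue.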
| 30 | @@ -419,7 +419,7 @@ DltReturnValue dlt_filter_load(DltFilter *filter, const char *filename, int verb |
| 31 | |
| 32 | str1[0] = 0; |
| 33 | |
| 34 | - if (fscanf(handle, "%s", str1) != 1) |
| 35 | + if (fscanf(handle, "%254s", str1) != 1) |
| 36 | break; |
| 37 | |
| 38 | if (str1[0] == 0) |
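Review bot: this second `fscanf(handle, "%254s", str1)` repeats the same literal width as the first hunk, so the buffer size is now encoded in three places (the declaration of `str1` and two format strings) that must be kept in step by hand; a single named constant for the width, or a format string built once from `sizeof(str1) - 1`, would remove that duplication and make the bound auditable in one place. The two call sites also share the same truncation behaviour, so whatever handling is chosen for an over-long token in the first hunk should be applied here as well.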