Description: Address memory corruption and information leakage cheery-pick from upstream git commit 42896939822b44f44ecd1b6d35afdfa4473ed35d
Author: Jörg Frings-Fürst
Origin: https://anonscm.debian.org/cgit/sane/sane-backends.git/commit/frontend/saned.c?id=42896939822b44f44ecd1b6d35afdfa4473ed35d
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854804
Forwarded: not-needed
Last-Update: 2017-04-19
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
Index: 1.0.25-3x/frontend/saned.c
===================================================================
--- 1.0.25-3x.orig/frontend/saned.c
+++ 1.0.25-3x/frontend/saned.c
@@ -1987,6 +1987,38 @@ process_request (Wire * w)
 return 1;
 }
+ /* Addresses CVE-2017-6318 (#315576, Debian BTS #853804) */
+ /* This is done here (rather than in sanei/sanei_wire.c where
+ * it should be done) to minimize scope of impact and amount
+ * of code change.
+ */
+ if (w->direction == WIRE_DECODE
+ && req.value_type == SANE_TYPE_STRING
+ && req.action == SANE_ACTION_GET_VALUE)
+ {
+ if (req.value)
+ {
+ /* FIXME: If req.value contains embedded NUL
+ * characters, this is wrong but we do not have
+ * access to the amount of memory allocated in
+ * sanei/sanei_wire.c at this point.
+ */
+ w->allocated_memory -= (1 + strlen (req.value));
+ free (req.value);
+ }
+ req.value = malloc (req.value_size);
+ if (!req.value)
+ {
+ w->status = ENOMEM;
+ DBG (DBG_ERR,
+ "process_request: (control_option) "
+ "h=%d (%s)\n", req.handle, strerror (w->status));
+ return 1;
+ }
+ memset (req.value, 0, req.value_size);
+ w->allocated_memory += req.value_size;
+ }
+
 can_authorize = 1;
 memset (&reply, 0, sizeof (reply)); /* avoid leaking bits */