summaryrefslogtreecommitdiff
path: root/debian/patches/0500-CVE-2017-6318.patch
blob: e79388864641f4f285887ecf15c93641305e097a (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
Description: Address memory corruption and information leakage
 cheery-pick from upstream git commit 42896939822b44f44ecd1b6d35afdfa4473ed35d
Author: Jörg Frings-Fürst <debian@jff-webhosting.net>
Origin: https://anonscm.debian.org/cgit/sane/sane-backends.git/commit/frontend/saned.c?id=42896939822b44f44ecd1b6d35afdfa4473ed35d
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854804
Forwarded: not-needed
Last-Update: 2017-04-19
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
Index: 1.0.25-3x/frontend/saned.c
===================================================================
--- 1.0.25-3x.orig/frontend/saned.c
+++ 1.0.25-3x/frontend/saned.c
@@ -1987,6 +1987,38 @@ process_request (Wire * w)
 	    return 1;
 	  }
 
+        /* Addresses CVE-2017-6318 (#315576, Debian BTS #853804) */
+        /* This is done here (rather than in sanei/sanei_wire.c where
+         * it should be done) to minimize scope of impact and amount
+         * of code change.
+         */
+        if (w->direction == WIRE_DECODE
+            && req.value_type == SANE_TYPE_STRING
+            && req.action     == SANE_ACTION_GET_VALUE)
+          {
+            if (req.value)
+              {
+                /* FIXME: If req.value contains embedded NUL
+                 *        characters, this is wrong but we do not have
+                 *        access to the amount of memory allocated in
+                 *        sanei/sanei_wire.c at this point.
+                 */
+                w->allocated_memory -= (1 + strlen (req.value));
+                free (req.value);
+              }
+            req.value = malloc (req.value_size);
+            if (!req.value)
+              {
+                w->status = ENOMEM;
+                DBG (DBG_ERR,
+                     "process_request: (control_option) "
+                     "h=%d (%s)\n", req.handle, strerror (w->status));
+                return 1;
+              }
+            memset (req.value, 0, req.value_size);
+            w->allocated_memory += req.value_size;
+          }
+
 	can_authorize = 1;
 
 	memset (&reply, 0, sizeof (reply));	/* avoid leaking bits */