[37244] in bugtraq
Re: [Full-Disclosure] [HV-MED] Zip/Linux long path buffer overflow
daemon@ATHENA.MIT.EDU (Josh Bressers)
Fri Nov 5 17:59:18 2004
Date: Fri, 5 Nov 2004 16:00:58 -0500
From: Josh Bressers <bressers@redhat.com>
To: martin.pitt@canonical.com
Cc: full-disclosure@lists.netsys.com, bugtraq@securityfocus.com
Message-ID: <20041105210058.GA14805@devserv.devel.redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20041105132633.GA20046@box79162.elkhouse.de>
On Fri, Nov 05, 2004 at 02:26:33PM +0100, Martin Pitt wrote:
> I prepared a small fix for this (see below). It does not make zip work
> with long file names, but at least it exits cleanly with giving the
> reason, and does not segfault.
This fix will allow zip to create an archive with very long filenames.
I'm also changing the type of len from a signed int to size_t to prevent
trouble in the future.
--- zip-2.3/unix/unix.c.orig 2004-11-05 15:44:41.000000000 -0500
+++ zip-2.3/unix/unix.c 2004-11-05 15:50:28.000000000 -0500
@@ -319,8 +319,8 @@ iztimes *t; /* return value:
a file size of -1 */
{
struct stat s; /* results of stat() */
- char name[FNMAX];
- int len = strlen(f);
+ char *name;
+ size_t len = strlen(f);
if (f == label) {
if (a != NULL)
@@ -331,6 +331,11 @@ iztimes *t; /* return value:
t->atime = t->mtime = t->ctime = label_utim;
return label_time;
}
+
+ name = malloc(len+1);
+ if (!name)
+ return 0;
+
strcpy(name, f);
if (name[len - 1] == '/')
name[len - 1] = '\0';
--
JB
