File libbsd-0.8.7-CVE-2019-20367.patch of Package libbsd.13768

Overview Repositories Revisions Requests Users Attributes Meta

File libbsd-0.8.7-CVE-2019-20367.patch of Package libbsd.13768

From 9d917aad37778a9f4a96ba358415f077f3f36f3b Mon Sep 17 00:00:00 2001
From: Guillem Jover <guillem@hadrons.org>
Date: Wed, 7 Aug 2019 22:58:30 +0200
Subject: [PATCH] nlist: Fix out-of-bounds read on strtab

When doing a string comparison for a symbol name from the string table,
we should make sure we do a bounded comparison, otherwise a non-NUL
terminated string might make the code read out-of-bounds.

Warned-by: coverity
---
 src/nlist.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/nlist.c b/src/nlist.c
index 8aa46a2..228c220 100644
--- a/src/nlist.c
+++ b/src/nlist.c
@@ -236,16 +236,18 @@ __fdnlist(int fd, struct nlist *list)
 		symsize -= cc;
 		for (s = sbuf; cc > 0 && nent > 0; ++s, cc -= sizeof(*s)) {
 			char *name;
+			Elf_Word size;
 			struct nlist *p;
 
 			name = strtab + s->st_name;
 			if (name[0] == '\0')
 				continue;
+			size = symstrsize - s->st_name;
 
 			for (p = list; !ISLAST(p); p++) {
 				if ((p->n_un.n_name[0] == '_' &&
-				    strcmp(name, p->n_un.n_name+1) == 0)
-				    || strcmp(name, p->n_un.n_name) == 0) {
+				     strncmp(name, p->n_un.n_name+1, size) == 0) ||
+				    strncmp(name, p->n_un.n_name, size) == 0) {
 					elf_sym_to_nlist(p, s, shdr,
 					    ehdr.e_shnum);
 					if (--nent <= 0)
-- 
2.24.1

Places

File libbsd-0.8.7-CVE-2019-20367.patch of Package libbsd.13768

Places