43 lines
1.7 KiB
Diff
43 lines
1.7 KiB
Diff
diff -up sane-backends-1.0.25/frontend/saned.c.CVE-2017-6318 sane-backends-1.0.25/frontend/saned.c
|
|
--- sane-backends-1.0.25/frontend/saned.c.CVE-2017-6318 2017-03-22 09:05:09.884788366 +0100
|
|
+++ sane-backends-1.0.25/frontend/saned.c 2017-03-22 16:58:20.393869129 +0100
|
|
@@ -1986,6 +1986,38 @@ process_request (Wire * w)
|
|
return 1;
|
|
}
|
|
|
|
+ /* Addresses CVE-2017-6318 (#315576, Debian BTS #853804) */
|
|
+ /* This is done here (rather than in sanei/sanei_wire.c where
|
|
+ * it should be done) to minimize scope of impact and amount
|
|
+ * of code change.
|
|
+ */
|
|
+ if (w->direction == WIRE_DECODE
|
|
+ && req.value_type == SANE_TYPE_STRING
|
|
+ && req.action == SANE_ACTION_GET_VALUE)
|
|
+ {
|
|
+ if (req.value)
|
|
+ {
|
|
+ /* FIXME: If req.value contains embedded NUL
|
|
+ * characters, this is wrong but we do not have
|
|
+ * access to the amount of memory allocated in
|
|
+ * sanei/sanei_wire.c at this point.
|
|
+ */
|
|
+ w->allocated_memory -= (1 + strlen (req.value));
|
|
+ free (req.value);
|
|
+ }
|
|
+ req.value = malloc (req.value_size);
|
|
+ if (!req.value)
|
|
+ {
|
|
+ w->status = ENOMEM;
|
|
+ DBG (DBG_ERR,
|
|
+ "process_request: (control_option) "
|
|
+ "h=%d (%s)\n", req.handle, strerror (w->status));
|
|
+ return 1;
|
|
+ }
|
|
+ memset (req.value, 0, req.value_size);
|
|
+ w->allocated_memory += req.value_size;
|
|
+ }
|
|
+
|
|
can_authorize = 1;
|
|
|
|
memset (&reply, 0, sizeof (reply)); /* avoid leaking bits */
|