opensourcemirror
/
opnsense-src
mirror of https://github.com/opnsense/src.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Fix remote code execution in ggatec(8). 

Approved by:    so
Security:       SA-21:14.ggatec
Security:       CVE-2021-29630
This commit is contained in:
Gordon Tetlow 2021-08-24 10:40:19 -07:00 committed by Franco Fichtner
parent d93d96c88f
commit 202e7f1ac7
1 changed files with 20 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
sbin/ggate/ggatec/ggatec.c
View File

@ -144,7 +144,21 @@ send_thread(void *arg __unused)
case BIO_WRITE:
hdr.gh_cmd = GGATE_CMD_WRITE;
break;
default:
g_gate_log(LOG_NOTICE, "Unknown gctl_cmd: %i", ggio.gctl_cmd);
ggio.gctl_error = EOPNOTSUPP;
g_gate_ioctl(G_GATE_CMD_DONE, &ggio);
continue;
}
/* Don't send requests for more data than we can handle the response for! */
if (ggio.gctl_length > MAXPHYS) {
g_gate_log(LOG_ERR, "Request too big: %zd", ggio.gctl_length);
ggio.gctl_error = EOPNOTSUPP;
g_gate_ioctl(G_GATE_CMD_DONE, &ggio);
continue;
}
hdr.gh_seq = ggio.gctl_seq;
hdr.gh_offset = ggio.gctl_offset;
hdr.gh_length = ggio.gctl_length;
@ -217,6 +231,12 @@ recv_thread(void *arg __unused)
ggio.gctl_length = hdr.gh_length;
ggio.gctl_error = hdr.gh_error;
/* Do not overflow our buffer if there is a bogus response. */
if (ggio.gctl_length > (off_t) sizeof(buf)) {
g_gate_log(LOG_ERR, "Received too big response: %zd", ggio.gctl_length);
break;
}
if (ggio.gctl_error == 0 && ggio.gctl_cmd == GGATE_CMD_READ) {
data = g_gate_recv(recvfd, ggio.gctl_data,
ggio.gctl_length, MSG_WAITALL);