Full Disclosure mailing list archives

Re: [HV-MED] Zip/Linux long path buffer overflow
From: Josh Bressers <bressers () redhat com>
Date: Fri, 5 Nov 2004 16:00:58 -0500

On Fri, Nov 05, 2004 at 02:26:33PM +0100, Martin Pitt wrote:
> I prepared a small fix for this (see below). It does not make zip work
> with long file names, but at least it exits cleanly with giving the
> reason, and does not segfault.

This fix will allow zip to create an archive with very long filenames.

I'm also changing the type of len from a signed int to size_t to prevent
trouble in the future.

--- zip-2.3/unix/unix.c.orig    2004-11-05 15:44:41.000000000 -0500
+++ zip-2.3/unix/unix.c 2004-11-05 15:50:28.000000000 -0500
@@ -319,8 +319,8 @@ iztimes *t;             /* return value:
    a file size of -1 */
 {
   struct stat s;        /* results of stat() */
-  char name[FNMAX];
-  int len = strlen(f);
+  char *name;
+  size_t len = strlen(f);
 
   if (f == label) {
     if (a != NULL)
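
Review bot: With `len` now declared as `size_t len = strlen(f);`, the `name[len - 1]` test further down no longer indexes -1 for an empty `f`; `len - 1` wraps to SIZE_MAX instead. Both are out of bounds, so the trailing-slash check should be guarded with `len > 0` as part of this change.
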
@@ -331,6 +331,11 @@ iztimes *t;             /* return value:
       t->atime = t->mtime = t->ctime = label_utim;
     return label_time;
   }
+
+  name = malloc(len+1);
+  if (!name)
+    return 0;
+
   strcpy(name, f);
   if (name[len - 1] == '/')
     name[len - 1] = '\0';
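
Review bot: The `malloc(len+1)` added before `strcpy(name, f)` has no matching `free(name)` anywhere in the posted diff. `name` used to be a stack array, so every return path after this point now has to free it, otherwise one allocation leaks per call. The `return 0` on allocation failure is also silent; printing a diagnostic before returning would let the user see why the file was skipped.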

-- 
    JB

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
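
The two fixes discussed in this thread, side by side, as an added example that is not part of the original message or of zip's source: refusing a name that does not fit the fixed buffer, and sizing a heap copy from the input. The value of FNMAX and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FNMAX 1024  /* assumed value for this example, not taken from zip */

/* Reject approach: keep the fixed buffer, refuse names that do not fit.
   Hypothetical helper. Returns 0 on success, -1 if f is too long. */
int copy_name_bounded(const char *f, char out[FNMAX])
{
    size_t len = strlen(f);
    if (len >= FNMAX)
        return -1;                 /* caller reports the reason and exits */
    memcpy(out, f, len + 1);
    if (len > 0 && out[len - 1] == '/')
        out[len - 1] = '\0';
    return 0;
}

/* Allocate approach: size the copy from the input. Hypothetical helper.
   Returns a malloc'd string the caller must free, or NULL on failure. */
char *copy_name_heap(const char *f)
{
    size_t len = strlen(f);
    char *name = malloc(len + 1);
    if (name == NULL)
        return NULL;
    memcpy(name, f, len + 1);
    if (len > 0 && name[len - 1] == '/')  /* len - 1 would wrap for "" */
        name[len - 1] = '\0';
    return name;
}

char *make_long_path(size_t n)  /* constructed input: n 'a's plus a '/' */
{
    char *p = calloc(n + 2, 1);    /* zero-filled, so already terminated */
    if (p != NULL) { memset(p, 'a', n); p[n] = '/'; }
    return p;
}

int main(void)
{
    char fixed[FNMAX], *longp = make_long_path(4 * FNMAX);
    char *copy = longp ? copy_name_heap(longp) : NULL;
    int ok = copy && copy_name_bounded(longp, fixed) == -1;
    printf("%s\n", ok ? "long name rejected by bounded copy, kept by heap copy" : "failed");
    free(copy); free(longp);
    return ok ? 0 : 1;
}
```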