upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-03-03 05:41:01 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

In r268924 __fflush was modified so that when write(2) was not successful,

Browse source 
_p and _w are adjusted to account for the partial write (if any).

However, _p and _w should not be unconditionally adjusted and should only
be changed when we actually wrote some bytes, or the accumulated accounting
error will eventually result in a heap buffer overflow.

Reported by:	adrian and alfred (Norse Corporation)
Security:	FreeBSD-SA-14:27.stdio
Security:	CVE-2014-8611
This commit is contained in:
Xin LI 2014-12-10 08:18:22 +00:00
parent 7f353dddc8
commit 805288c2f0
1 changed files with 6 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
lib/libc/stdio/fflush.c
View file

@ -124,11 +124,13 @@ __sflush(FILE *fp)
t = _swrite(fp, (char *)p, n);
if (t <= 0) {
/* Reset _p and _w. */
if (p > fp->_p) /* Some was written. */
if (p > fp->_p) {
/* Some was written. */
memmove(fp->_p, p, n);
fp->_p += n;
if ((fp->_flags & (__SLBF | __SNBF)) == 0)
fp->_w -= n;
fp->_p += n;
if ((fp->_flags & (__SLBF | __SNBF)) == 0)
fp->_w -= n;
}
fp->_flags |= __SERR;
return (EOF);
}