David James wrote:
>Right now, if you pass in a really long list of valid arguments into
>the command-line client, you can overflow its buffer of command-line
>options and execute arbitrary code. The impact of this bug is
>mitigated by the fact that users who have access to the command-line
>client can usually already execute arbitrary code.
>
>To see this bug in action, type the following command:
> yes --old | head -n 300 | xargs svn
>
>Before the patch:
> james@syntax% yes --old | head -n 300 | xargs svn
> xargs: svn: terminated by signal 11
>
>After the patch:
> james@syntax% yes --old | head -n 300 | xargs subversion/clients/cmdline/svn
> svn: Too many options
>
>clients/cmdline/main.c
>(main): Prevent buffer overflow when list of command-line options is very long
>
>Cheers,
>
>David
>
>
>------------------------------------------------------------------------
>
>Index: subversion/clients/cmdline/main.c
>===================================================================
>--- subversion/clients/cmdline/main.c (revision 15136)
>+++ subversion/clients/cmdline/main.c (working copy)
>@@ -879,6 +879,12 @@
> svn_pool_destroy (pool);
> return EXIT_FAILURE;
> }
>+ else if (num_opts >= SVN_OPT_MAX_OPTIONS)
>+ {
>+ err = svn_error_create (SVN_ERR_CL_ARG_PARSING_ERROR, NULL,
>+ _("Too many options"));
>+ return error_exit (err, stderr, FALSE, pool);
>+ }
>
> /* Stash the option code in an array before parsing it. */
> received_opts[num_opts] = opt_id;
>
>
Actually, the use of a statically-sized array to hold options is wrong
in the first place. I'd prefer a fix that changes the type of received_opts.
-- Brane
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Sun Jul 3 23:35:34 2005