mirror of
https://github.com/pbatard/rufus.git
synced 2024-08-14 23:57:05 +00:00
[iso] fix a buffer overflow in syslinux.c
* p[safe_strlen(p)] = 0; was pointless and could lead to a buffer overflow if the string was not already NUL terminated, so remove it and make sure we process a buffer that either contains legitimate Syslinux version strings (that are NUL terminated always) or that has been read through read_file() (that always adds a NUL terminator to the buffer). * Also fix some whitespaces in related code sections and switch to using read_file() for GRUB version lookup. * Vulnerability discovered and reported by Mansour Gashasbi (@gashasbi).
This commit is contained in:
parent
34e6e43a97
commit
f813eb05d8
4 changed files with 22 additions and 34 deletions
20
src/iso.c
20
src/iso.c
|
@ -1233,18 +1233,9 @@ out:
|
|||
char isolinux_tmp[MAX_PATH];
|
||||
static_sprintf(isolinux_tmp, "%sisolinux.tmp", temp_dir);
|
||||
size = (size_t)ExtractISOFile(src_iso, isolinux_path.String[i], isolinux_tmp, FILE_ATTRIBUTE_NORMAL);
|
||||
if (size == 0) {
|
||||
if ((size == 0) || (read_file(isolinux_tmp, &buf) != size)) {
|
||||
uprintf(" Could not access %s", isolinux_path.String[i]);
|
||||
} else {
|
||||
buf = (char*)calloc(size, 1);
|
||||
if (buf == NULL) break;
|
||||
fd = fopen(isolinux_tmp, "rb");
|
||||
if (fd == NULL) {
|
||||
free(buf);
|
||||
continue;
|
||||
}
|
||||
fread(buf, 1, size, fd);
|
||||
fclose(fd);
|
||||
sl_version = GetSyslinuxVersion(buf, size, &ext);
|
||||
if (img_report.sl_version == 0) {
|
||||
static_strcpy(img_report.sl_version_ext, ext);
|
||||
|
@ -1315,15 +1306,10 @@ out:
|
|||
// coverity[swapped_arguments]
|
||||
if (GetTempFileNameU(temp_dir, APPLICATION_NAME, 0, path) != 0) {
|
||||
size = (size_t)ExtractISOFile(src_iso, grub_path, path, FILE_ATTRIBUTE_NORMAL);
|
||||
buf = (char*)calloc(size, 1);
|
||||
fd = fopen(path, "rb");
|
||||
if ((size == 0) || (buf == NULL) || (fd == NULL)) {
|
||||
if ((size == 0) || (read_file(path, &buf) != size))
|
||||
uprintf(" Could not read Grub version from '%s'", grub_path);
|
||||
} else {
|
||||
fread(buf, 1, size, fd);
|
||||
fclose(fd);
|
||||
else
|
||||
GetGrubVersion(buf, size);
|
||||
}
|
||||
free(buf);
|
||||
DeleteFileU(path);
|
||||
}
|
||||
|
|
|
@ -2032,7 +2032,7 @@ static void InitDialog(HWND hDlg)
|
|||
len = 0;
|
||||
buf = (char*)GetResource(hMainInstance, resource[i], _RT_RCDATA, "ldlinux_sys", &len, TRUE);
|
||||
if (buf == NULL) {
|
||||
uprintf("Warning: could not read embedded Syslinux v%d version", i+4);
|
||||
uprintf("Warning: could not read embedded Syslinux v%d version", i + 4);
|
||||
} else {
|
||||
embedded_sl_version[i] = GetSyslinuxVersion(buf, len, &ext);
|
||||
static_sprintf(embedded_sl_version_str[i], "%d.%02d", SL_MAJOR(embedded_sl_version[i]), SL_MINOR(embedded_sl_version[i]));
|
||||
|
|
10
src/rufus.rc
10
src/rufus.rc
|
@ -33,7 +33,7 @@ LANGUAGE LANG_NEUTRAL, SUBLANG_NEUTRAL
|
|||
IDD_DIALOG DIALOGEX 12, 12, 232, 326
|
||||
STYLE DS_SETFONT | DS_MODALFRAME | DS_CENTER | WS_MINIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU
|
||||
EXSTYLE WS_EX_ACCEPTFILES
|
||||
CAPTION "Rufus 4.5.2127"
|
||||
CAPTION "Rufus 4.5.2128"
|
||||
FONT 9, "Segoe UI Symbol", 400, 0, 0x0
|
||||
BEGIN
|
||||
LTEXT "Drive Properties",IDS_DRIVE_PROPERTIES_TXT,8,6,53,12,NOT WS_GROUP
|
||||
|
@ -397,8 +397,8 @@ END
|
|||
//
|
||||
|
||||
VS_VERSION_INFO VERSIONINFO
|
||||
FILEVERSION 4,5,2127,0
|
||||
PRODUCTVERSION 4,5,2127,0
|
||||
FILEVERSION 4,5,2128,0
|
||||
PRODUCTVERSION 4,5,2128,0
|
||||
FILEFLAGSMASK 0x3fL
|
||||
#ifdef _DEBUG
|
||||
FILEFLAGS 0x1L
|
||||
|
@ -416,13 +416,13 @@ BEGIN
|
|||
VALUE "Comments", "https://rufus.ie"
|
||||
VALUE "CompanyName", "Akeo Consulting"
|
||||
VALUE "FileDescription", "Rufus"
|
||||
VALUE "FileVersion", "4.5.2127"
|
||||
VALUE "FileVersion", "4.5.2128"
|
||||
VALUE "InternalName", "Rufus"
|
||||
VALUE "LegalCopyright", "<22> 2011-2024 Pete Batard (GPL v3)"
|
||||
VALUE "LegalTrademarks", "https://www.gnu.org/licenses/gpl-3.0.html"
|
||||
VALUE "OriginalFilename", "rufus-4.5.exe"
|
||||
VALUE "ProductName", "Rufus"
|
||||
VALUE "ProductVersion", "4.5.2127"
|
||||
VALUE "ProductVersion", "4.5.2128"
|
||||
END
|
||||
END
|
||||
BLOCK "VarFileInfo"
|
||||
|
|
|
@ -411,28 +411,30 @@ uint16_t GetSyslinuxVersion(char* buf, size_t buf_size, char** ext)
|
|||
return 0;
|
||||
|
||||
// Start at 64 to avoid the short incomplete version at the beginning of ldlinux.sys
|
||||
for (i=64; i<buf_size-64; i++) {
|
||||
for (i = 64; i < buf_size - 64; i++) {
|
||||
if (memcmp(&buf[i], LINUX, sizeof(LINUX)) == 0) {
|
||||
// Check for ISO or SYS prefix
|
||||
if (!( ((buf[i-3] == 'I') && (buf[i-2] == 'S') && (buf[i-1] == 'O'))
|
||||
|| ((buf[i-3] == 'S') && (buf[i-2] == 'Y') && (buf[i-1] == 'S')) ))
|
||||
if (!( ((buf[i - 3] == 'I') && (buf[i - 2] == 'S') && (buf[i - 1] == 'O'))
|
||||
|| ((buf[i - 3] == 'S') && (buf[i - 2] == 'Y') && (buf[i - 1] == 'S')) ))
|
||||
continue;
|
||||
i += sizeof(LINUX);
|
||||
version = (((uint8_t)strtoul(&buf[i], &p, 10))<<8) + (uint8_t)strtoul(&p[1], &p, 10);
|
||||
version = (((uint8_t)strtoul(&buf[i], &p, 10)) << 8) + (uint8_t)strtoul(&p[1], &p, 10);
|
||||
// Our buffer is either from our internal legit syslinux (i.e. with a NUL terminated
|
||||
// version string) or from a buffer that has been NUL-terminated through read_file(),
|
||||
// so the string we work with in p is always NUL terminated at this stage.
|
||||
if (version == 0)
|
||||
continue;
|
||||
p[safe_strlen(p)] = 0;
|
||||
// Ensure that our extra version string starts with a slash
|
||||
*p = '/';
|
||||
// Remove the x.yz- duplicate if present
|
||||
for (j=0; (buf[i+j] == p[1+j]) && (buf[i+j] != ' '); j++);
|
||||
if (p[j+1] == '-')
|
||||
for (j = 0; (buf[i + j] == p[1 + j]) && (buf[i + j] != ' '); j++);
|
||||
if (p[j + 1] == '-')
|
||||
j++;
|
||||
if (j >= 4) {
|
||||
p[j] = '/';
|
||||
p = &p[j];
|
||||
}
|
||||
for (j=safe_strlen(p)-1; j>0; j--) {
|
||||
for (j = safe_strlen(p) - 1; j > 0; j--) {
|
||||
// Arch Linux affixes a star for their version - who knows what else is out there...
|
||||
if ((p[j] == ' ') || (p[j] == '*'))
|
||||
p[j] = 0;
|
||||
|
@ -440,15 +442,15 @@ uint16_t GetSyslinuxVersion(char* buf, size_t buf_size, char** ext)
|
|||
break;
|
||||
}
|
||||
// Sanitize the string
|
||||
for (j=1; j<safe_strlen(p); j++) {
|
||||
for (j = 1; j < safe_strlen(p); j++) {
|
||||
// Some people are bound to have invalid chars in their date strings
|
||||
for (k=0; k<sizeof(unauthorized); k++) {
|
||||
for (k = 0; k < sizeof(unauthorized); k++) {
|
||||
if (p[j] == unauthorized[k])
|
||||
p[j] = '_';
|
||||
}
|
||||
}
|
||||
// If all we have is a slash, return the empty string for the extra version
|
||||
*ext = (p[1] == 0)?nullstr:p;
|
||||
*ext = (p[1] == 0) ? nullstr : p;
|
||||
return version;
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue