Browse code
bb12262 - Fix to address potential use-after-free bug in scanner code relating to the filenames for nested files.
Micah Snyder authored on 2019/01/31 05:01:59Showing 1 changed files
| ... | ... |
@@ -3845,10 +3845,15 @@ static int magic_scandesc(cli_ctx *ctx, cli_file_t type) |
| 3845 | 3845 |
} |
| 3846 | 3846 |
} |
| 3847 | 3847 |
|
| 3848 |
-static int cli_base_scandesc(int desc, const char *filepath, cli_ctx *ctx, cli_file_t type) |
|
| 3848 |
+static cl_error_t cli_base_scandesc(int desc, const char *filepath, cli_ctx *ctx, cli_file_t type) |
|
| 3849 | 3849 |
{
|
| 3850 | 3850 |
STATBUF sb; |
| 3851 |
- int ret; |
|
| 3851 |
+ cl_error_t status = CL_CLEAN; |
|
| 3852 |
+ cl_error_t ret = CL_CLEAN; |
|
| 3853 |
+ |
|
| 3854 |
+ if (!ctx) {
|
|
| 3855 |
+ return CL_EARG; |
|
| 3856 |
+ } |
|
| 3852 | 3857 |
|
| 3853 | 3858 |
const char *parent_filepath = ctx->sub_filepath; |
| 3854 | 3859 |
ctx->sub_filepath = filepath; |
| ... | ... |
@@ -3861,12 +3866,18 @@ static int cli_base_scandesc(int desc, const char *filepath, cli_ctx *ctx, cli_f |
| 3861 | 3861 |
if (FSTAT(desc, &sb) == -1) |
| 3862 | 3862 |
{
|
| 3863 | 3863 |
cli_errmsg("magic_scandesc: Can't fstat descriptor %d\n", desc);
|
| 3864 |
- early_ret_from_magicscan(CL_ESTAT); |
|
| 3864 |
+ |
|
| 3865 |
+ status = CL_ESTAT; |
|
| 3866 |
+ cli_dbgmsg("cli_magic_scandesc: returning %d %s (no post, no cache)\n", status, __AT__);
|
|
| 3867 |
+ goto done; |
|
| 3865 | 3868 |
} |
| 3866 | 3869 |
if (sb.st_size <= 5) |
| 3867 | 3870 |
{
|
| 3868 | 3871 |
cli_dbgmsg("Small data (%u bytes)\n", (unsigned int)sb.st_size);
|
| 3869 |
- early_ret_from_magicscan(CL_CLEAN); |
|
| 3872 |
+ |
|
| 3873 |
+ status = CL_CLEAN; |
|
| 3874 |
+ cli_dbgmsg("cli_magic_scandesc: returning %d %s (no post, no cache)\n", status, __AT__);
|
|
| 3875 |
+ goto done; |
|
| 3870 | 3876 |
} |
| 3871 | 3877 |
|
| 3872 | 3878 |
ctx->fmap++; |
| ... | ... |
@@ -3876,18 +3887,22 @@ static int cli_base_scandesc(int desc, const char *filepath, cli_ctx *ctx, cli_f |
| 3876 | 3876 |
cli_errmsg("CRITICAL: fmap() failed\n");
|
| 3877 | 3877 |
ctx->fmap--; |
| 3878 | 3878 |
perf_stop(ctx, PERFT_MAP); |
| 3879 |
- early_ret_from_magicscan(CL_EMEM); |
|
| 3879 |
+ |
|
| 3880 |
+ status = CL_EMEM; |
|
| 3881 |
+ cli_dbgmsg("cli_magic_scandesc: returning %d %s (no post, no cache)\n", status, __AT__);
|
|
| 3882 |
+ goto done; |
|
| 3880 | 3883 |
} |
| 3881 | 3884 |
perf_stop(ctx, PERFT_MAP); |
| 3882 | 3885 |
|
| 3883 |
- ret = magic_scandesc(ctx, type); |
|
| 3886 |
+ status = magic_scandesc(ctx, type); |
|
| 3884 | 3887 |
|
| 3885 | 3888 |
funmap(*ctx->fmap); |
| 3886 | 3889 |
ctx->fmap--; |
| 3887 | 3890 |
|
| 3891 |
+done: |
|
| 3888 | 3892 |
ctx->sub_filepath = parent_filepath; |
| 3889 | 3893 |
|
| 3890 |
- return ret; |
|
| 3894 |
+ return status; |
|
| 3891 | 3895 |
} |
| 3892 | 3896 |
|
| 3893 | 3897 |
int cli_magic_scandesc(int desc, const char *filepath, cli_ctx *ctx) |