Fix two memory corruption crashes.

* Use-after-free in afpd's Time Machine Code [1] * Memory overrun in extended attributes [2] PR: 251203 [1] 244191 [2] Submitted by: Jose Quinteiro <freebsd@quinteiro.org>
author: Joe Marcus Clarke <marcus@FreeBSD.org> 2020-11-22 22:08:38 +0000
committer: Joe Marcus Clarke <marcus@FreeBSD.org> 2020-11-22 22:08:38 +0000
commit: 0c1b18d2bd6211dd2c6cc3f3b9f85b2a9b60cb77 (patch)
tree: f31af51c53f85682cf96750679a17e09d2c94bf6 /net/netatalk3/files/patch-libatalk_vfs_extattr.c
parent: Update to 0.6.12 (diff)
1 files changed, 19 insertions, 0 deletions
diff --git a/net/netatalk3/files/patch-libatalk_vfs_extattr.c b/net/netatalk3/files/patch-libatalk_vfs_extattr.c
new file mode 100644
index 000000000000..ec0a9937a1f6
--- /dev/null
+++ b/net/netatalk3/files/patch-libatalk_vfs_extattr.c
@@ -0,0 +1,19 @@
+--- libatalk/vfs/extattr.c	2020-11-17 04:20:13 UTC
++++ libatalk/vfs/extattr.c	
+@@ -353,13 +353,13 @@ static ssize_t bsd_attr_list (int type, extattr_arg ar
+     }
+ 
+     /* Convert from pascal strings to C strings */
+-    len = list[0];
+-    memmove(list, list + 1, list_size);
++    len = (unsigned char)list[0];
++    memmove(list, list + 1, list_size - 1);
+ 
+     for(i = len; i < list_size; ) {
+         LOG(log_maxdebug, logtype_afpd, "len: %d, i: %d", len, i);
+ 
+-        len = list[i];
++        len = (unsigned char)list[i];
+         list[i] = '\0';
+         i += len + 1;
+     }
author	Joe Marcus Clarke <marcus@FreeBSD.org>	2020-11-22 22:08:38 +0000
committer	Joe Marcus Clarke <marcus@FreeBSD.org>	2020-11-22 22:08:38 +0000
commit	0c1b18d2bd6211dd2c6cc3f3b9f85b2a9b60cb77 (patch)
tree	f31af51c53f85682cf96750679a17e09d2c94bf6 /net/netatalk3/files/patch-libatalk_vfs_extattr.c
parent	Update to 0.6.12 (diff)