From 1faaffa409ec367683a3e6ef0ce123aea68be355 Mon Sep 17 00:00:00 2001
From: Andreas Rogge
Date: Wed, 29 Apr 2020 12:20:06 +0200
Subject: [PATCH] dir: avoid heap-overflow during verify job
Fixes #1210: Security vulnerability results in heap overflow in director when doing a Verify job against a file daemon. Previously the code did not check that the target buffer that scanf() wrote into was big enough to fit the data. This patch now resizes the buffer to the size of the message buffer that is being parsed ensuring that there is no heap overflow anymore.
(cherry picked from commit 86c6fa479a21a1464366babb74e6cf33770ed7ae)
---
 core/src/dird/fd_cmds.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/core/src/dird/fd_cmds.cc b/core/src/dird/fd_cmds.cc
index cd4cd83f893..68f8fa3d60e 100644
--- a/core/src/dird/fd_cmds.cc
+++ b/core/src/dird/fd_cmds.cc
@@ -1115,7 +1115,7 @@ int GetAttributesAndPutInCatalog(JobControlRecord* jcr)
 int stream, len;
 char *p, *fn;
 PoolMem Digest(PM_MESSAGE); /* Either Verify opts or MD5/SHA1 digest */
-
+ Digest.check_size(fd->message_length);
 if ((len = sscanf(fd->msg, "%ld %d %s", &file_index, &stream,
 Digest.c_str())) != 3) {
 Jmsg(jcr, M_FATAL, 0,
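Review bot: The `%s` conversion in the `sscanf` call directly after the added `Digest.check_size(fd->message_length);` is still unbounded, so the fix rests on an invariant the hunk does not show: that `fd->msg` is NUL-terminated within `message_length` bytes, which keeps the digest token shorter than the resized buffer. I would state that next to the call, for example `/* %s is unbounded: Digest must hold at least message_length bytes and fd->msg must be NUL-terminated */`, so a later change to the format string or the buffer does not silently reopen the overflow. Sizing with `fd->message_length + 1` would also leave room for the terminator without depending on the two numeric fields that precede the digest. The body of `GetAttributesAndPutInCatalog` starts and ends outside this hunk, so any other copies out of `fd->msg` later in the function, and similar `sscanf`-into-`PoolMem` patterns elsewhere in the director, are worth checking against the same invariant.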