HBSD: Fix "libarchive vulnerability 2"

Around a week or so ago, a report[2] was made public showing FreeBSD susceptible to numerous vulnerabilities in freebsd-update, portsnap, libarchive, bsdtar, and bspatch. At least one of the vulnerabilities has been fixed due to libarchive being updated to 3.2.1 in both HEAD, 11-STABLE, and 10-STABLE. This commit addresses one of the vulnerabilities in libarchive/bsdtar. As I validate more vulnerabilities, more fixes may come. [1]: https://hardenedbsd.org/~shawn/vulns/freebsd/2016-07-29/libarchive.txt Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org> Reported-by: Some anonymous person MFC-to: 11-STABLE MFC-to: 10-STABLE
HardenedBSD · Aug 3, 2016 · acc5eae · acc5eae
1 parent 6295aad
commit acc5eae
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/contrib/libarchive/libarchive/archive_write_disk_posix.c b/contrib/libarchive/libarchive/archive_write_disk_posix.c
@@ -1796,7 +1796,7 @@ edit_deep_directories(struct archive_write_disk *a)
 	char *tail = a->name;
 
 	/* If path is short, avoid the open() below. */
-	if (strlen(tail) <= PATH_MAX)
+	if (strlen(tail) < PATH_MAX)
 		return;
 
 	/* Try to record our starting dir. */
@@ -1806,7 +1806,7 @@ edit_deep_directories(struct archive_write_disk *a)
 		return;
 
 	/* As long as the path is too long... */
-	while (strlen(tail) > PATH_MAX) {
+	while (strlen(tail) >= PATH_MAX) {
 		/* Locate a dir prefix shorter than PATH_MAX. */
 		tail += PATH_MAX - 8;
 		while (tail > a->name && *tail != '/')
@@ -2403,6 +2403,8 @@ check_symlinks(struct archive_write_disk *a)
 			/* We've hit a dir that doesn't exist; stop now. */
 			if (errno == ENOENT)
 				break;
+			else
+				return (ARCHIVE_FAILED);
 		} else if (S_ISLNK(st.st_mode)) {
 			if (c == '\0') {
 				/*