From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <musl-return-15493-ml=inbox.vuxu.org@lists.openwall.com>
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on inbox.vuxu.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.9 required=5.0 tests=DKIM_INVALID,DKIM_SIGNED,
	HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,
	RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL autolearn=ham autolearn_force=no
	version=3.4.2
Received: from mother.openwall.net (mother.openwall.net [195.42.179.200])
	by inbox.vuxu.org (OpenSMTPD) with SMTP id 8a900fd4
	for <ml@inbox.vuxu.org>;
	Sat, 22 Feb 2020 22:01:36 +0000 (UTC)
Received: (qmail 19634 invoked by uid 550); 22 Feb 2020 22:01:28 -0000
Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm
Precedence: bulk
List-Post: <mailto:musl@lists.openwall.com>
List-Help: <mailto:musl-help@lists.openwall.com>
List-Unsubscribe: <mailto:musl-unsubscribe@lists.openwall.com>
List-Subscribe: <mailto:musl-subscribe@lists.openwall.com>
List-ID: <musl.lists.openwall.com>
Reply-To: musl@lists.openwall.com
Received: (qmail 19562 invoked from network); 22 Feb 2020 22:01:27 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sholland.org; h=
	from:to:cc:subject:date:message-id:mime-version
	:content-transfer-encoding; s=fm2; bh=egLwVOhXPN0kjajj571UM43Xka
	WYfQZ7AB+WTLZsgwI=; b=RWx6JXlIpaoCgoz9w92L3917jJoWRUK0YMa2KrCMAD
	7HfE19WsjBIaDvmJNmzV5urc9jDpUUO+YjzQ9DpZyNSJdkeLaNVRDVd8mau1VPqK
	hcaYM/k8zs5iF0ix69XW9WnqbILcr5M5AE5VztDaLsaGH7EfIC8xdqVRwRAHzWDf
	SdcsybjZVM8Nu16BWDbnz/S0J51DNgTmlM04IsAVUCsM/7kJAnGefvsrDMRKtHLw
	7yTV2caTEyY5B+pqZXugDInZ6Jn5otvBco60UPN/IcIqa3aT96irvjXTnVRMek31
	a/5O1FK1WSSqvyZR5gNH2zdkY7rus7cM5K72zPOfHFVg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
	messagingengine.com; h=cc:content-transfer-encoding:date:from
	:message-id:mime-version:subject:to:x-me-proxy:x-me-proxy
	:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=egLwVOhXPN0kjajj5
	71UM43XkaWYfQZ7AB+WTLZsgwI=; b=IRhGl3FBYISypzj54QHHZpno6BqlYOrSx
	MosG+oIuzZ9At23bmHXtfKhR2y5Jewa+ZSysqxy2pJx12aVcTUG//7Hlqhmz/ypb
	vehGKenb9EiAewldFSdPiT1KKr3ZFHyl01GDs6/znH6RwHKiOBjvmIlyv3qka9Ha
	AFals+Jm8w8kBmsqS9eC6bh9gElAfQgZxKUb8QpcUcaD20HObCABIZBAnwn67/s9
	TORkVyOHMhV2zpp+JuCRmysIhSQXZyewFTY3mY+dvkMxAE4CkznyB53Q1RpAszFr
	ryxYaH8VDRWg8zGJaZ0icOxHCcTATOLm3PO/IBPzLBYVxmr43KjDg==
X-ME-Sender: <xms:qaRRXk6gp9qTszodfGtSd2fs8i1fbXfUDICQ1kUT6DOEPsCFyBf6QA>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedugedrkeeigdduheejucetufdoteggodetrfdotf
    fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen
    uceurghilhhouhhtmecufedttdenucenucfjughrpefhvffufffkofgggfestdekredtre
    dttdenucfhrhhomhepufgrmhhuvghlucfjohhllhgrnhguuceoshgrmhhuvghlsehshhho
    lhhlrghnugdrohhrgheqnecukfhppeejtddrudefhedrudegkedrudehudenucevlhhush
    htvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehsrghmuhgvlhesshhh
    ohhllhgrnhgurdhorhhg
X-ME-Proxy: <xmx:qaRRXiNC-OCmlkiQ9gZcP69FKzwMA2VMhsrQbQqaXMHKmJImueLDsA>
    <xmx:qaRRXmOkYjZwuPibc0OB9g5kMkvl7ncp47GR2RC1F0xZ5cBzWWTYNA>
    <xmx:qaRRXq-PiAU0JAkux1DbU0DNjfS--1efBQ3X2AN0ft69-ZBUb-0Dsw>
    <xmx:qqRRXrtc1mLLFxjSBhjurhZ-wemD88ICpJtR9mfBvLcTUFOFQAr8dA>
From: Samuel Holland <samuel@sholland.org>
To: musl@lists.openwall.com
Cc: Samuel Holland <samuel@sholland.org>
Date: Sat, 22 Feb 2020 16:01:12 -0600
Message-Id: <20200222220113.55710-1-samuel@sholland.org>
X-Mailer: git-send-email 2.24.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Subject: [musl] [PATCH 1/2] Avoid out-of-bounds read for invalid quoted timezone

Parsing the timezone name must stop when reaching the null terminator.
In that case, there is no '>' to skip.
---

This was found while investigating the bug fixed by patch 2.

# env -i TZ="<" date
Sat Feb 22 22:34:06 ate 2020
# env -i TZ="UTC0" date
Sat Feb 22 21:34:09 UTC 2020

---
 src/time/__tz.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/time/__tz.c b/src/time/__tz.c
index 185642e8..a962960e 100644
--- a/src/time/__tz.c
+++ b/src/time/__tz.c
@@ -86,9 +86,9 @@ static void getname(char *d, const char **p)
 	int i;
 	if (**p == '<') {
 		++*p;
-		for (i=0; (*p)[i]!='>' && i<TZNAME_MAX; i++)
+		for (i=0; (*p)[i] && (*p)[i]!='>' && i<TZNAME_MAX; i++)
 			d[i] = (*p)[i];
-		++*p;
+		if ((*p)[i]) ++*p;
 	} else {
 		for (i=0; ((*p)[i]|32)-'a'<26U && i<TZNAME_MAX; i++)
 			d[i] = (*p)[i];
-- 
2.24.1