From a2cc16ab89f452e0c8b21f00d2cdd704e98decbc Mon Sep 17 00:00:00 2001
From: naddy <naddy@FreeBSD.org>
Date: Wed, 24 Mar 2010 18:46:46 +0000
Subject: Fix a buffer overflow in the rmt client functionality. From upstream.

Security:	c175d72f-3773-11df-8bb8-0211d880e350
---
 archivers/gtar/Makefile                   |  2 +-
 archivers/gtar/files/patch-lib_rtapelib.c | 28 ++++++++++++++++++++++++++++
 2 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 archivers/gtar/files/patch-lib_rtapelib.c

diff --git a/archivers/gtar/Makefile b/archivers/gtar/Makefile
index fedcea4be192..5aceaf271bd0 100644
--- a/archivers/gtar/Makefile
+++ b/archivers/gtar/Makefile
@@ -7,7 +7,7 @@
 
 PORTNAME=	tar
 PORTVERSION=	1.22
-PORTREVISION=	2
+PORTREVISION=	3
 CATEGORIES=	archivers sysutils
 MASTER_SITES=	${MASTER_SITE_GNU}
 MASTER_SITE_SUBDIR=	${PORTNAME}
diff --git a/archivers/gtar/files/patch-lib_rtapelib.c b/archivers/gtar/files/patch-lib_rtapelib.c
new file mode 100644
index 000000000000..e6c81e14a0aa
--- /dev/null
+++ b/archivers/gtar/files/patch-lib_rtapelib.c
@@ -0,0 +1,28 @@
+
+$FreeBSD$
+
+--- lib/rtapelib.c.orig
++++ lib/rtapelib.c
+@@ -570,7 +570,8 @@
+ 
+   sprintf (command_buffer, "R%lu\n", (unsigned long) length);
+   if (do_command (handle, command_buffer) == -1
+-      || (status = get_status (handle)) == SAFE_READ_ERROR)
++      || (status = get_status (handle)) == SAFE_READ_ERROR
++      || status > length)
+     return SAFE_READ_ERROR;
+ 
+   for (counter = 0; counter < status; counter += rlen, buffer += rlen)
+@@ -706,6 +707,12 @@
+ 	    || (status = get_status (handle), status == -1))
+ 	  return -1;
+ 
++	if (status > sizeof (struct mtop))
++	  {
++	    errno = EOVERFLOW;
++	    return -1;
++	  }
++	
+ 	for (; status > 0; status -= counter, argument += counter)
+ 	  {
+ 	    counter = safe_read (READ_SIDE (handle), argument, status);
-- 
cgit