Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
home:yukoff:openSUSE:Leap:42.1:Backports
quagga
quagga-CVE-2017-5495-limit-vty-buffer-to-4096-b...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File quagga-CVE-2017-5495-limit-vty-buffer-to-4096-bytes.patch of Package quagga
Upstream: yes References: CVE-2017-5495,bsc#1021669 From b7ceefea77a246fe5c1dcd1b91bf6079d1b97c02 Mon Sep 17 00:00:00 2001 From: Quentin Young <qlyoung@cumulusnetworks.com> Date: Tue, 10 Jan 2017 23:33:50 +0000 Subject: [PATCH] lib: limit size of vty buffer to 4096 bytes This removes the automatic resizing of the vty input buffer and places a hard size cap of 4096 bytes. It also fixes a potentially unsafe strcpy. [Edits by Paul Jakma, paul@jakma.org] diff --git a/lib/command.c b/lib/command.c index ab46fc4..242c98b 100644 --- a/lib/command.c +++ b/lib/command.c @@ -2769,7 +2769,7 @@ *line_num = 0; vector vline; - while (fgets (vty->buf, VTY_BUFSIZ, fp)) + while (fgets (vty->buf, vty->max, fp)) { ++(*line_num); vline = cmd_make_strvec (vty->buf); diff --git a/lib/vty.c b/lib/vty.c index 7ba277f..6d64797 100644 --- a/lib/vty.c +++ b/lib/vty.c @@ -39,6 +39,8 @@ #include <arpa/telnet.h> +#define VTY_BUFSIZ 4096 + /* Vty events */ enum event { @@ -470,17 +472,6 @@ buffer_put (vty->obuf, buf, nbytes); } -/* Ensure length of input buffer. Is buffer is short, double it. */ -static void -vty_ensure (struct vty *vty, int length) -{ - if (vty->max <= length) - { - vty->max *= 2; - vty->buf = XREALLOC (MTYPE_VTY, vty->buf, vty->max); - } -} - /* Basic function to insert character into vty. */ static void vty_self_insert (struct vty *vty, char c) @@ -488,7 +479,9 @@ int i; int length; - vty_ensure (vty, vty->length + 1); + if (vty->length + 1 > VTY_BUFSIZ) + return; + length = vty->length - vty->cp; memmove (&vty->buf[vty->cp + 1], &vty->buf[vty->cp], length); vty->buf[vty->cp] = c; @@ -505,26 +498,29 @@ static void vty_self_insert_overwrite (struct vty *vty, char c) { - vty_ensure (vty, vty->length + 1); - vty->buf[vty->cp++] = c; - - if (vty->cp > vty->length) - vty->length++; - - if ((vty->node == AUTH_NODE) || (vty->node == AUTH_ENABLE_NODE)) - return; + if (vty->cp == vty->length) + { + vty_self_insert (vty, c); + return; + } + vty->buf[vty->cp++] = c; vty_write (vty, &c, 1); } -/* Insert a word into vty interface with overwrite mode. */ +/** + * Insert a string into vty->buf at the current cursor position. + * + * If the resultant string would be larger than VTY_BUFSIZ it is + * truncated to fit. + */ static void vty_insert_word_overwrite (struct vty *vty, char *str) { - int len = strlen (str); - vty_write (vty, str, len); - strcpy (&vty->buf[vty->cp], str); - vty->cp += len; + size_t nwrite = MIN ((int) strlen (str), VTY_BUFSIZ - vty->cp); + vty_write (vty, str, nwrite); + strncpy (&vty->buf[vty->cp], str, nwrite); + vty->cp += nwrite; vty->length = vty->cp; } @@ -2091,12 +2087,21 @@ printf ("line: %.*s\n", nbytes, buf); #endif /* VTYSH_DEBUG */ + if (vty->length + nbytes > VTY_BUFSIZ) + { + /* Clear command line buffer. */ + vty->cp = vty->length = 0; + vty_clear_buf (vty); + vty_out (vty, "%% Command is too long.%s", VTY_NEWLINE); + goto out; + } + for (p = buf; p < buf+nbytes; p++) { - vty_ensure(vty, vty->length+1); vty->buf[vty->length++] = *p; if (*p == '\0') { + /* Pass this line to parser. */ ret = vty_execute (vty); /* Note that vty_execute clears the command buffer and resets @@ -2117,6 +2122,7 @@ } } +out: vty_event (VTYSH_READ, sock, vty); return 0; diff --git a/lib/vty.h b/lib/vty.h index 806f2c6..1e3b124 100644 --- a/lib/vty.h +++ b/lib/vty.h @@ -25,7 +25,6 @@ #include "log.h" #include "sockunion.h" -#define VTY_BUFSIZ 512 #define VTY_MAXHIST 20 /* VTY struct. */ diff --git a/vtysh/vtysh.c b/vtysh/vtysh.c index 2e2203d..7068ea3 100644 --- a/vtysh/vtysh.c +++ b/vtysh/vtysh.c @@ -460,7 +460,7 @@ vector vline; struct cmd_element *cmd; - while (fgets (vty->buf, VTY_BUFSIZ, fp)) + while (fgets (vty->buf, vty->max, fp)) { if (vty->buf[0] == '!' || vty->buf[1] == '#') continue; -- 2.10.2
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor