File openslp.audit.diff of Package openslp
--- ./common/slp_dhcp.c.orig 2005-02-15 18:28:19.332759386 +0000
+++ ./common/slp_dhcp.c 2005-02-15 18:30:52.797854324 +0000
@@ -598,6 +598,7 @@
 cpysz = optdatasz < sizeof(ctxp->scopelist)? optdatasz: sizeof(ctxp->scopelist);
 strncpy(ctxp->scopelist, (char*)p, cpysz);
+ ctxp->scopelist[sizeof(ctxp->scopelist) - 1] = 0;
 }
 else
 {
@@ -622,6 +623,7 @@
 cpysz = optdatasz < sizeof(ctxp->scopelist)? optdatasz: sizeof(ctxp->scopelist);
 strncpy(ctxp->scopelist, (char*)p, cpysz);
+ ctxp->scopelist[sizeof(ctxp->scopelist) - 1] = 0;
 }
 }
 break;
--- ./common/slp_message.c.orig 2005-02-15 16:48:20.243994238 +0000
+++ ./common/slp_message.c 2005-02-15 18:17:16.217402037 +0000
@@ -68,6 +68,10 @@
 /* header (IN/OUT) pointer to the header structure to fill out */
 /*=========================================================================*/
 {
+ if (buffer->end - buffer->start < 2)
+ {
+ return SLP_ERROR_PARSE_ERROR;
+ }
 header->version = *(buffer->curpos);
 header->functionid = *(buffer->curpos + 1);
@@ -75,6 +79,11 @@
 {
 return SLP_ERROR_VER_NOT_SUPPORTED;
 }
+ /* check for invalid length 18 bytes is the smallest v2 message*/
+ if (buffer->end - buffer->start < 18)
+ {
+ return SLP_ERROR_PARSE_ERROR;
+ }
 header->length = AsUINT24(buffer->curpos + 2);
 header->flags = AsUINT16(buffer->curpos + 5);
 header->encoding = 0; /* not used for SLPv2 */
@@ -89,9 +98,7 @@
 return SLP_ERROR_PARSE_ERROR;
 }
- /* check for invalid length 18 bytes is the smallest v2 message*/
- if(header->length != buffer->end - buffer->start ||
- header->length < 18)
+ if(header->length != buffer->end - buffer->start)
 {
 return SLP_ERROR_PARSE_ERROR;
 }
@@ -187,7 +194,7 @@
 /* parse out url */
 urlentry->urllen = AsUINT16(buffer->curpos);
 buffer->curpos = buffer->curpos + 2;
- if(urlentry->urllen > buffer->end - buffer->curpos)
+ if(urlentry->urllen + 1 > buffer->end - buffer->curpos)
 {
 return SLP_ERROR_PARSE_ERROR;
 }
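Review bot: The terminator write `ctxp->scopelist[sizeof(ctxp->scopelist) - 1] = 0;` added in both slp_dhcp.c hunks (@@ -598 and @@ -622) does close the unterminated-string hole, but the copy is still `strncpy` over raw DHCP option bytes, so when `cpysz == sizeof(ctxp->scopelist)` the last data byte is silently replaced and an exactly-full scope list is truncated without the caller knowing. Since `p` is option data rather than a C string, `memcpy(ctxp->scopelist, p, cpysz);` followed by a terminator at `cpysz` (computed against `sizeof(ctxp->scopelist) - 1`) states the intent directly and makes the truncation explicit. Whether `optdatasz` was itself validated against the enclosing option length is outside the hunk. A one-line comment such as `/* scopelist is always NUL-terminated here; longer option data is truncated */` would record the contract for callers.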
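Review bot: The two new length guards in the slp_message.c header parser (@@ -68 and @@ -75) compare `buffer->end - buffer->start`, but every read in the function dereferences `buffer->curpos`, so the guards are only sound when `curpos == start` on entry, which nothing in this function asserts. The slpd_v1process.c hunk resets `recvbuf->curpos = recvbuf->start;` before calling the v1 header parser, which suggests that is the convention, but it is not enforced here. Either compare against `buffer->end - buffer->curpos` so the guard covers the pointer actually read, or add `/* precondition: buffer->curpos == buffer->start */` so the assumption is visible to the next reader. Dropping `header->length < 18` in @@ -89 is fine, since `length != end - start` together with the new 18-byte floor implies it. The function body continues outside these hunks.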
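Review bot: The `+ 1` added to the url-length comparison here, and the `+ 1`/`+ 2` added in the SrvRqst, SrvReg, SrvDeReg, AttrRqst, AttrRply, DAAdvert, SAAdvert and SrvTypeRqst hunks below and in the slp_v1message.c counterparts, reserve room for the *next* field (an auth-block count byte or a 2-byte length) rather than checking the field being parsed, so each bounds check silently encodes the layout of the field that follows it. That holds only while the field order never changes, and the constant is unexplained at every site; a comment such as `/* +1: trailing auth-block count byte must also fit */` or `/* +2: next 2-byte length field must also fit */` at each comparison would make the invariant reviewable. The @@ -358, @@ -447 and @@ -794 hunks instead guard with `if(buffer->end - buffer->curpos < 2)` immediately before the `AsUINT16` read, which is the clearer shape; adopting it uniformly would let every comparison revert to the plain `len > buffer->end - buffer->curpos` form.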
@@ -235,7 +242,7 @@
 /* parse the prlist */
 srvrqst->prlistlen = AsUINT16(buffer->curpos);
 buffer->curpos = buffer->curpos + 2;
- if(srvrqst->prlistlen > buffer->end - buffer->curpos)
+ if(srvrqst->prlistlen + 2 > buffer->end - buffer->curpos)
 {
 return SLP_ERROR_PARSE_ERROR;
 }
@@ -246,7 +253,7 @@
 /* parse the service type */
 srvrqst->srvtypelen = AsUINT16(buffer->curpos);
 buffer->curpos = buffer->curpos + 2;
- if(srvrqst->srvtypelen > buffer->end - buffer->curpos)
+ if(srvrqst->srvtypelen + 2 > buffer->end - buffer->curpos)
 {
 return SLP_ERROR_PARSE_ERROR;
 }
@@ -257,7 +264,7 @@
 /* parse the scope list */
 srvrqst->scopelistlen = AsUINT16(buffer->curpos);
 buffer->curpos = buffer->curpos + 2;
- if(srvrqst->scopelistlen > buffer->end - buffer->curpos)
+ if(srvrqst->scopelistlen + 2 > buffer->end - buffer->curpos)
 {
 return SLP_ERROR_PARSE_ERROR;
 }
@@ -269,7 +276,7 @@
 srvrqst->predicatever = 2; /* SLPv2 predicate (LDAPv3) */
 srvrqst->predicatelen = AsUINT16(buffer->curpos);
 buffer->curpos = buffer->curpos + 2;
- if(srvrqst->predicatelen > buffer->end - buffer->curpos)
+ if(srvrqst->predicatelen + 2 > buffer->end - buffer->curpos)
 {
 return SLP_ERROR_PARSE_ERROR;
 }
@@ -358,10 +365,14 @@
 return result;
 }
+ if(buffer->end - buffer->curpos < 2)
+ {
+ return SLP_ERROR_PARSE_ERROR;
+ }
 /* parse the service type */
 srvreg->srvtypelen = AsUINT16(buffer->curpos);
 buffer->curpos = buffer->curpos + 2;
- if(srvreg->srvtypelen > buffer->end - buffer->curpos)
+ if(srvreg->srvtypelen + 2 > buffer->end - buffer->curpos)
 {
 return SLP_ERROR_PARSE_ERROR;
 }
@@ -372,7 +383,7 @@
 /* parse the scope list */
 srvreg->scopelistlen = AsUINT16(buffer->curpos);
 buffer->curpos = buffer->curpos + 2;
- if(srvreg->scopelistlen > buffer->end - buffer->curpos)
+ if(srvreg->scopelistlen + 2 > buffer->end - buffer->curpos)
 {
 return SLP_ERROR_PARSE_ERROR;
 }
@@ -383,7 +394,7 @@
 /* parse the attribute list*/
 srvreg->attrlistlen = AsUINT16(buffer->curpos);
 buffer->curpos = buffer->curpos + 2;
- if(srvreg->attrlistlen > buffer->end - buffer->curpos)
+ if(srvreg->attrlistlen + 1 > buffer->end - buffer->curpos)
 {
 return SLP_ERROR_PARSE_ERROR;
 }
@@ -447,6 +458,10 @@
 }
 /* parse the tag list */
+ if(buffer->end - buffer->curpos < 2)
+ {
+ return SLP_ERROR_PARSE_ERROR;
+ }
 srvdereg->taglistlen = AsUINT16(buffer->curpos);
 buffer->curpos = buffer->curpos + 2;
 if(srvdereg->taglistlen > buffer->end - buffer->curpos)
@@ -482,7 +497,7 @@
 /* parse the prlist */
 attrrqst->prlistlen = AsUINT16(buffer->curpos);
 buffer->curpos = buffer->curpos + 2;
- if(attrrqst->prlistlen > buffer->end - buffer->curpos)
+ if(attrrqst->prlistlen + 2 > buffer->end - buffer->curpos)
 {
 return SLP_ERROR_PARSE_ERROR;
 }
@@ -492,7 +507,7 @@
 /* parse the url */
 attrrqst->urllen = AsUINT16(buffer->curpos);
 buffer->curpos = buffer->curpos + 2;
- if(attrrqst->urllen > buffer->end - buffer->curpos)
+ if(attrrqst->urllen + 2 > buffer->end - buffer->curpos)
 {
 return SLP_ERROR_PARSE_ERROR;
 }
@@ -503,7 +518,7 @@
 /* parse the scope list */
 attrrqst->scopelistlen = AsUINT16(buffer->curpos);
 buffer->curpos = buffer->curpos + 2;
- if(attrrqst->scopelistlen > buffer->end - buffer->curpos)
+ if(attrrqst->scopelistlen + 2 > buffer->end - buffer->curpos)
 {
 return SLP_ERROR_PARSE_ERROR;
 }
@@ -514,7 +529,7 @@
 /* parse the taglist string */
 attrrqst->taglistlen = AsUINT16(buffer->curpos);
 buffer->curpos = buffer->curpos + 2;
- if(attrrqst->taglistlen > buffer->end - buffer->curpos)
+ if(attrrqst->taglistlen + 2 > buffer->end - buffer->curpos)
 {
 return SLP_ERROR_PARSE_ERROR;
 }
@@ -563,7 +578,7 @@
 /* parse out the attrlist */
 attrrply->attrlistlen = AsUINT16(buffer->curpos);
 buffer->curpos = buffer->curpos + 2;
- if(attrrply->attrlistlen > buffer->end - buffer->curpos)
+ if(attrrply->attrlistlen + 1 > buffer->end - buffer->curpos)
 {
 return SLP_ERROR_PARSE_ERROR;
 }
@@ -619,13 +634,17 @@
 buffer->curpos = buffer->curpos + 2;
 /* parse out the bootstamp */
+ if(buffer->end - buffer->curpos < 6)
+ {
+ return SLP_ERROR_PARSE_ERROR;
+ }
 daadvert->bootstamp = AsUINT32(buffer->curpos);
 buffer->curpos = buffer->curpos + 4;
 /* parse out the url */
 daadvert->urllen = AsUINT16(buffer->curpos);
 buffer->curpos = buffer->curpos + 2;
- if(daadvert->urllen > buffer->end - buffer->curpos)
+ if(daadvert->urllen + 2 > buffer->end - buffer->curpos)
 {
 return SLP_ERROR_PARSE_ERROR;
 }
@@ -635,7 +654,7 @@
 /* parse the scope list */
 daadvert->scopelistlen = AsUINT16(buffer->curpos);
 buffer->curpos = buffer->curpos + 2;
- if(daadvert->scopelistlen > buffer->end - buffer->curpos)
+ if(daadvert->scopelistlen + 2 > buffer->end - buffer->curpos)
 {
 return SLP_ERROR_PARSE_ERROR;
 }
@@ -645,7 +664,7 @@
 /* parse the attr list */
 daadvert->attrlistlen = AsUINT16(buffer->curpos);
 buffer->curpos = buffer->curpos + 2;
- if(daadvert->attrlistlen > buffer->end - buffer->curpos)
+ if(daadvert->attrlistlen + 2 > buffer->end - buffer->curpos)
 {
 return SLP_ERROR_PARSE_ERROR;
 }
@@ -655,7 +674,7 @@
 /* parse the SPI list */
 daadvert->spilistlen = AsUINT16(buffer->curpos);
 buffer->curpos = buffer->curpos + 2;
- if(daadvert->spilistlen > buffer->end - buffer->curpos)
+ if(daadvert->spilistlen + 1 > buffer->end - buffer->curpos)
 {
 return SLP_ERROR_PARSE_ERROR;
 }
@@ -704,7 +723,7 @@
 /* parse out the url */
 saadvert->urllen = AsUINT16(buffer->curpos);
 buffer->curpos = buffer->curpos + 2;
- if(saadvert->urllen > buffer->end - buffer->curpos)
+ if(saadvert->urllen + 2 > buffer->end - buffer->curpos)
 {
 return SLP_ERROR_PARSE_ERROR;
 }
@@ -714,7 +733,7 @@
 /* parse the scope list */
 saadvert->scopelistlen = AsUINT16(buffer->curpos);
 buffer->curpos = buffer->curpos + 2;
- if(saadvert->scopelistlen > buffer->end - buffer->curpos)
+ if(saadvert->scopelistlen + 2 > buffer->end - buffer->curpos)
 {
 return SLP_ERROR_PARSE_ERROR;
 }
@@ -724,7 +743,7 @@
 /* parse the attr list */
 saadvert->attrlistlen = AsUINT16(buffer->curpos);
 buffer->curpos = buffer->curpos + 2;
- if(saadvert->attrlistlen > buffer->end - buffer->curpos)
+ if(saadvert->attrlistlen + 1 > buffer->end - buffer->curpos)
 {
 return SLP_ERROR_PARSE_ERROR;
 }
@@ -769,7 +788,7 @@
 /* parse the prlist */
 srvtyperqst->prlistlen = AsUINT16(buffer->curpos);
 buffer->curpos += 2;
- if(srvtyperqst->prlistlen > buffer->end - buffer->curpos)
+ if(srvtyperqst->prlistlen + 2 > buffer->end - buffer->curpos)
 {
 return SLP_ERROR_PARSE_ERROR;
 }
@@ -794,6 +813,10 @@
 }
 /* parse the scope list */
+ if(buffer->end - buffer->curpos < 2)
+ {
+ return SLP_ERROR_PARSE_ERROR;
+ }
 srvtyperqst->scopelistlen = AsUINT16(buffer->curpos);
 buffer->curpos += 2;
 if(srvtyperqst->scopelistlen > buffer->end - buffer->curpos)
--- ./common/slp_network.c.orig 2005-02-15 17:48:00.831814261 +0000
+++ ./common/slp_network.c 2005-02-15 17:51:29.856000181 +0000
@@ -300,7 +300,7 @@
 /* EINVAL parse error */
 /*=========================================================================*/
 {
- int xferbytes;
+ int xferbytes, recvlen;
 fd_set readfds;
 char peek[16];
 int peeraddrlen = sizeof(struct sockaddr_in);
@@ -359,10 +359,14 @@
 /* Read the rest of the message */
 /*------------------------------*/
 /* check the version */
- if(*peek == 2)
+ if(xferbytes >= 5 && *peek == 2)
 {
 /* allocate the recvmsg big enough for the whole message */
- *buf = SLPBufferRealloc(*buf, AsUINT24(peek + 2));
+ recvlen = AsUINT24(peek + 2);
+ /* one byte is minimum */
+ if (recvlen <= 0)
+ recvlen = 1;
+ *buf = SLPBufferRealloc(*buf, recvlen);
 if(*buf)
 {
 while((*buf)->curpos < (*buf)->end)
--- ./common/slp_v1message.c.orig 2005-02-15 16:52:12.613798586 +0000
+++ ./common/slp_v1message.c 2005-02-15 18:26:47.632848004 +0000
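Review bot: In the slp_network.c @@ -359 hunk `recvlen` is taken straight from the peer's 24-bit length field and only bounded at the low end (`if (recvlen <= 0) recvlen = 1;`), so one connection can still make `SLPBufferRealloc` allocate up to 16 MiB and the `while((*buf)->curpos < (*buf)->end)` loop then waits for that many bytes; with no visible upper bound or read timeout that is a resource-exhaustion concern for code that reads from arbitrary peers. Since the header parser rejects anything under 18 bytes anyway, a length below that can be refused here instead of clamped: `if (recvlen < 18 || recvlen > <configured max message size>) { /* EINVAL-style parse error path */ }`, with the upper limit as a named constant rather than a literal. `AsUINT24` presumably never yields a negative value, so `<= 0` is effectively `== 0`; worth a comment saying a zero length is what the clamp is for. The function's error path and the read loop's timeout handling are outside the hunk.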
@@ -60,6 +60,11 @@
 /* SLP_ERROR_PARSE_ERROR. */
 /*=========================================================================*/
 {
+ if (buffer->end - buffer->start < 12)
+ {
+ /* invalid length 12 bytes is the smallest v1 message*/
+ return SLP_ERROR_PARSE_ERROR;
+ }
 header->version = *(buffer->curpos);
 header->functionid = *(buffer->curpos + 1);
@@ -85,10 +90,8 @@
 return SLP_ERROR_CHARSET_NOT_UNDERSTOOD;
 }
- if(header->length != buffer->end - buffer->start ||
- header->length < 12)
+ if(header->length != buffer->end - buffer->start)
 {
- /* invalid length 12 bytes is the smallest v1 message*/
 return SLP_ERROR_PARSE_ERROR;
 }
@@ -114,7 +117,7 @@
 int result;
 /* make sure that min size is met */
- if(buffer->end - buffer->curpos < 6)
+ if(buffer->end - buffer->curpos < 4)
 {
 return SLP_ERROR_PARSE_ERROR;
 }
@@ -160,7 +163,7 @@
 int result;
 /* make sure that min size is met */
- if(buffer->end - buffer->curpos < 10)
+ if(buffer->end - buffer->curpos < 4)
 {
 return SLP_ERROR_PARSE_ERROR;
 }
@@ -168,7 +171,7 @@
 /* parse the prlist */
 srvrqst->prlistlen = AsUINT16(buffer->curpos);
 buffer->curpos = buffer->curpos + 2;
- if(srvrqst->prlistlen > buffer->end - buffer->curpos)
+ if(srvrqst->prlistlen + 2 > buffer->end - buffer->curpos)
 {
 return SLP_ERROR_PARSE_ERROR;
 }
@@ -272,6 +275,10 @@
 srvreg->srvtypelen = tmp - srvreg->srvtype;
 /* parse the attribute list */
+ if(buffer->end - buffer->curpos < 2)
+ {
+ return SLP_ERROR_PARSE_ERROR;
+ }
 srvreg->attrlistlen = AsUINT16(buffer->curpos);
 buffer->curpos = buffer->curpos + 2;
 if(srvreg->attrlistlen > buffer->end - buffer->curpos)
@@ -335,7 +342,7 @@
 srvdereg->urlentry.lifetime = 0; /* not present in SLPv1 */
 srvdereg->urlentry.urllen = AsUINT16(buffer->curpos);
 buffer->curpos += 2;
- if(srvdereg->urlentry.urllen > buffer->end - buffer->curpos)
+ if(srvdereg->urlentry.urllen + 2 > buffer->end - buffer->curpos)
 {
 return SLP_ERROR_PARSE_ERROR;
 }
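Review bot: Both minimum-size checks in slp_v1message.c are relaxed (`< 6` to `< 4` in @@ -114 and `< 10` to `< 4` in @@ -160) with no comment saying what the new constant covers, and in an audit patch a loosened bound needs its justification next to it. From the @@ -168 hunk it appears the fixed part is now just two 2-byte length fields and the per-field `+ 2` checks carry the rest, so a comment like `/* two 2-byte length fields; string bodies are bounds-checked per field */` at each site would record that. If either function reads anything beyond the first four bytes without its own check, 4 is too small; the remainder of both functions is outside the hunks, so please confirm.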
@@ -381,7 +388,7 @@
 /* parse the prlist */
 attrrqst->prlistlen = AsUINT16(buffer->curpos);
 buffer->curpos = buffer->curpos + 2;
- if(attrrqst->prlistlen > buffer->end - buffer->curpos)
+ if(attrrqst->prlistlen + 2 > buffer->end - buffer->curpos)
 {
 return SLP_ERROR_PARSE_ERROR;
 }
@@ -396,7 +403,7 @@
 /* parse the url */
 attrrqst->urllen = AsUINT16(buffer->curpos);
 buffer->curpos = buffer->curpos + 2;
- if(attrrqst->urllen > buffer->end - buffer->curpos)
+ if(attrrqst->urllen + 2 > buffer->end - buffer->curpos)
 {
 return SLP_ERROR_PARSE_ERROR;
 }
@@ -411,7 +418,7 @@
 /* parse the scope list */
 attrrqst->scopelistlen = AsUINT16(buffer->curpos);
 buffer->curpos = buffer->curpos + 2;
- if(attrrqst->scopelistlen > buffer->end - buffer->curpos)
+ if(attrrqst->scopelistlen + 2 > buffer->end - buffer->curpos)
 {
 return SLP_ERROR_PARSE_ERROR;
 }
@@ -469,7 +476,7 @@
 /* parse the prlist */
 srvtyperqst->prlistlen = AsUINT16(buffer->curpos);
 buffer->curpos += 2;
- if(srvtyperqst->prlistlen > buffer->end - buffer->curpos)
+ if(srvtyperqst->prlistlen + 2 > buffer->end - buffer->curpos)
 {
 return SLP_ERROR_PARSE_ERROR;
 }
@@ -504,6 +511,10 @@
 }
 /* parse the scope list */
+ if(buffer->end - buffer->curpos < 2)
+ {
+ return SLP_ERROR_PARSE_ERROR;
+ }
 srvtyperqst->scopelistlen = AsUINT16(buffer->curpos);
 buffer->curpos += 2;
 if(srvtyperqst->scopelistlen > buffer->end - buffer->curpos)
--- ./libslp/libslp_parse.c.orig 2005-02-15 18:39:01.505072256 +0000
+++ ./libslp/libslp_parse.c 2005-02-15 18:41:21.510075488 +0000
@@ -168,7 +168,10 @@
 if((isTag) && strchr(ATTRIBUTE_BAD_TAG, *current_inbuf))
 return(SLP_PARSE_ERROR);
- if(strchr(ATTRIBUTE_RESERVE_STRING, *current_inbuf))
+ if((strchr(ATTRIBUTE_RESERVE_STRING, *current_inbuf)) ||
+ ((*current_inbuf >= 0x00) && (*current_inbuf <= 0x1F)) ||
+ (*current_inbuf == 0x7F)
+ )
 amount_of_escape_characters++;
 current_inbuf++;
--- ./slpd/slpd_incoming.c.orig 2005-02-15 17:01:07.456383345 +0000
+++ ./slpd/slpd_incoming.c 2005-02-15 17:47:18.244888341 +0000
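Review bot: The counting predicate in the libslp_parse.c @@ -168 hunk now covers three cases (`ATTRIBUTE_RESERVE_STRING`, 0x00-0x1F and 0x7F), but the pass that actually writes the escapes is outside this hunk; if it does not test exactly the same set, the buffer sized from `amount_of_escape_characters` comes out short, which is precisely the overflow this count exists to prevent. Factor the test into one `static int needs_escape(unsigned char c)` and call it from both passes so they cannot drift. Separately, with a signed `char` the `>= 0x00` half excludes bytes 0x80-0xFF while with an unsigned `char` it is a tautology that trips -Wtype-limits; converting once, `unsigned char c = (unsigned char)*current_inbuf;`, and comparing `c <= 0x1F || c == 0x7F` makes the intent independent of `char` signedness. Note that `strchr(..., 0)` matches the terminator, which is harmless only if the loop stops at NUL before reaching this test.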
@@ -189,13 +189,16 @@
 MSG_PEEK, (struct sockaddr *)&(sock->peeraddr), &peeraddrlen);
- if (bytesread > 0)
+ if (bytesread > 0 && bytesread >= (*peek == 2 ? 5 : 4))
 {
 if (*peek == 2)
 recvlen = AsUINT24(peek + 2);
 else if (*peek == 1) /* SLPv1 packet */
 recvlen = AsUINT16(peek + 2);
+ /* one byte is minimum */
+ if (recvlen <= 0)
+ recvlen = 1;
 /* allocate the recvbuf big enough for the whole message */
 sock->recvbuf = SLPBufferRealloc(sock->recvbuf,recvlen);
 if (sock->recvbuf)
@@ -249,7 +252,7 @@
 }
 else
 {
- /* error in recv() */
+ /* error in recv() or eof */
 sock->state = SOCKET_CLOSE;
 }
 }
--- ./slpd/slpd_outgoing.c.orig 2005-02-15 17:29:22.366303963 +0000
+++ ./slpd/slpd_outgoing.c 2005-02-15 17:46:47.727240947 +0000
@@ -190,7 +190,7 @@
 void OutgoingStreamRead(SLPList* socklist, SLPDSocket* sock)
 /*-------------------------------------------------------------------------*/
 {
- int bytesread;
+ int bytesread, recvlen;
 char peek[16];
 int peeraddrlen = sizeof(struct sockaddr_in);
@@ -205,10 +205,14 @@
 MSG_PEEK, (struct sockaddr *)&(sock->peeraddr), &peeraddrlen);
- if ( bytesread > 0 )
+ if ( bytesread >= 5 && *peek == 2 )
 {
+ recvlen = AsUINT24(peek + 2);
+ /* one byte is minimum */
+ if (recvlen <= 0)
+ recvlen = 1;
 /* allocate the recvbuf big enough for the whole message */
- sock->recvbuf = SLPBufferRealloc(sock->recvbuf,AsUINT24(peek+2));
+ sock->recvbuf = SLPBufferRealloc(sock->recvbuf, recvlen);
 if ( sock->recvbuf )
 {
 sock->state = STREAM_READ;
@@ -219,7 +223,7 @@
 sock->state = SOCKET_CLOSE;
 }
 }
- else
+ else if ( bytesread == -1 )
 {
 #ifdef _WIN32
 if ( WSAEWOULDBLOCK != WSAGetLastError() )
@@ -232,6 +236,10 @@
 OutgoingStreamReconnect(socklist,sock);
 }
 }
+ else
+ {
+ sock->state = SOCKET_CLOSE;
+ }
 }
 if ( sock->state == STREAM_READ )
--- ./slpd/slpd_v1process.c.orig 2005-02-15 17:05:42.710057099 +0000
+++ ./slpd/slpd_v1process.c 2005-02-15 17:29:06.518563216 +0000
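Review bot: In the slpd_incoming.c @@ -189 hunk, when `*peek` is neither 1 nor 2 the `if`/`else if` assigns nothing, so the new `if (recvlen <= 0) recvlen = 1;` and the following `SLPBufferRealloc` run on whatever `recvlen` held before; its declaration and any initializer are outside the hunk, so this is either undefined behaviour on an uninitialized `int` or a stale length from an earlier message. An unknown version byte should take an explicit branch that marks the socket for close instead of falling through to the allocation, e.g. `else { sock->state = SOCKET_CLOSE; }` ahead of the realloc, with the realloc guarded on a valid version. The leading `bytesread > 0 &&` is redundant once `bytesread >= (*peek == 2 ? 5 : 4)` is required, and the ternary deserves a comment such as `/* need version + 24-bit (v2) or 16-bit (v1) length before sizing the buffer */`. The enclosing function starts outside the hunk.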
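Review bot: In the slpd_outgoing.c @@ -205 hunk, `if ( bytesread >= 5 && *peek == 2 )` together with the new `else { sock->state = SOCKET_CLOSE; }` in @@ -232 means a peek that returns 1-4 bytes closes the connection; on a non-blocking stream socket a short `MSG_PEEK` result is normal when the header has not fully arrived, so a slow but legitimate reply from a DA would be dropped. If the socket is non-blocking (its setup is outside the hunk), the short-peek case should leave `sock->state` unchanged and retry on the next readable event, reserving `SOCKET_CLOSE` for `bytesread == 0` (EOF) and for a version byte other than 2. The same shape appears in slpd_incoming.c @@ -189. A comment on the final `else` naming the cases it is meant to catch, e.g. `/* EOF, or header shorter than 5 bytes / not SLPv2: give up on this peer */`, would make the intended policy reviewable.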
@@ -808,11 +808,16 @@
 {
 /* SLPv1 messages are handled only by DAs */
 errorcode = SLP_ERROR_VER_NOT_SUPPORTED;
+ return errorcode;
 }
 /* Parse just the message header the reset the buffer "curpos" pointer */
 recvbuf->curpos = recvbuf->start;
 errorcode = SLPv1MessageParseHeader(recvbuf, &header);
+ if (errorcode != 0)
+ {
+ return errorcode;
+ }
 /* TRICKY: Duplicate SRVREG recvbufs *before* parsing them */
 /* it because we are going to keep them in the */