
tommie found some buffer overflows in erq

This commit is contained in:
psyc://psyced.org/~lynX 2009-11-28 13:43:46 +01:00
parent c0325c31e6
commit 1be5683de1
5 changed files with 28 additions and 17 deletions


@ -117,13 +117,6 @@ f_idna_stringprep (svalue_t *sp)
* profile is one of the stringprep profiles defined in ldmuds idn.h * profile is one of the stringprep profiles defined in ldmuds idn.h
* str is assumed to be in utf-8 charset (see convert_charset) * str is assumed to be in utf-8 charset (see convert_charset)
* flags is one of the stringprep flags defined in LDMud's idn.h . * flags is one of the stringprep flags defined in LDMud's idn.h .
*
* funny plan to use it only for comparison:
* maybe we should modify ldmuds string structure so that applying
* stringprep will create a pointer to the normalized form which
* is then used for string comparisons rather than the non-normalized
* form
*
*/ */
{ {
char *buf; char *buf;
@ -216,7 +209,7 @@ f_idna_stringprep (svalue_t *sp)
{ {
errorf("stringprep(): Error %s", stringprep_strerror(ret)); errorf("stringprep(): Error %s", stringprep_strerror(ret));
/* NOTREACHED */ /* NOTREACHED */
} }
else else
{ {
// free the string argument // free the string argument


@ -49,7 +49,6 @@ PERCENT "%"
PERCENT_S "%s" PERCENT_S "%s"
PERIOD "." PERIOD "."
PGSQL "pgsql" PGSQL "pgsql"
LDAP "ldap"
PROG_DEALLOCATED "program deallocated" PROG_DEALLOCATED "program deallocated"
PTMALLOC "ptmalloc" PTMALLOC "ptmalloc"
RESERVE "reserve" RESERVE "reserve"
@ -236,8 +235,4 @@ SQLITE_OPEN "sl_open"
SQLITE_PRAGMA "sqlite_pragma" SQLITE_PRAGMA "sqlite_pragma"
#endif #endif
#ifdef USE_EXPAT
#endif
/***************************************************************************/ /***************************************************************************/


@ -146,6 +146,11 @@ typedef int length_t;
#define MAX_REPLY ERQ_MAX_REPLY #define MAX_REPLY ERQ_MAX_REPLY
/* don't know about the rfcs but here
* hostnames are limited to 128 chars --lynX */
#define MAX_HOSTNAME 128
#if MAX_REPLY >= ERQ_BUFSIZE #if MAX_REPLY >= ERQ_BUFSIZE
# undef MAX_REPLY # undef MAX_REPLY
# define MAX_REPLY (ERQ_BUFSIZE - 1) # define MAX_REPLY (ERQ_BUFSIZE - 1)
@ -819,7 +824,9 @@ start_subserver (long server_num, long seed)
{ {
union ticket_u ticket; union ticket_u ticket;
char header[16]; /* actually, this has always been used as outgoing buffer.
* surprising, it didn't crash! */
char header[MAX_HOSTNAME + 16];
long num, msglen; long num, msglen;
int request; int request;
pid_t child = 0; pid_t child = 0;
@ -1004,7 +1011,7 @@ start_subserver (long server_num, long seed)
if (msglen > sizeof(buf)) if (msglen > sizeof(buf))
{ {
/* Prevent a buffer overflow */ /* Prevent a buffer overflow */
fprintf(stderr, "%s ERROR: Read %ld > buffer size %ld\n", time_stamp(), msglen, sizeof(buf)); fprintf(stderr, "%s ERROR: Read %ld > buffer size %ld\n", time_stamp(), msglen, (long) sizeof(buf));
num = readn(0, buf, sizeof(buf)); num = readn(0, buf, sizeof(buf));
/* Discard the rest of the input from the channel */ /* Discard the rest of the input from the channel */
@ -1079,6 +1086,14 @@ start_subserver (long server_num, long seed)
struct hostent *hp; struct hostent *hp;
if (msglen >= MAX_HOSTNAME) {
#if 1 || ERQ_DEBUG > 0
msglen = MAX_HOSTNAME-1;
buf[msglen] = '\0';
fprintf(stderr, "%s: ERQ_LOOKUP dropping too long hostname '%s'\n", time_stamp(), buf);
#endif
break;
}
/* handle stays in header[4..7] */ /* handle stays in header[4..7] */
header[8] = CHILD_FREE; header[8] = CHILD_FREE;
memcpy(header+9, buf, msglen); /* copy address */ memcpy(header+9, buf, msglen); /* copy address */
@ -1200,6 +1215,14 @@ start_subserver (long server_num, long seed)
int counter; int counter;
char srvbuf[MAX_REPLY]; char srvbuf[MAX_REPLY];
if (msglen >= MAX_HOSTNAME) {
#if 1 || ERQ_DEBUG > 0
msglen = MAX_HOSTNAME-1;
buf[msglen] = '\0';
fprintf(stderr, "%s: ERQ_LOOKUP_SRV dropping too long hostname '%s'\n", time_stamp(), buf);
#endif
break;
}
header[8] = CHILD_FREE; header[8] = CHILD_FREE;
counter = 0; counter = 0;
srvbuf[0] = '\0'; srvbuf[0] = '\0';
@ -1543,7 +1566,7 @@ die:
memcpy(header+4, child_handle, 4); memcpy(header+4, child_handle, 4);
header[9] = ERQ_E_UNKNOWN; header[9] = ERQ_E_UNKNOWN;
header[10] = 0; header[10] = 0;
write(1, header, 11); /* releases handle */ write1(header, 11); /* releases handle */
} }
#if ERQ_DEBUG > 0 #if ERQ_DEBUG > 0
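Review bot: The `#if 1 || ERQ_DEBUG > 0` guard around the new truncate-and-log block in the ERQ_LOOKUP hunk (and the identical one in the ERQ_LOOKUP_SRV hunk) is always true, so the hostname is shortened to MAX_HOSTNAME-1 and logged regardless of ERQ_DEBUG; if that is the intent, drop the `#if`/`#endif` rather than leave a dead toggle, otherwise make it `#if ERQ_DEBUG > 0`. The logged name is taken straight from the request buffer and printed with `%s`, so a hostname containing newlines or control bytes lands unfiltered in stderr; consider masking non-printable bytes before logging. The over-long case then `break`s out of the switch without writing an error reply for the handle, which may leave the driver's request pending — the code after the switch is not in the hunk, so confirm a reply is sent there as it is on the `die:` path. start_subserver begins and ends outside these hunks.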


@ -17,7 +17,7 @@ version_longtype="stable"
# A timestamp, to be used by bumpversion and other scripts. # A timestamp, to be used by bumpversion and other scripts.
# It can be used, for example, to 'touch' this file on every build, thus # It can be used, for example, to 'touch' this file on every build, thus
# forcing revision control systems to add it on every checkin automatically. # forcing revision control systems to add it on every checkin automatically.
version_stamp="Thu May 21 23:49:43 CEST 2009" version_stamp="Fri May 22 11:28:32 CEST 2009"
# Okay, LDMUD is using 3.x.x so to avoid conflicts let's just use 4.x.x # Okay, LDMUD is using 3.x.x so to avoid conflicts let's just use 4.x.x
version_major=4 version_major=4