mirror of
git://git.psyced.org/git/psyclpc
synced 2024-08-15 03:20:16 +00:00
tommie found some buffer overflows in erq
This commit is contained in:
parent
c0325c31e6
commit
1be5683de1
5 changed files with 28 additions and 17 deletions
|
@ -117,13 +117,6 @@ f_idna_stringprep (svalue_t *sp)
|
|||
* profile is one of the stringprep profiles defined in ldmuds idn.h
|
||||
* str is assumed to be in utf-8 charset (see convert_charset)
|
||||
* flags is one of the stringprep flags defined in LDMud's idn.h .
|
||||
*
|
||||
* funny plan to use it only for comparison:
|
||||
* maybe we should modify ldmuds string structure so that applying
|
||||
* stringprep will create a pointer to the normalized form which
|
||||
* is then used for string comparisons rather than the non-normalized
|
||||
* form
|
||||
*
|
||||
*/
|
||||
{
|
||||
char *buf;
|
||||
|
|
|
@ -49,7 +49,6 @@ PERCENT "%"
|
|||
PERCENT_S "%s"
|
||||
PERIOD "."
|
||||
PGSQL "pgsql"
|
||||
LDAP "ldap"
|
||||
PROG_DEALLOCATED "program deallocated"
|
||||
PTMALLOC "ptmalloc"
|
||||
RESERVE "reserve"
|
||||
|
@ -236,8 +235,4 @@ SQLITE_OPEN "sl_open"
|
|||
SQLITE_PRAGMA "sqlite_pragma"
|
||||
#endif
|
||||
|
||||
#ifdef USE_EXPAT
|
||||
|
||||
#endif
|
||||
|
||||
/***************************************************************************/
|
||||
|
|
|
@ -146,6 +146,11 @@ typedef int length_t;
|
|||
#define MAX_REPLY ERQ_MAX_REPLY
|
||||
|
||||
|
||||
/* don't know about the rfcs but here
|
||||
* hostnames are limited to 128 chars --lynX */
|
||||
#define MAX_HOSTNAME 128
|
||||
|
||||
|
||||
#if MAX_REPLY >= ERQ_BUFSIZE
|
||||
# undef MAX_REPLY
|
||||
# define MAX_REPLY (ERQ_BUFSIZE - 1)
|
||||
|
@ -819,7 +824,9 @@ start_subserver (long server_num, long seed)
|
|||
|
||||
{
|
||||
union ticket_u ticket;
|
||||
char header[16];
|
||||
/* actually, this has always been used as outgoing buffer.
|
||||
* surprising, it didn't crash! */
|
||||
char header[MAX_HOSTNAME + 16];
|
||||
long num, msglen;
|
||||
int request;
|
||||
pid_t child = 0;
|
||||
|
@ -1004,7 +1011,7 @@ start_subserver (long server_num, long seed)
|
|||
if (msglen > sizeof(buf))
|
||||
{
|
||||
/* Prevent a buffer overflow */
|
||||
fprintf(stderr, "%s ERROR: Read %ld > buffer size %ld\n", time_stamp(), msglen, sizeof(buf));
|
||||
fprintf(stderr, "%s ERROR: Read %ld > buffer size %ld\n", time_stamp(), msglen, (long) sizeof(buf));
|
||||
num = readn(0, buf, sizeof(buf));
|
||||
|
||||
/* Discard the rest of the input from the channel */
|
||||
|
@ -1079,6 +1086,14 @@ start_subserver (long server_num, long seed)
|
|||
|
||||
struct hostent *hp;
|
||||
|
||||
if (msglen >= MAX_HOSTNAME) {
|
||||
#if 1 || ERQ_DEBUG > 0
|
||||
msglen = MAX_HOSTNAME-1;
|
||||
buf[msglen] = '\0';
|
||||
fprintf(stderr, "%s: ERQ_LOOKUP dropping too long hostname '%s'\n", time_stamp(), buf);
|
||||
#endif
|
||||
break;
|
||||
}
|
||||
/* handle stays in header[4..7] */
|
||||
header[8] = CHILD_FREE;
|
||||
memcpy(header+9, buf, msglen); /* copy address */
|
||||
|
@ -1200,6 +1215,14 @@ start_subserver (long server_num, long seed)
|
|||
int counter;
|
||||
char srvbuf[MAX_REPLY];
|
||||
|
||||
if (msglen >= MAX_HOSTNAME) {
|
||||
#if 1 || ERQ_DEBUG > 0
|
||||
msglen = MAX_HOSTNAME-1;
|
||||
buf[msglen] = '\0';
|
||||
fprintf(stderr, "%s: ERQ_LOOKUP_SRV dropping too long hostname '%s'\n", time_stamp(), buf);
|
||||
#endif
|
||||
break;
|
||||
}
|
||||
header[8] = CHILD_FREE;
|
||||
counter = 0;
|
||||
srvbuf[0] = '\0';
|
||||
|
@ -1543,7 +1566,7 @@ die:
|
|||
memcpy(header+4, child_handle, 4);
|
||||
header[9] = ERQ_E_UNKNOWN;
|
||||
header[10] = 0;
|
||||
write(1, header, 11); /* releases handle */
|
||||
write1(header, 11); /* releases handle */
|
||||
}
|
||||
|
||||
#if ERQ_DEBUG > 0
|
||||
|
|
|
@ -17,7 +17,7 @@ version_longtype="stable"
|
|||
# A timestamp, to be used by bumpversion and other scripts.
|
||||
# It can be used, for example, to 'touch' this file on every build, thus
|
||||
# forcing revision control systems to add it on every checkin automatically.
|
||||
version_stamp="Thu May 21 23:49:43 CEST 2009"
|
||||
version_stamp="Fri May 22 11:28:32 CEST 2009"
|
||||
|
||||
# Okay, LDMUD is using 3.x.x so to avoid conflicts let's just use 4.x.x
|
||||
version_major=4
|
||||
|
|
Loading…
Reference in a new issue