
Fix for one of the two vulnerabilities



tags 383030 +patch
thanks

Hi,
I think this patch fixes the first vulnerability reported. I'm CCing
debian-security as it would be good if somebody more seasoned in these
matters could take a look at it (please CC me).

--
Martín Ferrari
--- lib/http.cpp	2006-06-27 20:06:08.000000000 -0300
+++ lib/http.cpp-new	2006-08-22 02:23:37.000000000 -0300
@@ -72,6 +72,8 @@
 const unsigned short kHttpPort = 80;
 const unsigned int kMaxHostNameLen = 64;
 const unsigned int kMaxURLLen = 1024;
+const char *kHostNameFmt1 = "http://%64[^:/]:%hu";; /* Note it depends on kMaxHostNameLen */
+const char *kHostNameFmt2 = "http://%64[^:/]";; /* Ditto */
 const unsigned int kBufferSize=8192;
 const unsigned int iSleepTime = 10000; // time to sleep between selects in usec
 const unsigned int iSleepCount = 3000; // how many sleep times before timing out
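Review bot: The `%64[` width in kHostNameFmt1/kHostNameFmt2 lets sscanf store up to 64 characters and then a terminating NUL, i.e. 65 bytes, so if `hostname` and `targethostname` are declared as `char name[kMaxHostNameLen]` (their declarations are outside the hunk) the conversion can still write one byte past the end; the width should be `kMaxHostNameLen - 1`, e.g. `"http://%63[^:/]:%hu"`, or the arrays sized `kMaxHostNameLen + 1`. The comment "depends on kMaxHostNameLen" documents the coupling but nothing enforces it; a comment next to kMaxHostNameLen such as `// kHostNameFmt1/2 hard-code this width minus one for the NUL — keep them in sync` would at least make the dependency visible at both ends. The doubled `;;` after each string literal looks like an artifact of the archive rendering and should be verified against the actual patch file.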
@@ -233,23 +235,28 @@
 
         result = kError_NoErr;  
 
+	/* Not really needed, just for extra measure */
+	if((url.length() > kMaxURLLen) || (m_proxy.length() > kMaxURLLen))
+	    result = kError_InvalidParam;
+
+	if(IsntError(result))
+	{
+
         if(m_proxy.length() > 0)
         {
             hostname[0] = 0;
-            numFields = sscanf(m_proxy.c_str(), 
-                               "http://%[^:/]:%hu";, hostname, &port);
-            sscanf(url.c_str(), "http://%[^:/]";, targethostname);
+            numFields = sscanf(m_proxy.c_str(), kHostNameFmt1, hostname, &port);
+            sscanf(url.c_str(), kHostNameFmt2, targethostname);
 
-            strcpy(proxyname, url.c_str());
+            strncpy(proxyname, url.c_str(), kMaxURLLen);
             file = string(proxyname);
         }
         else
         {
             const char *ptr;
             hostname[0] = 0;
-            numFields = sscanf(url.c_str(), 
-                           "http://%[^:/]:%hu";, hostname, &port);
-            strcpy(targethostname, hostname);
+            numFields = sscanf(url.c_str(), kHostNameFmt1, hostname, &port);
+            strncpy(targethostname, hostname, kMaxHostNameLen);
             ptr = strchr(url.c_str() + 7, '/');
             file = string(ptr ? ptr : "");
         }
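Review bot: Both strncpy calls can leave their destination unterminated: the guard only rejects `url.length() > kMaxURLLen`, so a URL of exactly kMaxURLLen characters makes `strncpy(proxyname, url.c_str(), kMaxURLLen)` copy with no NUL, and `file = string(proxyname)` on the next line then reads past the buffer; likewise a 64-character hostname from `%64[` fills `targethostname` via `strncpy(..., kMaxHostNameLen)` without a terminator. Change the guard to `if((url.length() >= kMaxURLLen) || (m_proxy.length() >= kMaxURLLen))` and terminate explicitly after each copy, e.g. `proxyname[kMaxURLLen - 1] = '\0';` and `targethostname[kMaxHostNameLen - 1] = '\0';`, assuming the arrays are sized kMaxURLLen and kMaxHostNameLen (their declarations are outside the hunk). In the proxy branch the return value of `sscanf(url.c_str(), kHostNameFmt2, targethostname)` is still unchecked and `targethostname` is not cleared the way `hostname[0] = 0` is, so a URL without a parsable host leaves it uninitialized. The added lines use tabs where the surrounding code uses spaces. The enclosing function starts and ends outside this hunk.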
@@ -264,6 +271,7 @@
         {
             port = kHttpPort;
         }            
+	}
     }
 
     // get hostname
@@ -434,7 +442,7 @@
                         result = kError_IOError;
                     }
     
-                }while(IsntError(result) && !IsHTTPHeaderComplete(buffer, total));
+                }while(IsntError(result) && !IsHTTPHeaderComplete(buffer, total) && (total < bufferSize - 1));
                 // If this is a continue response, skip the first header
                 // and keep on truckin'
                 if (buffer[9] == '1')
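Review bot: The new `total < bufferSize - 1` condition stops the loop when the buffer is full, but nothing records that the header was never completed: `result` stays kError_NoErr and the code falls through to `buffer[9] == '1'` and the rest of the header handling as if `IsHTTPHeaderComplete` had returned true. After the loop add `if (IsntError(result) && !IsHTTPHeaderComplete(buffer, total)) result = kError_IOError;` (or a dedicated error code if the project has one) so an oversized or truncated header is reported rather than parsed. The `buffer[9]` access is also unguarded when `total` is smaller than 10, which the new bound does not address. The do-while being modified begins outside this hunk, so the recv/read call that fills `buffer` and whether it already limits itself to `bufferSize - total` could not be checked here.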
