Fix for one of the two vulnerabilities
tags 383030 +patch
thanks
Hi,
I think this patch fixes the first vulnerability reported. I'm CCing
debian-security as it would be good if somebody more seasoned in these
matters could take a look at it (please CC me).
--
Martín Ferrari
--- lib/http.cpp 2006-06-27 20:06:08.000000000 -0300
+++ lib/http.cpp-new 2006-08-22 02:23:37.000000000 -0300
@@ -72,6 +72,8 @@
const unsigned short kHttpPort = 80;
const unsigned int kMaxHostNameLen = 64;
const unsigned int kMaxURLLen = 1024;
+const char *kHostNameFmt1 = "http://%64[^:/]:%hu"; /* Note it depends on kMaxHostNameLen */
+const char *kHostNameFmt2 = "http://%64[^:/]"; /* Ditto */
const unsigned int kBufferSize=8192;
const unsigned int iSleepTime = 10000; // time to sleep between selects in usec
const unsigned int iSleepCount = 3000; // how many sleep times before timing out
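Review bot: The `%64[^:/]` width in kHostNameFmt1 and kHostNameFmt2 lets sscanf store 64 characters plus the terminating NUL it appends, so a 64-character host name still writes 65 bytes; the destinations `hostname`/`targethostname` are declared outside this hunk, but if they are `kMaxHostNameLen` (64) bytes the width must be one less, i.e. `"http://%63[^:/]:%hu"` and `"http://%63[^:/]"`. The comment "depends on kMaxHostNameLen" is not enforced by anything: the width is a literal that can drift from the constant, so either derive it through a stringizing macro or make the comment explicit, e.g. `/* field width MUST be kMaxHostNameLen - 1: sscanf appends a NUL */`. The bound also needs to match the actual buffer declaration, which I cannot see here — confirm before relying on it.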
@@ -233,23 +235,28 @@
result = kError_NoErr;
+ /* Not really needed, just for extra measure */
+ if((url.length() > kMaxURLLen) || (m_proxy.length() > kMaxURLLen))
+ result = kError_InvalidParam;
+
+ if(IsntError(result))
+ {
+
if(m_proxy.length() > 0)
{
hostname[0] = 0;
- numFields = sscanf(m_proxy.c_str(),
- "http://%[^:/]:%hu", hostname, &port);
- sscanf(url.c_str(), "http://%[^:/]", targethostname);
+ numFields = sscanf(m_proxy.c_str(), kHostNameFmt1, hostname, &port);
+ sscanf(url.c_str(), kHostNameFmt2, targethostname);
- strcpy(proxyname, url.c_str());
+ strncpy(proxyname, url.c_str(), kMaxURLLen);
file = string(proxyname);
}
else
{
const char *ptr;
hostname[0] = 0;
- numFields = sscanf(url.c_str(),
- "http://%[^:/]:%hu", hostname, &port);
- strcpy(targethostname, hostname);
+ numFields = sscanf(url.c_str(), kHostNameFmt1, hostname, &port);
+ strncpy(targethostname, hostname, kMaxHostNameLen);
ptr = strchr(url.c_str() + 7, '/');
file = string(ptr ? ptr : "");
}
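Review bot: `strncpy(proxyname, url.c_str(), kMaxURLLen)` does not NUL-terminate when the source is exactly kMaxURLLen bytes, and the new guard only rejects `url.length() > kMaxURLLen`, so a 1024-character URL passes the check and `string(proxyname)` then reads past an unterminated buffer (proxyname is declared outside the hunk, presumably kMaxURLLen bytes — verify). `strncpy(targethostname, hostname, kMaxHostNameLen)` has the same problem, since with a `%64` width `hostname` can legitimately hold 64 characters. Make the guard `>=`, and terminate explicitly after each copy: `proxyname[kMaxURLLen - 1] = '\0';` and `targethostname[kMaxHostNameLen - 1] = '\0';`. The "Not really needed" comment on the guard is misleading — the guard is what makes the strncpy lengths safe — so I would drop it. The enclosing function starts before and ends after this hunk.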
@@ -264,6 +271,7 @@
{
port = kHttpPort;
}
+ }
}
// get hostname
@@ -434,7 +442,7 @@
result = kError_IOError;
}
- }while(IsntError(result) && !IsHTTPHeaderComplete(buffer, total));
+ }while(IsntError(result) && !IsHTTPHeaderComplete(buffer, total) && (total < bufferSize - 1));
// If this is a continue response, skip the first header
// and keep on truckin'
if (buffer[9] == '1')
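Review bot: The new `total < bufferSize - 1` bound stops the read loop when the buffer fills but leaves `result` as success, so a header larger than the buffer falls through to the parsing below (`buffer[9]`) as if it were complete; add after the loop `if (IsntError(result) && !IsHTTPHeaderComplete(buffer, total)) result = kError_IOError;` (or a more specific code if one exists). The loop body and the length passed to the receive call are outside the hunk, so confirm each read is itself capped at `bufferSize - 1 - total` — the loop guard alone does not prevent one read from overrunning. The `buffer[9]` access is also unguarded against a short `total`, though that is pre-existing code. The enclosing function continues on both sides of the hunk.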