Timestamp:
    05/29/12 18:19:38
Author:
    aquette
Message:

    Fix CVE-2012-2944: upsd can be remotely crashed

    NUT server (upsd), from versions 2.4.0 to 2.6.3, are exposed to
    crashes when receiving random data from the network.

    This issue is related to the way NUT parses characters, especially
    from the network. Non printable characters were missed from strings
    operation (such as strlen), but still copied to the buffer, causing
    an overflow.

    Thus, fix NUT parser, to only allow the subset Ascii charset from
    Space to ~

    (Reported by Sebastian Pohle, Alioth bug #313636, CVE-2012-2944)

Index: /trunk/common/parseconf.c
===================================================================
--- /trunk/common/parseconf.c	(revision 3487)
+++ /trunk/common/parseconf.c	(revision 3633)
@@ -171,4 +171,11 @@
 
 	wbuflen = strlen(ctx->wordbuf);
+
+	/* CVE-2012-2944: only allow the subset Ascii charset from Space to ~ */
+	if ((ctx->ch < 0x20) || (ctx->ch > 0x7f)) {
+		fprintf(stderr, "addchar: discarding invalid character (0x%02x)!\n",
+				ctx->ch);
+		return;
+	}
 
 	if (ctx->wordlen_limit != 0) {