Stanislav Brabec
c2e5ede603
- Fix random network data crash (bnc#764699, CVE-2012-2944). OBS-URL: https://build.opensuse.org/request/show/131064 OBS-URL: https://build.opensuse.org/package/show/hardware/nut?expand=0&rev=31
38 lines
1.1 KiB
Diff
38 lines
1.1 KiB
Diff
Timestamp:
|
|
05/29/12 18:19:38
|
|
Author:
|
|
aquette
|
|
Message:
|
|
|
|
Fix CVE-2012-2944: upsd can be remotely crashed
|
|
|
|
NUT server (upsd), from versions 2.4.0 to 2.6.3, are exposed to
|
|
crashes when receiving random data from the network.
|
|
|
|
This issue is related to the way NUT parses characters, especially
|
|
from the network. Non printable characters were missed from strings
|
|
operation (such as strlen), but still copied to the buffer, causing
|
|
an overflow.
|
|
|
|
Thus, fix NUT parser, to only allow the subset Ascii charset from
|
|
Space to ~
|
|
|
|
(Reported by Sebastian Pohle, Alioth bug #313636, CVE-2012-2944)
|
|
|
|
Index: /trunk/common/parseconf.c
|
|
===================================================================
|
|
--- /trunk/common/parseconf.c (revision 3487)
|
|
+++ /trunk/common/parseconf.c (revision 3633)
|
|
@@ -171,4 +171,11 @@
|
|
|
|
wbuflen = strlen(ctx->wordbuf);
|
|
+
|
|
+ /* CVE-2012-2944: only allow the subset Ascii charset from Space to ~ */
|
|
+ if ((ctx->ch < 0x20) || (ctx->ch > 0x7f)) {
|
|
+ fprintf(stderr, "addchar: discarding invalid character (0x%02x)!\n",
|
|
+ ctx->ch);
|
|
+ return;
|
|
+ }
|
|
|
|
if (ctx->wordlen_limit != 0) {
|