541 lines
18 KiB
Diff
541 lines
18 KiB
Diff
|
--- ./common/slp_dhcp.c.orig 2005-02-15 18:28:19.332759386 +0000
|
||
|
|
+++ ./common/slp_dhcp.c 2005-02-15 18:30:52.797854324 +0000
|
||
|
|
@@ -598,6 +598,7 @@
|
||
|
|
cpysz = optdatasz < sizeof(ctxp->scopelist)?
|
||
|
|
optdatasz: sizeof(ctxp->scopelist);
|
||
|
|
strncpy(ctxp->scopelist, (char*)p, cpysz);
|
||
|
|
+ ctxp->scopelist[sizeof(ctxp->scopelist) - 1] = 0;
|
||
|
|
}
|
||
|
|
else
|
||
|
|
{
|
||
|
|
@@ -622,6 +623,7 @@
|
||
|
|
cpysz = optdatasz < sizeof(ctxp->scopelist)?
|
||
|
|
optdatasz: sizeof(ctxp->scopelist);
|
||
|
|
strncpy(ctxp->scopelist, (char*)p, cpysz);
|
||
|
|
+ ctxp->scopelist[sizeof(ctxp->scopelist) - 1] = 0;
|
||
|
|
}
|
||
|
|
}
|
||
|
|
break;
|
||
|
|
--- ./common/slp_message.c.orig 2005-02-15 16:48:20.243994238 +0000
|
||
|
|
+++ ./common/slp_message.c 2005-02-15 18:17:16.217402037 +0000
|
||
|
|
@@ -68,6 +68,10 @@
|
||
|
|
/* header (IN/OUT) pointer to the header structure to fill out */
|
||
|
|
/*=========================================================================*/
|
||
|
|
{
|
||
|
|
+ if (buffer->end - buffer->start < 2)
|
||
|
|
+ {
|
||
|
|
+ return SLP_ERROR_PARSE_ERROR;
|
||
|
|
+ }
|
||
|
|
header->version = *(buffer->curpos);
|
||
|
|
header->functionid = *(buffer->curpos + 1);
|
||
|
|
|
||
|
|
@@ -75,6 +79,11 @@
|
||
|
|
{
|
||
|
|
return SLP_ERROR_VER_NOT_SUPPORTED;
|
||
|
|
}
|
||
|
|
+ /* check for invalid length 18 bytes is the smallest v2 message*/
|
||
|
|
+ if (buffer->end - buffer->start < 18)
|
||
|
|
+ {
|
||
|
|
+ return SLP_ERROR_PARSE_ERROR;
|
||
|
|
+ }
|
||
|
|
header->length = AsUINT24(buffer->curpos + 2);
|
||
|
|
header->flags = AsUINT16(buffer->curpos + 5);
|
||
|
|
header->encoding = 0; /* not used for SLPv2 */
|
||
|
|
@@ -89,9 +98,7 @@
|
||
|
|
return SLP_ERROR_PARSE_ERROR;
|
||
|
|
}
|
||
|
|
|
||
|
|
- /* check for invalid length 18 bytes is the smallest v2 message*/
|
||
|
|
- if(header->length != buffer->end - buffer->start ||
|
||
|
|
- header->length < 18)
|
||
|
|
+ if(header->length != buffer->end - buffer->start)
|
||
|
|
{
|
||
|
|
return SLP_ERROR_PARSE_ERROR;
|
||
|
|
}
|
||
|
|
@@ -187,7 +194,7 @@
|
||
|
|
/* parse out url */
|
||
|
|
urlentry->urllen = AsUINT16(buffer->curpos);
|
||
|
|
buffer->curpos = buffer->curpos + 2;
|
||
|
|
- if(urlentry->urllen > buffer->end - buffer->curpos)
|
||
|
|
+ if(urlentry->urllen + 1 > buffer->end - buffer->curpos)
|
||
|
|
{
|
||
|
|
return SLP_ERROR_PARSE_ERROR;
|
||
|
|
}
|
||
|
|
@@ -235,7 +242,7 @@
|
||
|
|
/* parse the prlist */
|
||
|
|
srvrqst->prlistlen = AsUINT16(buffer->curpos);
|
||
|
|
buffer->curpos = buffer->curpos + 2;
|
||
|
|
- if(srvrqst->prlistlen > buffer->end - buffer->curpos)
|
||
|
|
+ if(srvrqst->prlistlen + 2 > buffer->end - buffer->curpos)
|
||
|
|
{
|
||
|
|
return SLP_ERROR_PARSE_ERROR;
|
||
|
|
}
|
||
|
|
@@ -246,7 +253,7 @@
|
||
|
|
/* parse the service type */
|
||
|
|
srvrqst->srvtypelen = AsUINT16(buffer->curpos);
|
||
|
|
buffer->curpos = buffer->curpos + 2;
|
||
|
|
- if(srvrqst->srvtypelen > buffer->end - buffer->curpos)
|
||
|
|
+ if(srvrqst->srvtypelen + 2 > buffer->end - buffer->curpos)
|
||
|
|
{
|
||
|
|
return SLP_ERROR_PARSE_ERROR;
|
||
|
|
}
|
||
|
|
@@ -257,7 +264,7 @@
|
||
|
|
/* parse the scope list */
|
||
|
|
srvrqst->scopelistlen = AsUINT16(buffer->curpos);
|
||
|
|
buffer->curpos = buffer->curpos + 2;
|
||
|
|
- if(srvrqst->scopelistlen > buffer->end - buffer->curpos)
|
||
|
|
+ if(srvrqst->scopelistlen + 2 > buffer->end - buffer->curpos)
|
||
|
|
{
|
||
|
|
return SLP_ERROR_PARSE_ERROR;
|
||
|
|
}
|
||
|
|
@@ -269,7 +276,7 @@
|
||
|
|
srvrqst->predicatever = 2; /* SLPv2 predicate (LDAPv3) */
|
||
|
|
srvrqst->predicatelen = AsUINT16(buffer->curpos);
|
||
|
|
buffer->curpos = buffer->curpos + 2;
|
||
|
|
- if(srvrqst->predicatelen > buffer->end - buffer->curpos)
|
||
|
|
+ if(srvrqst->predicatelen + 2 > buffer->end - buffer->curpos)
|
||
|
|
{
|
||
|
|
return SLP_ERROR_PARSE_ERROR;
|
||
|
|
}
|
||
|
|
@@ -358,10 +365,14 @@
|
||
|
|
return result;
|
||
|
|
}
|
||
|
|
|
||
|
|
+ if(buffer->end - buffer->curpos < 2)
|
||
|
|
+ {
|
||
|
|
+ return SLP_ERROR_PARSE_ERROR;
|
||
|
|
+ }
|
||
|
|
/* parse the service type */
|
||
|
|
srvreg->srvtypelen = AsUINT16(buffer->curpos);
|
||
|
|
buffer->curpos = buffer->curpos + 2;
|
||
|
|
- if(srvreg->srvtypelen > buffer->end - buffer->curpos)
|
||
|
|
+ if(srvreg->srvtypelen + 2 > buffer->end - buffer->curpos)
|
||
|
|
{
|
||
|
|
return SLP_ERROR_PARSE_ERROR;
|
||
|
|
}
|
||
|
|
@@ -372,7 +383,7 @@
|
||
|
|
/* parse the scope list */
|
||
|
|
srvreg->scopelistlen = AsUINT16(buffer->curpos);
|
||
|
|
buffer->curpos = buffer->curpos + 2;
|
||
|
|
- if(srvreg->scopelistlen > buffer->end - buffer->curpos)
|
||
|
|
+ if(srvreg->scopelistlen + 2 > buffer->end - buffer->curpos)
|
||
|
|
{
|
||
|
|
return SLP_ERROR_PARSE_ERROR;
|
||
|
|
}
|
||
|
|
@@ -383,7 +394,7 @@
|
||
|
|
/* parse the attribute list*/
|
||
|
|
srvreg->attrlistlen = AsUINT16(buffer->curpos);
|
||
|
|
buffer->curpos = buffer->curpos + 2;
|
||
|
|
- if(srvreg->attrlistlen > buffer->end - buffer->curpos)
|
||
|
|
+ if(srvreg->attrlistlen + 1 > buffer->end - buffer->curpos)
|
||
|
|
{
|
||
|
|
return SLP_ERROR_PARSE_ERROR;
|
||
|
|
}
|
||
|
|
@@ -447,6 +458,10 @@
|
||
|
|
}
|
||
|
|
|
||
|
|
/* parse the tag list */
|
||
|
|
+ if(buffer->end - buffer->curpos < 2)
|
||
|
|
+ {
|
||
|
|
+ return SLP_ERROR_PARSE_ERROR;
|
||
|
|
+ }
|
||
|
|
srvdereg->taglistlen = AsUINT16(buffer->curpos);
|
||
|
|
buffer->curpos = buffer->curpos + 2;
|
||
|
|
if(srvdereg->taglistlen > buffer->end - buffer->curpos)
|
||
|
|
@@ -482,7 +497,7 @@
|
||
|
|
/* parse the prlist */
|
||
|
|
attrrqst->prlistlen = AsUINT16(buffer->curpos);
|
||
|
|
buffer->curpos = buffer->curpos + 2;
|
||
|
|
- if(attrrqst->prlistlen > buffer->end - buffer->curpos)
|
||
|
|
+ if(attrrqst->prlistlen + 2 > buffer->end - buffer->curpos)
|
||
|
|
{
|
||
|
|
return SLP_ERROR_PARSE_ERROR;
|
||
|
|
}
|
||
|
|
@@ -492,7 +507,7 @@
|
||
|
|
/* parse the url */
|
||
|
|
attrrqst->urllen = AsUINT16(buffer->curpos);
|
||
|
|
buffer->curpos = buffer->curpos + 2;
|
||
|
|
- if(attrrqst->urllen > buffer->end - buffer->curpos)
|
||
|
|
+ if(attrrqst->urllen + 2 > buffer->end - buffer->curpos)
|
||
|
|
{
|
||
|
|
return SLP_ERROR_PARSE_ERROR;
|
||
|
|
}
|
||
|
|
@@ -503,7 +518,7 @@
|
||
|
|
/* parse the scope list */
|
||
|
|
attrrqst->scopelistlen = AsUINT16(buffer->curpos);
|
||
|
|
buffer->curpos = buffer->curpos + 2;
|
||
|
|
- if(attrrqst->scopelistlen > buffer->end - buffer->curpos)
|
||
|
|
+ if(attrrqst->scopelistlen + 2 > buffer->end - buffer->curpos)
|
||
|
|
{
|
||
|
|
return SLP_ERROR_PARSE_ERROR;
|
||
|
|
}
|
||
|
|
@@ -514,7 +529,7 @@
|
||
|
|
/* parse the taglist string */
|
||
|
|
attrrqst->taglistlen = AsUINT16(buffer->curpos);
|
||
|
|
buffer->curpos = buffer->curpos + 2;
|
||
|
|
- if(attrrqst->taglistlen > buffer->end - buffer->curpos)
|
||
|
|
+ if(attrrqst->taglistlen + 2 > buffer->end - buffer->curpos)
|
||
|
|
{
|
||
|
|
return SLP_ERROR_PARSE_ERROR;
|
||
|
|
}
|
||
|
|
@@ -563,7 +578,7 @@
|
||
|
|
/* parse out the attrlist */
|
||
|
|
attrrply->attrlistlen = AsUINT16(buffer->curpos);
|
||
|
|
buffer->curpos = buffer->curpos + 2;
|
||
|
|
- if(attrrply->attrlistlen > buffer->end - buffer->curpos)
|
||
|
|
+ if(attrrply->attrlistlen + 1 > buffer->end - buffer->curpos)
|
||
|
|
{
|
||
|
|
return SLP_ERROR_PARSE_ERROR;
|
||
|
|
}
|
||
|
|
@@ -619,13 +634,17 @@
|
||
|
|
buffer->curpos = buffer->curpos + 2;
|
||
|
|
|
||
|
|
/* parse out the bootstamp */
|
||
|
|
+ if(buffer->end - buffer->curpos < 6)
|
||
|
|
+ {
|
||
|
|
+ return SLP_ERROR_PARSE_ERROR;
|
||
|
|
+ }
|
||
|
|
daadvert->bootstamp = AsUINT32(buffer->curpos);
|
||
|
|
buffer->curpos = buffer->curpos + 4;
|
||
|
|
|
||
|
|
/* parse out the url */
|
||
|
|
daadvert->urllen = AsUINT16(buffer->curpos);
|
||
|
|
buffer->curpos = buffer->curpos + 2;
|
||
|
|
- if(daadvert->urllen > buffer->end - buffer->curpos)
|
||
|
|
+ if(daadvert->urllen + 2 > buffer->end - buffer->curpos)
|
||
|
|
{
|
||
|
|
return SLP_ERROR_PARSE_ERROR;
|
||
|
|
}
|
||
|
|
@@ -635,7 +654,7 @@
|
||
|
|
/* parse the scope list */
|
||
|
|
daadvert->scopelistlen = AsUINT16(buffer->curpos);
|
||
|
|
buffer->curpos = buffer->curpos + 2;
|
||
|
|
- if(daadvert->scopelistlen > buffer->end - buffer->curpos)
|
||
|
|
+ if(daadvert->scopelistlen + 2 > buffer->end - buffer->curpos)
|
||
|
|
{
|
||
|
|
return SLP_ERROR_PARSE_ERROR;
|
||
|
|
}
|
||
|
|
@@ -645,7 +664,7 @@
|
||
|
|
/* parse the attr list */
|
||
|
|
daadvert->attrlistlen = AsUINT16(buffer->curpos);
|
||
|
|
buffer->curpos = buffer->curpos + 2;
|
||
|
|
- if(daadvert->attrlistlen > buffer->end - buffer->curpos)
|
||
|
|
+ if(daadvert->attrlistlen + 2 > buffer->end - buffer->curpos)
|
||
|
|
{
|
||
|
|
return SLP_ERROR_PARSE_ERROR;
|
||
|
|
}
|
||
|
|
@@ -655,7 +674,7 @@
|
||
|
|
/* parse the SPI list */
|
||
|
|
daadvert->spilistlen = AsUINT16(buffer->curpos);
|
||
|
|
buffer->curpos = buffer->curpos + 2;
|
||
|
|
- if(daadvert->spilistlen > buffer->end - buffer->curpos)
|
||
|
|
+ if(daadvert->spilistlen + 1 > buffer->end - buffer->curpos)
|
||
|
|
{
|
||
|
|
return SLP_ERROR_PARSE_ERROR;
|
||
|
|
}
|
||
|
|
@@ -704,7 +723,7 @@
|
||
|
|
/* parse out the url */
|
||
|
|
saadvert->urllen = AsUINT16(buffer->curpos);
|
||
|
|
buffer->curpos = buffer->curpos + 2;
|
||
|
|
- if(saadvert->urllen > buffer->end - buffer->curpos)
|
||
|
|
+ if(saadvert->urllen + 2 > buffer->end - buffer->curpos)
|
||
|
|
{
|
||
|
|
return SLP_ERROR_PARSE_ERROR;
|
||
|
|
}
|
||
|
|
@@ -714,7 +733,7 @@
|
||
|
|
/* parse the scope list */
|
||
|
|
saadvert->scopelistlen = AsUINT16(buffer->curpos);
|
||
|
|
buffer->curpos = buffer->curpos + 2;
|
||
|
|
- if(saadvert->scopelistlen > buffer->end - buffer->curpos)
|
||
|
|
+ if(saadvert->scopelistlen + 2 > buffer->end - buffer->curpos)
|
||
|
|
{
|
||
|
|
return SLP_ERROR_PARSE_ERROR;
|
||
|
|
}
|
||
|
|
@@ -724,7 +743,7 @@
|
||
|
|
/* parse the attr list */
|
||
|
|
saadvert->attrlistlen = AsUINT16(buffer->curpos);
|
||
|
|
buffer->curpos = buffer->curpos + 2;
|
||
|
|
- if(saadvert->attrlistlen > buffer->end - buffer->curpos)
|
||
|
|
+ if(saadvert->attrlistlen + 1 > buffer->end - buffer->curpos)
|
||
|
|
{
|
||
|
|
return SLP_ERROR_PARSE_ERROR;
|
||
|
|
}
|
||
|
|
@@ -769,7 +788,7 @@
|
||
|
|
/* parse the prlist */
|
||
|
|
srvtyperqst->prlistlen = AsUINT16(buffer->curpos);
|
||
|
|
buffer->curpos += 2;
|
||
|
|
- if(srvtyperqst->prlistlen > buffer->end - buffer->curpos)
|
||
|
|
+ if(srvtyperqst->prlistlen + 2 > buffer->end - buffer->curpos)
|
||
|
|
{
|
||
|
|
return SLP_ERROR_PARSE_ERROR;
|
||
|
|
}
|
||
|
|
@@ -794,6 +813,10 @@
|
||
|
|
}
|
||
|
|
|
||
|
|
/* parse the scope list */
|
||
|
|
+ if(buffer->end - buffer->curpos < 2)
|
||
|
|
+ {
|
||
|
|
+ return SLP_ERROR_PARSE_ERROR;
|
||
|
|
+ }
|
||
|
|
srvtyperqst->scopelistlen = AsUINT16(buffer->curpos);
|
||
|
|
buffer->curpos += 2;
|
||
|
|
if(srvtyperqst->scopelistlen > buffer->end - buffer->curpos)
|
||
|
|
--- ./common/slp_network.c.orig 2005-02-15 17:48:00.831814261 +0000
|
||
|
|
+++ ./common/slp_network.c 2005-02-15 17:51:29.856000181 +0000
|
||
|
|
@@ -300,7 +300,7 @@
|
||
|
|
/* EINVAL parse error */
|
||
|
|
/*=========================================================================*/
|
||
|
|
{
|
||
|
|
- int xferbytes;
|
||
|
|
+ int xferbytes, recvlen;
|
||
|
|
fd_set readfds;
|
||
|
|
char peek[16];
|
||
|
|
int peeraddrlen = sizeof(struct sockaddr_in);
|
||
|
|
@@ -359,10 +359,14 @@
|
||
|
|
/* Read the rest of the message */
|
||
|
|
/*------------------------------*/
|
||
|
|
/* check the version */
|
||
|
|
- if(*peek == 2)
|
||
|
|
+ if(xferbytes >= 5 && *peek == 2)
|
||
|
|
{
|
||
|
|
/* allocate the recvmsg big enough for the whole message */
|
||
|
|
- *buf = SLPBufferRealloc(*buf, AsUINT24(peek + 2));
|
||
|
|
+ recvlen = AsUINT24(peek + 2);
|
||
|
|
+ /* one byte is minimum */
|
||
|
|
+ if (recvlen <= 0)
|
||
|
|
+ recvlen = 1;
|
||
|
|
+ *buf = SLPBufferRealloc(*buf, recvlen);
|
||
|
|
if(*buf)
|
||
|
|
{
|
||
|
|
while((*buf)->curpos < (*buf)->end)
|
||
|
|
--- ./common/slp_v1message.c.orig 2005-02-15 16:52:12.613798586 +0000
|
||
|
|
+++ ./common/slp_v1message.c 2005-02-15 18:26:47.632848004 +0000
|
||
|
|
@@ -60,6 +60,11 @@
|
||
|
|
/* SLP_ERROR_PARSE_ERROR. */
|
||
|
|
/*=========================================================================*/
|
||
|
|
{
|
||
|
|
+ if (buffer->end - buffer->start < 12)
|
||
|
|
+ {
|
||
|
|
+ /* invalid length 12 bytes is the smallest v1 message*/
|
||
|
|
+ return SLP_ERROR_PARSE_ERROR;
|
||
|
|
+ }
|
||
|
|
header->version = *(buffer->curpos);
|
||
|
|
header->functionid = *(buffer->curpos + 1);
|
||
|
|
|
||
|
|
@@ -85,10 +90,8 @@
|
||
|
|
return SLP_ERROR_CHARSET_NOT_UNDERSTOOD;
|
||
|
|
}
|
||
|
|
|
||
|
|
- if(header->length != buffer->end - buffer->start ||
|
||
|
|
- header->length < 12)
|
||
|
|
+ if(header->length != buffer->end - buffer->start)
|
||
|
|
{
|
||
|
|
- /* invalid length 12 bytes is the smallest v1 message*/
|
||
|
|
return SLP_ERROR_PARSE_ERROR;
|
||
|
|
}
|
||
|
|
|
||
|
|
@@ -114,7 +117,7 @@
|
||
|
|
int result;
|
||
|
|
|
||
|
|
/* make sure that min size is met */
|
||
|
|
- if(buffer->end - buffer->curpos < 6)
|
||
|
|
+ if(buffer->end - buffer->curpos < 4)
|
||
|
|
{
|
||
|
|
return SLP_ERROR_PARSE_ERROR;
|
||
|
|
}
|
||
|
|
@@ -160,7 +163,7 @@
|
||
|
|
int result;
|
||
|
|
|
||
|
|
/* make sure that min size is met */
|
||
|
|
- if(buffer->end - buffer->curpos < 10)
|
||
|
|
+ if(buffer->end - buffer->curpos < 4)
|
||
|
|
{
|
||
|
|
return SLP_ERROR_PARSE_ERROR;
|
||
|
|
}
|
||
|
|
@@ -168,7 +171,7 @@
|
||
|
|
/* parse the prlist */
|
||
|
|
srvrqst->prlistlen = AsUINT16(buffer->curpos);
|
||
|
|
buffer->curpos = buffer->curpos + 2;
|
||
|
|
- if(srvrqst->prlistlen > buffer->end - buffer->curpos)
|
||
|
|
+ if(srvrqst->prlistlen + 2 > buffer->end - buffer->curpos)
|
||
|
|
{
|
||
|
|
return SLP_ERROR_PARSE_ERROR;
|
||
|
|
}
|
||
|
|
@@ -272,6 +275,10 @@
|
||
|
|
srvreg->srvtypelen = tmp - srvreg->srvtype;
|
||
|
|
|
||
|
|
/* parse the attribute list */
|
||
|
|
+ if(buffer->end - buffer->curpos < 2)
|
||
|
|
+ {
|
||
|
|
+ return SLP_ERROR_PARSE_ERROR;
|
||
|
|
+ }
|
||
|
|
srvreg->attrlistlen = AsUINT16(buffer->curpos);
|
||
|
|
buffer->curpos = buffer->curpos + 2;
|
||
|
|
if(srvreg->attrlistlen > buffer->end - buffer->curpos)
|
||
|
|
@@ -335,7 +342,7 @@
|
||
|
|
srvdereg->urlentry.lifetime = 0; /* not present in SLPv1 */
|
||
|
|
srvdereg->urlentry.urllen = AsUINT16(buffer->curpos);
|
||
|
|
buffer->curpos += 2;
|
||
|
|
- if(srvdereg->urlentry.urllen > buffer->end - buffer->curpos)
|
||
|
|
+ if(srvdereg->urlentry.urllen + 2 > buffer->end - buffer->curpos)
|
||
|
|
{
|
||
|
|
return SLP_ERROR_PARSE_ERROR;
|
||
|
|
}
|
||
|
|
@@ -381,7 +388,7 @@
|
||
|
|
/* parse the prlist */
|
||
|
|
attrrqst->prlistlen = AsUINT16(buffer->curpos);
|
||
|
|
buffer->curpos = buffer->curpos + 2;
|
||
|
|
- if(attrrqst->prlistlen > buffer->end - buffer->curpos)
|
||
|
|
+ if(attrrqst->prlistlen + 2 > buffer->end - buffer->curpos)
|
||
|
|
{
|
||
|
|
return SLP_ERROR_PARSE_ERROR;
|
||
|
|
}
|
||
|
|
@@ -396,7 +403,7 @@
|
||
|
|
/* parse the url */
|
||
|
|
attrrqst->urllen = AsUINT16(buffer->curpos);
|
||
|
|
buffer->curpos = buffer->curpos + 2;
|
||
|
|
- if(attrrqst->urllen > buffer->end - buffer->curpos)
|
||
|
|
+ if(attrrqst->urllen + 2 > buffer->end - buffer->curpos)
|
||
|
|
{
|
||
|
|
return SLP_ERROR_PARSE_ERROR;
|
||
|
|
}
|
||
|
|
@@ -411,7 +418,7 @@
|
||
|
|
/* parse the scope list */
|
||
|
|
attrrqst->scopelistlen = AsUINT16(buffer->curpos);
|
||
|
|
buffer->curpos = buffer->curpos + 2;
|
||
|
|
- if(attrrqst->scopelistlen > buffer->end - buffer->curpos)
|
||
|
|
+ if(attrrqst->scopelistlen + 2 > buffer->end - buffer->curpos)
|
||
|
|
{
|
||
|
|
return SLP_ERROR_PARSE_ERROR;
|
||
|
|
}
|
||
|
|
@@ -469,7 +476,7 @@
|
||
|
|
/* parse the prlist */
|
||
|
|
srvtyperqst->prlistlen = AsUINT16(buffer->curpos);
|
||
|
|
buffer->curpos += 2;
|
||
|
|
- if(srvtyperqst->prlistlen > buffer->end - buffer->curpos)
|
||
|
|
+ if(srvtyperqst->prlistlen + 2 > buffer->end - buffer->curpos)
|
||
|
|
{
|
||
|
|
return SLP_ERROR_PARSE_ERROR;
|
||
|
|
}
|
||
|
|
@@ -504,6 +511,10 @@
|
||
|
|
}
|
||
|
|
|
||
|
|
/* parse the scope list */
|
||
|
|
+ if(buffer->end - buffer->curpos < 2)
|
||
|
|
+ {
|
||
|
|
+ return SLP_ERROR_PARSE_ERROR;
|
||
|
|
+ }
|
||
|
|
srvtyperqst->scopelistlen = AsUINT16(buffer->curpos);
|
||
|
|
buffer->curpos += 2;
|
||
|
|
if(srvtyperqst->scopelistlen > buffer->end - buffer->curpos)
|
||
|
|
--- ./libslp/libslp_parse.c.orig 2005-02-15 18:39:01.505072256 +0000
|
||
|
|
+++ ./libslp/libslp_parse.c 2005-02-15 18:41:21.510075488 +0000
|
||
|
|
@@ -168,7 +168,10 @@
|
||
|
|
if((isTag) && strchr(ATTRIBUTE_BAD_TAG, *current_inbuf))
|
||
|
|
return(SLP_PARSE_ERROR);
|
||
|
|
|
||
|
|
- if(strchr(ATTRIBUTE_RESERVE_STRING, *current_inbuf))
|
||
|
|
+ if((strchr(ATTRIBUTE_RESERVE_STRING, *current_inbuf)) ||
|
||
|
|
+ ((*current_inbuf >= 0x00) && (*current_inbuf <= 0x1F)) ||
|
||
|
|
+ (*current_inbuf == 0x7F)
|
||
|
|
+ )
|
||
|
|
amount_of_escape_characters++;
|
||
|
|
|
||
|
|
current_inbuf++;
|
||
|
|
--- ./slpd/slpd_incoming.c.orig 2005-02-15 17:01:07.456383345 +0000
|
||
|
|
+++ ./slpd/slpd_incoming.c 2005-02-15 17:47:18.244888341 +0000
|
||
|
|
@@ -189,13 +189,16 @@
|
||
|
|
MSG_PEEK,
|
||
|
|
(struct sockaddr *)&(sock->peeraddr),
|
||
|
|
&peeraddrlen);
|
||
|
|
- if (bytesread > 0)
|
||
|
|
+ if (bytesread > 0 && bytesread >= (*peek == 2 ? 5 : 4))
|
||
|
|
{
|
||
|
|
|
||
|
|
if (*peek == 2)
|
||
|
|
recvlen = AsUINT24(peek + 2);
|
||
|
|
else if (*peek == 1) /* SLPv1 packet */
|
||
|
|
recvlen = AsUINT16(peek + 2);
|
||
|
|
+ /* one byte is minimum */
|
||
|
|
+ if (recvlen <= 0)
|
||
|
|
+ recvlen = 1;
|
||
|
|
/* allocate the recvbuf big enough for the whole message */
|
||
|
|
sock->recvbuf = SLPBufferRealloc(sock->recvbuf,recvlen);
|
||
|
|
if (sock->recvbuf)
|
||
|
|
@@ -249,7 +252,7 @@
|
||
|
|
}
|
||
|
|
else
|
||
|
|
{
|
||
|
|
- /* error in recv() */
|
||
|
|
+ /* error in recv() or eof */
|
||
|
|
sock->state = SOCKET_CLOSE;
|
||
|
|
}
|
||
|
|
}
|
||
|
|
--- ./slpd/slpd_outgoing.c.orig 2005-02-15 17:29:22.366303963 +0000
|
||
|
|
+++ ./slpd/slpd_outgoing.c 2005-02-15 17:46:47.727240947 +0000
|
||
|
|
@@ -190,7 +190,7 @@
|
||
|
|
void OutgoingStreamRead(SLPList* socklist, SLPDSocket* sock)
|
||
|
|
/*-------------------------------------------------------------------------*/
|
||
|
|
{
|
||
|
|
- int bytesread;
|
||
|
|
+ int bytesread, recvlen;
|
||
|
|
char peek[16];
|
||
|
|
int peeraddrlen = sizeof(struct sockaddr_in);
|
||
|
|
|
||
|
|
@@ -205,10 +205,14 @@
|
||
|
|
MSG_PEEK,
|
||
|
|
(struct sockaddr *)&(sock->peeraddr),
|
||
|
|
&peeraddrlen);
|
||
|
|
- if ( bytesread > 0 )
|
||
|
|
+ if ( bytesread >= 5 && *peek == 2 )
|
||
|
|
{
|
||
|
|
+ recvlen = AsUINT24(peek + 2);
|
||
|
|
+ /* one byte is minimum */
|
||
|
|
+ if (recvlen <= 0)
|
||
|
|
+ recvlen = 1;
|
||
|
|
/* allocate the recvbuf big enough for the whole message */
|
||
|
|
- sock->recvbuf = SLPBufferRealloc(sock->recvbuf,AsUINT24(peek+2));
|
||
|
|
+ sock->recvbuf = SLPBufferRealloc(sock->recvbuf, recvlen);
|
||
|
|
if ( sock->recvbuf )
|
||
|
|
{
|
||
|
|
sock->state = STREAM_READ;
|
||
|
|
@@ -219,7 +223,7 @@
|
||
|
|
sock->state = SOCKET_CLOSE;
|
||
|
|
}
|
||
|
|
}
|
||
|
|
- else
|
||
|
|
+ else if ( bytesread == -1 )
|
||
|
|
{
|
||
|
|
#ifdef _WIN32
|
||
|
|
if ( WSAEWOULDBLOCK != WSAGetLastError() )
|
||
|
|
@@ -232,6 +236,10 @@
|
||
|
|
OutgoingStreamReconnect(socklist,sock);
|
||
|
|
}
|
||
|
|
}
|
||
|
|
+ else
|
||
|
|
+ {
|
||
|
|
+ sock->state = SOCKET_CLOSE;
|
||
|
|
+ }
|
||
|
|
}
|
||
|
|
|
||
|
|
if ( sock->state == STREAM_READ )
|
||
|
|
--- ./slpd/slpd_v1process.c.orig 2005-02-15 17:05:42.710057099 +0000
|
||
|
|
+++ ./slpd/slpd_v1process.c 2005-02-15 17:29:06.518563216 +0000
|
||
|
|
@@ -808,11 +808,16 @@
|
||
|
|
{
|
||
|
|
/* SLPv1 messages are handled only by DAs */
|
||
|
|
errorcode = SLP_ERROR_VER_NOT_SUPPORTED;
|
||
|
|
+ return errorcode;
|
||
|
|
}
|
||
|
|
|
||
|
|
/* Parse just the message header the reset the buffer "curpos" pointer */
|
||
|
|
recvbuf->curpos = recvbuf->start;
|
||
|
|
errorcode = SLPv1MessageParseHeader(recvbuf, &header);
|
||
|
|
+ if (errorcode != 0)
|
||
|
|
+ {
|
||
|
|
+ return errorcode;
|
||
|
|
+ }
|
||
|
|
|
||
|
|
/* TRICKY: Duplicate SRVREG recvbufs *before* parsing them */
|
||
|
|
/* it because we are going to keep them in the */
|