INN commit: branches/2.4 (innd/cc.c lib/inndcomm.c)

INN Commit Russ_Allbery at isc.org
Tue Jan 16 23:11:06 UTC 2007


    Date: Tuesday, January 16, 2007 @ 15:11:05
  Author: eagle
Revision: 7597

Fix incomplete checking of packet sizes in the ctlinnd interface in the
no-Unix-domain-sockets case.  This is a potential buffer overflow in 
dead code since basically all systems INN builds on support Unix domain
sockets these days, but let's not have that code sitting around anyway.

Also track the buffer size more correctly in the client side of this
interface for the Unix domain socket case (we were thinking it was 
smaller than it actually was).

Thanks to zybadawg333 at hushmail.com for the report.

Modified:
  branches/2.4/innd/cc.c
  branches/2.4/lib/inndcomm.c

----------------+
 innd/cc.c      |    2 +-
 lib/inndcomm.c |    5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

Modified: innd/cc.c
===================================================================
--- innd/cc.c	2007-01-16 23:10:53 UTC (rev 7596)
+++ innd/cc.c	2007-01-16 23:11:05 UTC (rev 7597)
@@ -1801,7 +1801,7 @@
     memcpy (&protocol,buff,sizeof (protocol)) ;
     memcpy (&bufflen,buff + sizeof (protocol),sizeof (bufflen)) ;
     bufflen = ntohs (bufflen);
-    if (bufflen < HEADER_SIZE) {
+    if (bufflen < HEADER_SIZE || bufflen > BIG_BUFFER) {
 	syslog(L_ERROR, "%s cant read CCreader bad length", LogName);
 	return;
     }
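Review bot: the new upper bound `bufflen > BIG_BUFFER` is a compile-time constant rather than the size of the buffer the packet body is actually read into, so the check stays correct only as long as that buffer is allocated with exactly BIG_BUFFER bytes; consider comparing against `sizeof(buff)` (or the variable that records the allocation size) so a later resize of the receive buffer cannot silently reopen the overflow. It would also help to note in a comment that `bufflen` includes HEADER_SIZE, since the lower bound `bufflen < HEADER_SIZE` only makes sense under that convention.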

Modified: lib/inndcomm.c
===================================================================
--- lib/inndcomm.c	2007-01-16 23:10:53 UTC (rev 7596)
+++ lib/inndcomm.c	2007-01-16 23:11:05 UTC (rev 7597)
@@ -256,6 +256,7 @@
 
     /* now stick in the protocol version and the length. */
     buff -= HEADER_SIZE;
+    bufsiz += HEADER_SIZE;
     protocol = ICC_PROTOCOL_1;
     memcpy(buff, &protocol, sizeof(protocol));
     memcpy(buff + sizeof(protocol), &rlen, sizeof(rlen));
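Review bot: the comment above this block ("now stick in the protocol version and the length") no longer describes everything the block does; since `bufsiz += HEADER_SIZE;` changes the meaning of `bufsiz` for the rest of the function (it now counts the header bytes that `buff -= HEADER_SIZE;` moved back over), extend the comment to say so, e.g. "rewind buff over the header and grow bufsiz to match, so bufsiz again equals the bytes available at buff". Otherwise the next reader has to work out why the two lines must stay paired.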
@@ -370,6 +371,10 @@
     memcpy(&protocol, buff, sizeof(protocol));
     memcpy(&rlen, buff + sizeof(protocol), sizeof(rlen));
     rlen = ntohs(rlen) - HEADER_SIZE;
+    if (rlen > bufsiz) {
+        ICCfailure = "bad length";
+        return -1;
+    }
     
     i = RECVorREAD(ICCfd, buff, rlen);
     if (i != rlen) {
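Review bot: the new `rlen > bufsiz` check runs after `rlen = ntohs(rlen) - HEADER_SIZE;`, so a length field smaller than HEADER_SIZE is never rejected directly: if `rlen` is unsigned the subtraction wraps and the `rlen > bufsiz` test happens to catch it, but if it is signed the result goes negative, the comparison depends on the types involved, and a negative count passed to `RECVorREAD` may be converted to a very large size. Suggest mirroring the server-side check in innd/cc.c and testing the raw value first, e.g. `rlen = ntohs(rlen); if (rlen < HEADER_SIZE || rlen - HEADER_SIZE > bufsiz) { ICCfailure = "bad length"; return -1; }` before subtracting.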
