INN commit: trunk (5 files)

INN Commit Russ_Allbery at isc.org
Wed Aug 27 20:00:55 UTC 2008


    Date: Wednesday, August 27, 2008 @ 13:00:54
  Author: iulius
Revision: 7978

The length of arguments is now checked:  they must not exceed 497 octets.
Fix the return code when the line is too long:  500 must be returned
when there is no valid command (and not 501).

Modified:
  trunk/include/inn/nntp.h
  trunk/nnrpd/line.c
  trunk/nnrpd/nnrpd.c
  trunk/nnrpd/post.c
  trunk/nnrpd/sasl.c

--------------------+
 include/inn/nntp.h |   10 +++++-----
 nnrpd/line.c       |    4 ++--
 nnrpd/nnrpd.c      |   38 ++++++++++++++++++++++++++++++++------
 nnrpd/post.c       |    6 +++---
 nnrpd/sasl.c       |    4 ++--
 5 files changed, 44 insertions(+), 18 deletions(-)

Modified: include/inn/nntp.h
===================================================================
--- include/inn/nntp.h	2008-08-26 20:50:41 UTC (rev 7977)
+++ include/inn/nntp.h	2008-08-27 20:00:54 UTC (rev 7978)
@@ -120,15 +120,15 @@
 };
 
 
-/* Per draft-ietf-nntpext-base-17.txt:
+/*     Command lines MUST NOT exceed 512 octets, which includes the
+       terminating  CRLF pair.  The arguments MUST NOT exceed 497
+       octets.  A server MAY relax these limits for commands defined
+       in an extension.
 
-       Command lines MUST NOT exceed 512 octets, which includes the
-       terminating US-ASCII CRLF pair.  The arguments MUST NOT exceed 497
-       octets.
-
    Also see below for an additional restriction on message IDs. */
 
 #define NNTP_MAXLEN_COMMAND     512
+#define NNTP_MAXLEN_ARG         497
 
 /* Consensus on the USEFOR mailing list in June of 2000 indicates that the
    next revision of the Usenet article standard will limit the length of the
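Review bot: The rewritten comment above `NNTP_MAXLEN_COMMAND` now quotes normative wording with no source, because the `Per draft-ietf-nntpext-base-17.txt:` line was dropped rather than replaced. I would open the comment with the current reference, for example `/* Per RFC 3977 (section 3.1):`, assuming that is where the new wording was taken from. The new `NNTP_MAXLEN_ARG` should also get a one-line comment such as `/* Maximum length of the arguments of a command line, per the text above. */`. The quoted sentence reads as a limit on the arguments taken together, and callers need to know which length to compare against it.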

Modified: nnrpd/line.c
===================================================================
--- nnrpd/line.c	2008-08-26 20:50:41 UTC (rev 7977)
+++ nnrpd/line.c	2008-08-27 20:00:54 UTC (rev 7978)
@@ -61,7 +61,7 @@
 line_init(struct line *line)
 {
     assert(line);
-    line->allocated = NNTP_STRLEN;
+    line->allocated = NNTP_MAXLEN_COMMAND;
     line->where = line->start = xmalloc(line->allocated);
     line->remaining = 0;
 }
@@ -164,7 +164,7 @@
 	    
 		/* don't grow the buffer bigger than the maximum
 		 * article size we'll accept */
-                if (PERMaccessconf->localmaxartsize > NNTP_STRLEN)
+                if (PERMaccessconf->localmaxartsize > NNTP_MAXLEN_COMMAND)
                     if (newsize > (unsigned)PERMaccessconf->localmaxartsize)
                         newsize = PERMaccessconf->localmaxartsize;
 

Modified: nnrpd/nnrpd.c
===================================================================
--- nnrpd/nnrpd.c	2008-08-26 20:50:41 UTC (rev 7977)
+++ nnrpd/nnrpd.c	2008-08-27 20:00:54 UTC (rev 7978)
@@ -229,7 +229,7 @@
 	sasl_dispose(&sasl_conn);
 	sasl_conn = NULL;
 	sasl_ssf = 0;
-	sasl_maxout = NNTP_STRLEN;
+	sasl_maxout = NNTP_MAXLEN_COMMAND;
     }
 #endif /* HAVE_SASL */
 
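Review bot: `sasl_maxout` is a SASL output-buffer size, not a command line, so `NNTP_MAXLEN_COMMAND` reads oddly as its reset value here. The same applies to `secprops.maxbufsize` further down this file, to the initialiser and clamp in nnrpd/sasl.c, and to the `buff` and `CANTSPOOL` buffers in nnrpd/post.c. The definition of `NNTP_STRLEN` is not visible in this diff, so confirm that it was also 512; otherwise these buffers and limits change size silently. At minimum I would add a comment at each such use, e.g. `/* Reuses the command-line limit as a default buffer size; not an NNTP requirement. */`. The enclosing function starts outside the hunk.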
@@ -684,11 +684,12 @@
 {
     const char *name;
     CMDENT		*cp;
-    char		buff[NNTP_STRLEN];
+    char		buff[NNTP_MAXLEN_COMMAND];
     char		**av;
     int			ac;
     READTYPE		r;
     int			i;
+    char                **v;
     char		*Reject;
     int			timeout;
     unsigned int	vid=0; 
@@ -703,6 +704,7 @@
     int			clienttimeout;
     char		*ConfFile = NULL;
     char                *path;
+    bool                validcommandtoolong;
 
     int respawn = 0;
 
@@ -1046,7 +1048,7 @@
 	memset(&secprops, 0, sizeof(secprops));
 	secprops.security_flags = SASL_SEC_NOPLAINTEXT;
 	secprops.max_ssf = 256;
-	secprops.maxbufsize = NNTP_STRLEN;
+	secprops.maxbufsize = NNTP_MAXLEN_COMMAND;
 	sasl_setprop(sasl_conn, SASL_SEC_PROPS, &secprops);
     }
 #endif /* HAVE_SASL */
@@ -1117,7 +1119,16 @@
 		}
 		/* FALLTHROUGH */		
 	    case RTlong:
-		Reply("%d Line too long\r\n", NNTP_ERR_COMMAND);
+                /* The line is too long but we have to make sure that
+                 * no recognized command has been sent. */
+                validcommandtoolong = false;
+                for (cp = CMDtable; cp->Name; cp++)
+                    if (strncasecmp(cp->Name, p, strlen(cp->Name)) == 0) {
+                        validcommandtoolong = true;
+                        break;
+                    }
+                Reply("%d Line too long\r\n",
+                      validcommandtoolong ? NNTP_ERR_SYNTAX : NNTP_ERR_COMMAND);
 		continue;
 	    case RTeof:
 		/* Handled below. */
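Review bot: The `strncasecmp(cp->Name, p, strlen(cp->Name))` test in the new `RTlong` branch matches on a prefix only, so an over-long line whose first word merely begins with a known keyword is answered with `NNTP_ERR_SYNTAX` instead of `NNTP_ERR_COMMAND`. The match should also require a keyword boundary, e.g. `size_t n = strlen(cp->Name);` followed by `if (strncasecmp(cp->Name, p, n) == 0 && (p[n] == ' ' || p[n] == '\t' || p[n] == '\0')) {`. `p` is assigned outside this hunk, so confirm that it is non-NULL and points at the start of the over-long line both on the `RTlong` return and on the fall-through from the case above. The multi-line `for` body would also be safer with braces around it.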
@@ -1134,6 +1145,8 @@
 	for (cp = CMDtable; cp->Name; cp++)
 	    if (strcasecmp(cp->Name, av[0]) == 0)
 		break;
+
+        /* If no command has been recognized. */
 	if (cp->Name == NULL) {
 	    if ((int)strlen(buff) > 40)
 		syslog(L_NOTICE, "%s unrecognized %.40s...", Client.host, buff);
@@ -1143,6 +1156,19 @@
 	    continue;
 	}
 
+        /* Check whether all arguments do not exceed their allowed size. */
+        if (ac > 1) {
+            validcommandtoolong = false;
+            for (v = av; *v; v++)
+                if (strlen(*v) > NNTP_MAXLEN_ARG) {
+                    validcommandtoolong = true;
+                    Reply("%d Argument too long\r\n", NNTP_ERR_SYNTAX);
+                    break;
+                }
+            if (validcommandtoolong)
+                continue;
+        }
+
         /* 502 if already successfully authenticated, according to RFC 4643. */
         if (!PERMcanauthenticate && (strcasecmp(cp->Name, "authinfo") == 0)) {
             Reply("%d %s\r\n", NNTP_ERR_ACCESS, "Already authenticated");
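Review bot: The new loop `for (v = av; *v; v++)` starts at `av[0]`, the command keyword, although the `ac > 1` guard and the comment say only arguments are checked; `for (v = av + 1; *v; v++)` matches the stated intent. It also compares each argument separately with `NNTP_MAXLEN_ARG`, whereas the text quoted in include/inn/nntp.h limits "the arguments" to 497 octets, which reads as the combined argument portion of the line. Several shorter arguments can therefore exceed that total and still pass. If per-argument checking is deliberate, a comment such as `/* Each argument is checked on its own; the line-length limit bounds the total. */` would record that. The check also runs for every entry in `CMDtable`, so any extension command that legitimately needs the relaxed limits the quoted text allows would be rejected here; the enclosing loop starts outside the hunk.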
@@ -1165,9 +1191,9 @@
 	}
 	setproctitle("%s %s", Client.host, av[0]);
 
-    (*cp->Function)(ac, av);
+        (*cp->Function)(ac, av);
 
-    if (PushedBack)
+        if (PushedBack)
 	    break;
 	if (PERMaccessconf)
 	    clienttimeout = PERMaccessconf->clienttimeout;

Modified: nnrpd/post.c
===================================================================
--- nnrpd/post.c	2008-08-26 20:50:41 UTC (rev 7977)
+++ nnrpd/post.c	2008-08-27 20:00:54 UTC (rev 7978)
@@ -760,7 +760,7 @@
 static void
 SendQuit(FILE *FromServer, FILE *ToServer)
 {
-    char	buff[NNTP_STRLEN];
+    char	buff[NNTP_MAXLEN_COMMAND];
 
     fprintf(ToServer, "quit\r\n");
     fflush(ToServer);
@@ -794,7 +794,7 @@
 static const char *
 SpoolitTo(char *article, char *err, char *SpoolDir)
 {
-    static char	CANTSPOOL[NNTP_STRLEN+2];
+    static char	CANTSPOOL[NNTP_MAXLEN_COMMAND+2];
     HEADER *hp;
     FILE *F = NULL;
     int	i, fd;
@@ -933,7 +933,7 @@
     HEADER	*hp;
     FILE	*ToServer;
     FILE	*FromServer;
-    char	buff[NNTP_STRLEN + 2], frombuf[SMBUF];
+    char	buff[NNTP_MAXLEN_COMMAND + 2], frombuf[SMBUF];
     char	*modgroup = NULL;
     const char	*error;
     char	*TrackID;

Modified: nnrpd/sasl.c
===================================================================
--- nnrpd/sasl.c	2008-08-26 20:50:41 UTC (rev 7977)
+++ nnrpd/sasl.c	2008-08-27 20:00:54 UTC (rev 7978)
@@ -14,7 +14,7 @@
 
 #include <sasl/sasl.h>
 sasl_conn_t *sasl_conn = NULL;
-int sasl_ssf = 0, sasl_maxout = NNTP_STRLEN;
+int sasl_ssf = 0, sasl_maxout = NNTP_MAXLEN_COMMAND;
 
 sasl_callback_t sasl_callbacks[] = {
     /* XXX do we want a proxy callback? */
@@ -160,7 +160,7 @@
 	/* save info about the negotiated security layer for I/O functions */
 	sasl_ssf = *ssfp;
 	sasl_maxout =
-	    (*maxoutp == 0 || *maxoutp > NNTP_STRLEN) ? NNTP_STRLEN : *maxoutp;
+	    (*maxoutp == 0 || *maxoutp > NNTP_MAXLEN_COMMAND) ? NNTP_MAXLEN_COMMAND : *maxoutp;
     }
     else {
 	/* failure */


