INN commit: trunk/nnrpd (commands.c)

INN Commit rra at isc.org
Sun May 3 15:25:53 UTC 2015


    Date: Sunday, May 3, 2015 @ 08:25:53
  Author: iulius
Revision: 9850

nnrpd/commands.c:  paranoid checking of AUTHINFO GENERIC reply

Check the number of arguments returned by AUTHINFO GENERIC.

Thanks to Richard Kettlewell for the patch.

Modified:
  trunk/nnrpd/commands.c

------------+
 commands.c |   22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

Modified: commands.c
===================================================================
--- commands.c	2015-05-03 15:11:05 UTC (rev 9849)
+++ commands.c	2015-05-03 15:25:53 UTC (rev 9850)
@@ -97,6 +97,7 @@
 PERMgeneric(char *av[], char *accesslist, size_t size)
 {
     char path[BIG_BUFFER], *fields[6], *p;
+    size_t j;
     int i, pan[2], status;
     pid_t pid;
     struct stat stb;
@@ -214,12 +215,25 @@
 
     //syslog(L_NOTICE, "%s (%ld) returned: %d %s %d\n", av[0], (long) pid, i, path, status);
     /* Split "host:permissions:user:pass:groups" into fields. */
-    for (fields[0] = path, i = 0, p = path; *p; p++)
-	if (*p == ':') {
-	    *p = '\0';
-	    fields[++i] = p + 1;
+    for (fields[0] = path, j = 0, p = path; *p; p++)
+        if (*p == ':') {
+            *p = '\0';
+            ++j;
+            if (j < ARRAY_SIZE(fields)) {
+                fields[j] = p + 1;
+            } else {
+                Reply("%d Program error occurred\r\n", NNTP_FAIL_ACTION);
+                syslog(L_FATAL, "over-long response from %s", av[0]);
+                return -1;
+            }
 	}
 
+    if (j < 4) {
+        Reply("%d Program error occurred\r\n", NNTP_FAIL_ACTION);
+        syslog(L_FATAL, "short response from %s", av[0]);
+        return -1;
+    }
+
     PERMcanread = strchr(fields[1], 'R') != NULL;
     PERMcanpost = strchr(fields[1], 'P') != NULL;
     PERMaccessconf->allowapproved = strchr(fields[1], 'A') != NULL;
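Review bot: The lower bound `if (j < 4)` is a bare number that has to stay in step with the highest `fields[]` index read after this check, and nothing in the hunk ties the two together. With `fields[6]` the loop accepts either four or five colons, while the comment above it lists five fields, so a sixth field from the external program is accepted and, as far as the hunk shows, ignored; if that is intended it deserves a word. I would add a comment above the check such as `/* Need host:permissions:user:pass:groups, i.e. at least four separators, before fields[1..4] are read. */`, or give the 4 a name. The closing brace of the `if (*p == ':')` block is also still tab-indented while the new lines use spaces. PERMgeneric's body starts and ends outside the hunk, so the later reads of fields[2..4] are assumed here rather than seen.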


