INN commit: branches/2.5 (doc/pod/news.pod nnrpd/commands.c)

Thu May 14 13:41:42 UTC 2015

Date: Thursday, May 14, 2015 @ 06:41:41
  Author: iulius
Revision: 9864

nnrpd/commands.c:  paranoid checking of AUTHINFO GENERIC reply

Check the number of arguments returned by AUTHINFO GENERIC.

Thanks to Richard Kettlewell for the patch.

Modified:
  branches/2.5/doc/pod/news.pod
  branches/2.5/nnrpd/commands.c

------------------+
 doc/pod/news.pod |    3 ++-
 nnrpd/commands.c |   22 ++++++++++++++++++----
 2 files changed, 20 insertions(+), 5 deletions(-)

Modified: doc/pod/news.pod
===================================================================

--- doc/pod/news.pod	2015-05-14 13:39:24 UTC (rev 9863)
+++ doc/pod/news.pod	2015-05-14 13:41:41 UTC (rev 9864)
@@ -79,7 +79,8 @@
 Fixed the use of the legacy AUTHINFO GENERIC command, that has been
 broken since S<INN 2.4.0> (therefore proving readers probably no longer
 use that method to authenticate).  Thanks to Richard Kettlewell for
-having noticed, though.
+having noticed, though, and contributed to tighten the security of the
+replies of this command.
 
 =item *
 

Modified: nnrpd/commands.c
===================================================================
--- nnrpd/commands.c	2015-05-14 13:39:24 UTC (rev 9863)
+++ nnrpd/commands.c	2015-05-14 13:41:41 UTC (rev 9864)
@@ -96,6 +96,7 @@
 PERMgeneric(char *av[], char *accesslist, size_t size)
 {
     char path[BIG_BUFFER], *fields[6], *p;
+    size_t j;
     int i, pan[2], status;
     pid_t pid;
     struct stat stb;
@@ -213,12 +214,25 @@
 
     //syslog(L_NOTICE, "%s (%ld) returned: %d %s %d\n", av[0], (long) pid, i, path, status);
     /* Split "host:permissions:user:pass:groups" into fields. */
-    for (fields[0] = path, i = 0, p = path; *p; p++)
-	if (*p == ':') {
-	    *p = '\0';
-	    fields[++i] = p + 1;
+    for (fields[0] = path, j = 0, p = path; *p; p++)
+        if (*p == ':') {
+            *p = '\0';
+            ++j;
+            if (j < ARRAY_SIZE(fields)) {
+                fields[j] = p + 1;
+            } else {
+                Reply("%d Program error occurred\r\n", NNTP_FAIL_ACTION);
+                syslog(L_FATAL, "over-long response from %s", av[0]);
+                return -1;
+            }
 	}
 
+    if (j < 4) {
+        Reply("%d Program error occurred\r\n", NNTP_FAIL_ACTION);
+        syslog(L_FATAL, "short response from %s", av[0]);
+        return -1;
+    }
+
     PERMcanread = strchr(fields[1], 'R') != NULL;
     PERMcanpost = strchr(fields[1], 'P') != NULL;
     PERMaccessconf->allowapproved = strchr(fields[1], 'A') != NULL;

