INN commit: branches/2.5 (doc/pod/news.pod nnrpd/commands.c)
INN Commit
rra at isc.org
Thu May 14 13:41:42 UTC 2015
Date: Thursday, May 14, 2015 @ 06:41:41
Author: iulius
Revision: 9864
nnrpd/commands.c: paranoid checking of AUTHINFO GENERIC reply
Check the number of arguments returned by AUTHINFO GENERIC.
Thanks to Richard Kettlewell for the patch.
Modified:
branches/2.5/doc/pod/news.pod
branches/2.5/nnrpd/commands.c
------------------+
doc/pod/news.pod | 3 ++-
nnrpd/commands.c | 22 ++++++++++++++++++----
2 files changed, 20 insertions(+), 5 deletions(-)
Modified: doc/pod/news.pod
===================================================================
--- doc/pod/news.pod 2015-05-14 13:39:24 UTC (rev 9863)
+++ doc/pod/news.pod 2015-05-14 13:41:41 UTC (rev 9864)
@@ -79,7 +79,8 @@
Fixed the use of the legacy AUTHINFO GENERIC command, that has been
broken since S<INN 2.4.0> (therefore proving readers probably no longer
use that method to authenticate). Thanks to Richard Kettlewell for
-having noticed, though.
+having noticed, though, and contributed to tighten the security of the
+replies of this command.
=item *
Modified: nnrpd/commands.c
===================================================================
--- nnrpd/commands.c 2015-05-14 13:39:24 UTC (rev 9863)
+++ nnrpd/commands.c 2015-05-14 13:41:41 UTC (rev 9864)
@@ -96,6 +96,7 @@
PERMgeneric(char *av[], char *accesslist, size_t size)
{
char path[BIG_BUFFER], *fields[6], *p;
+ size_t j;
int i, pan[2], status;
pid_t pid;
struct stat stb;
@@ -213,12 +214,25 @@
//syslog(L_NOTICE, "%s (%ld) returned: %d %s %d\n", av[0], (long) pid, i, path, status);
/* Split "host:permissions:user:pass:groups" into fields. */
- for (fields[0] = path, i = 0, p = path; *p; p++)
- if (*p == ':') {
- *p = '\0';
- fields[++i] = p + 1;
+ for (fields[0] = path, j = 0, p = path; *p; p++)
+ if (*p == ':') {
+ *p = '\0';
+ ++j;
+ if (j < ARRAY_SIZE(fields)) {
+ fields[j] = p + 1;
+ } else {
+ Reply("%d Program error occurred\r\n", NNTP_FAIL_ACTION);
+ syslog(L_FATAL, "over-long response from %s", av[0]);
+ return -1;
+ }
}
+ if (j < 4) {
+ Reply("%d Program error occurred\r\n", NNTP_FAIL_ACTION);
+ syslog(L_FATAL, "short response from %s", av[0]);
+ return -1;
+ }
+
PERMcanread = strchr(fields[1], 'R') != NULL;
PERMcanpost = strchr(fields[1], 'P') != NULL;
PERMaccessconf->allowapproved = strchr(fields[1], 'A') != NULL;
More information about the inn-committers
mailing list