Fix for CVE-2006-5815
Index: support.c
===================================================================
RCS file: /cvsroot/proftp/proftpd/src/support.c,v
retrieving revision 1.79
retrieving revision 1.80
diff -u -u -r1.79 -r1.80
--- support.c 1 Nov 2006 03:11:04 -0000 1.79
+++ support.c 27 Nov 2006 14:49:47 -0000 1.80
@@ -27,7 +27,7 @@
/* Various basic support routines for ProFTPD, used by all modules
* and not specific to one or another.
*
- * $Id: support.c,v 1.79 2006/11/01 03:11:04 castaglia Exp $
+ * $Id: support.c,v 1.80 2006/11/27 14:49:47 jwm Exp $
*/
#include "conf.h"
@@ -632,7 +632,8 @@
char **mptr,**rptr;
char *marr[33],*rarr[33];
char buf[PR_TUNABLE_PATH_MAX] = {'\0'}, *pbuf = NULL;
- size_t mlen = 0, rlen = 0, blen;
+ size_t mlen = 0, rlen = 0;
+ int blen;
int dyn = TRUE;
cp = buf;
@@ -646,7 +647,7 @@
while ((m = va_arg(args, char *)) != NULL && mlen < sizeof(marr)-1) {
char *tmp = NULL;
- size_t count = 0;
+ int count = 0;
if ((r = va_arg(args, char *)) == NULL)
break;
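Review bot: The loop bound `mlen < sizeof(marr)-1` on the unchanged `while` line compares against the array's size in bytes rather than its 33 elements, so with 8-byte pointers it would let `mlen` run well past 32 and the later `marr[mlen]` / `rarr[mlen++]` stores could write beyond both arrays. This commit leaves that line as it was; bounding by element count would read `mlen < (sizeof(marr) / sizeof(marr[0])) - 1`. It only matters if a caller passes more than 32 match/replace pairs, which cannot be judged from this hunk, and the loop body continues outside it.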
@@ -659,6 +660,12 @@
while (tmp) {
pr_signals_handle();
count++;
+ if (count < 0) {
+ /* Integer overflow. In order to overflow integer range with a count
+ * of escapes, somebody must be doing something very strange.
+ */
+ return s;
+ }
/* Be sure to increment the pointer returned by strstr(3), to
* advance past the beginning of the substring for which we are
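Review bot: The added `if (count < 0)` test runs after `count++`, so it detects overflow only by relying on signed wraparound, which is undefined behaviour in C; because `count` starts at 0 and is only ever incremented, an optimising compiler may remove the check entirely. Testing before the increment avoids this: `if (count == INT_MAX) return s;` followed by `count++;` (assuming `<limits.h>` is reachable through `conf.h`). The early `return s` also hands back the unmodified input silently, so a `pr_log_pri(PR_LOG_ERR, ...)` line there would leave a trace for whoever investigates later. The enclosing `while (tmp)` loop starts and ends outside this hunk.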
@@ -674,6 +681,12 @@
*/
if (count) {
blen += count * (strlen(r) - strlen(m));
+ if (blen < 0) {
+ /* Integer overflow. In order to overflow this, somebody must be
+ * doing something very strange.
+ */
+ return s;
+ }
marr[mlen] = m;
rarr[mlen++] = r;
}
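Review bot: The `blen < 0` test does not catch every overflow of `blen += count * (strlen(r) - strlen(m))`. The product is evaluated in `size_t` because `strlen()` returns an unsigned type, and the sum is then narrowed back to `int`, so a wrapped result can land on a small positive value and pass the check with an undersized length. Validating before the arithmetic is more reliable: compute the per-match delta in a wider signed type and return `s` when the new total would leave the range 1..`INT_MAX`. At minimum, `if (blen <= 0)` would also reject a zero length, which the later `pbuf + blen - 1` clamp appears to assume cannot occur. The initial value of `blen` is set outside this hunk, so the reachable range should be confirmed against the full function.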
@@ -722,10 +735,11 @@
}
if (!*mptr) {
- if ((cp - pbuf + 1) > blen) {
+ if ((cp - pbuf + 1) >= blen) {
pr_log_pri(PR_LOG_ERR,
"WARNING: attempt to overflow internal ProFTPD buffers");
cp = pbuf + blen - 1;
+ goto done;
}
*cp++ = *src++;
}
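Review bot: After the clamp `cp = pbuf + blen - 1`, the new `goto done` jumps to a label outside this hunk, so it is worth confirming that the code at `done` writes the terminating NUL at `cp` rather than depending on the buffer having been zero-filled. The caller also appears to receive a truncated string with no signal other than the log line, which matters if the result is later used as a path. A comment above the check, such as `/* Output would reach blen: stop copying and return what fits. */`, would record that the truncation is deliberate.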