pkgsrc/textproc/libxml/patches/patch-ad
jmmv ed6f6b18b5 Backport security fixes (in the nanohttp and the nanoftp modules) from
libxml2 (several buffer overflows).  Bump PKGREVISION to 3.
2004-11-20 22:07:49 +00:00


$NetBSD: patch-ad,v 1.3 2004/11/20 22:07:49 jmmv Exp $
--- nanoftp.c.orig 2000-07-10 12:16:39.000000000 +0200
+++ nanoftp.c
@@ -65,6 +65,8 @@ static char hostname[100];
#define FTP_GET_PASSWD 331
#define FTP_BUF_SIZE 512
+#define XML_NANO_MAX_URLBUF 4096
+
typedef struct xmlNanoFTPCtxt {
char *protocol; /* the protocol name */
char *hostname; /* the host name */
@@ -203,7 +205,7 @@ static void
xmlNanoFTPScanURL(void *ctx, const char *URL) {
xmlNanoFTPCtxtPtr ctxt = (xmlNanoFTPCtxtPtr) ctx;
const char *cur = URL;
- char buf[4096];
+ char buf[XML_NANO_MAX_URLBUF];
int index = 0;
int port = 0;
@@ -221,7 +223,7 @@ xmlNanoFTPScanURL(void *ctx, const char
}
if (URL == NULL) return;
buf[index] = 0;
- while (*cur != 0) {
+ while ((*cur != 0) && (index < XML_NANO_MAX_URLBUF - 1)) {
if ((cur[0] == ':') && (cur[1] == '/') && (cur[2] == '/')) {
buf[index] = 0;
ctxt->protocol = xmlMemStrdup(buf);
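Review bot: When the added `index < XML_NANO_MAX_URLBUF - 1` bound is what ends this loop, the URL is cut short silently: `*cur` is still non-zero, so the `if (*cur == 0) return;` visible at the top of the next hunk does not fire and parsing carries on with a truncated prefix. The same bound is added to the loops at -263, -301, -353 and -393, where a path clipped at 4095 bytes would name a different resource than the one the caller asked for. xmlNanoFTPScanURL is void, but xmlNanoFTPUpdateURL returns int and could report the condition, for example `if (*cur != 0) return(-1);` right after its path copy loop. For the void functions a comment such as `/* URLs longer than XML_NANO_MAX_URLBUF-1 are truncated */` would at least document the behaviour. The loop body continues outside this hunk.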
@@ -234,7 +236,7 @@ xmlNanoFTPScanURL(void *ctx, const char
if (*cur == 0) return;
buf[index] = 0;
- while (1) {
+ while (index < XML_NANO_MAX_URLBUF - 1) {
if (cur[0] == ':') {
buf[index] = 0;
ctxt->hostname = xmlMemStrdup(buf);
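Review bot: If the new `while (index < XML_NANO_MAX_URLBUF - 1)` condition is what ends the loop, the visible `ctxt->hostname = xmlMemStrdup(buf);` never runs, so `ctxt->hostname` appears to keep whatever value it had on entry when the host part fills the buffer. The old `while (1)` could only leave through branches inside the body, which continues outside this hunk, so this is a new exit path. A short comment at the loop, `/* leaves hostname unset when the host part does not fit in buf */`, would make that explicit. It is also worth confirming that the code which later connects checks hostname for NULL.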
@@ -263,7 +265,7 @@ xmlNanoFTPScanURL(void *ctx, const char
else {
index = 0;
buf[index] = 0;
- while (*cur != 0)
+ while ((*cur != 0) && (index < XML_NANO_MAX_URLBUF-1))
buf[index++] = *cur++;
buf[index] = 0;
ctxt->path = xmlMemStrdup(buf);
@@ -288,7 +290,7 @@ int
xmlNanoFTPUpdateURL(void *ctx, const char *URL) {
xmlNanoFTPCtxtPtr ctxt = (xmlNanoFTPCtxtPtr) ctx;
const char *cur = URL;
- char buf[4096];
+ char buf[XML_NANO_MAX_URLBUF];
int index = 0;
int port = 0;
@@ -301,7 +303,7 @@ xmlNanoFTPUpdateURL(void *ctx, const cha
if (ctxt->hostname == NULL)
return(-1);
buf[index] = 0;
- while (*cur != 0) {
+ while ((*cur != 0) && (index < XML_NANO_MAX_URLBUF-1)) {
if ((cur[0] == ':') && (cur[1] == '/') && (cur[2] == '/')) {
buf[index] = 0;
if (strcmp(ctxt->protocol, buf))
@@ -353,7 +355,7 @@ xmlNanoFTPUpdateURL(void *ctx, const cha
else {
index = 0;
buf[index] = 0;
- while (*cur != 0)
+ while ((*cur != 0) && (index < XML_NANO_MAX_URLBUF-1))
buf[index++] = *cur++;
buf[index] = 0;
ctxt->path = xmlMemStrdup(buf);
@@ -374,7 +376,7 @@ xmlNanoFTPUpdateURL(void *ctx, const cha
void
xmlNanoFTPScanProxy(const char *URL) {
const char *cur = URL;
- char buf[4096];
+ char buf[XML_NANO_MAX_URLBUF];
int index = 0;
int port = 0;
@@ -393,7 +395,7 @@ xmlNanoFTPScanProxy(const char *URL) {
#endif
if (URL == NULL) return;
buf[index] = 0;
- while (*cur != 0) {
+ while ((*cur != 0) && (index < XML_NANO_MAX_URLBUF-1)) {
if ((cur[0] == ':') && (cur[1] == '/') && (cur[2] == '/')) {
buf[index] = 0;
index = 0;
@@ -828,6 +830,11 @@ xmlNanoFTPConnect(void *ctx) {
if (hp == NULL)
return(-1);
+ if ((unsigned int) hp->h_length >
+ sizeof(((struct sockaddr_in *)&ctxt->ftpAddr)->sin_addr)) {
+ return (-1);
+ }
+
/*
* Prepare the socket
*/
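Review bot: The new `h_length` guard has no comment saying what it protects. Presumably a copy of `hp->h_length` bytes into `sin_addr` follows outside this hunk, and a line such as `/* reject resolver results larger than sin_addr before copying the address */` would keep the check from being dropped in a later cleanup. The cast to `unsigned int` also makes a negative `h_length` fail the test, which is worth stating in the same comment. Checking `hp->h_addrtype` against `AF_INET` next to the length would make the IPv4 assumption explicit. As a style point, the surrounding code writes `return(-1);` without a space, unlike the added `return (-1);`.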