Hello community, here is the log from the commit of package openslp for openSUSE:Factory checked in at 2016-09-17 14:36:50 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/openslp (Old) and /work/SRC/openSUSE:Factory/.openslp.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openslp" Changes: -------- --- /work/SRC/openSUSE:Factory/openslp/openslp.changes 2015-03-23 12:14:25.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.openslp.new/openslp.changes 2016-09-17 14:36:51.000000000 +0200 @@ -1,0 +2,17 @@ +Mon Sep 12 14:23:15 CEST 2016 - [email protected] + +- remove convenience code as changes bytes in the message + buffer breaking the verification code [bnc#994989] + new patch: openslp.noconvenience.diff +- fix storage handling in predicate code, it clashed with gcc's + fortify_source extension [bnc#909195] + new patch: openslp.predicatestorage.diff +- bring back allowDoubleEqualInPredicate option + new patch: openslp.doubleequal.diff +- fix bug in openslp.initda.diff patch +- fix rcopenslp helper +- fix _xrealloc not checking the malloc return value + [bnc#980722] [CVE-2016-4912] + new patch: openslp.xrealloc.diff + +------------------------------------------------------------------- New: ---- openslp.doubleequal.diff openslp.noconvenience.diff openslp.predicatestorage.diff openslp.xrealloc.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openslp.spec ++++++ --- /var/tmp/diff_new_pack.LWW0j7/_old 2016-09-17 14:36:53.000000000 +0200 +++ /var/tmp/diff_new_pack.LWW0j7/_new 2016-09-17 14:36:53.000000000 +0200 @@ -1,7 +1,7 @@ # # spec file for package openslp # -# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -57,6 +57,10 @@ Patch10: openslp.tcplocal.diff Patch11: openslp.localtime.diff Patch12: openslp.sd_notify.diff +Patch13: openslp.predicatestorage.diff +Patch14: openslp.doubleequal.diff +Patch15: openslp.noconvenience.diff +Patch16: openslp.xrealloc.diff %description Service Location Protocol is an IETF standards track protocol that @@ -121,6 +125,11 @@ %if 0%{?has_systemd} %patch12 %endif +%patch13 +%patch14 +%patch15 +%patch16 + %build autoreconf -fiv %configure --disable-static --with-pic --enable-slpv1 \ @@ -148,7 +157,11 @@ ${RPM_BUILD_ROOT}%_defaultdocdir/%name %if 0%{?has_systemd} ln -s %{_sbindir}/service ${RPM_BUILD_ROOT}/usr/sbin/rcslpd -ln -s %{_sbindir}/service ${RPM_BUILD_ROOT}/usr/sbin/rcopenslp +cat > ${RPM_BUILD_ROOT}/usr/sbin/rcopenslp <<'EOF' +#!/bin/sh +exec /usr/sbin/rcslpd "$@" +EOF +chmod 755 ${RPM_BUILD_ROOT}/usr/sbin/rcopenslp %else mkdir -p ${RPM_BUILD_ROOT}/etc/init.d/ install -m 755 %{SOURCE1} ${RPM_BUILD_ROOT}/etc/init.d/slpd ++++++ openslp.doubleequal.diff ++++++ --- ./slpd/slpd_predicate.c.orig 2014-12-15 14:11:36.181812237 +0000 +++ ./slpd/slpd_predicate.c 2014-12-15 14:20:00.441759165 +0000 @@ -66,6 +66,7 @@ #include "slp_xmalloc.h" #include "slpd_predicate.h" +#include "slpd_property.h" /* Parse character definitions. */ #define BRACKET_OPEN '(' @@ -1633,6 +1634,11 @@ SLPDPredicateParseResult createPredicate op = EQUAL; } + if (op == EQUAL && G_SlpdProperty.allowDoubleEqualInPredicate && operator[1] == '=') + { + val_start++; + } + /***** Get operands. *****/ /**** Left. ****/ lhs_len = operator - cur; --- ./slpd/slpd_property.c.orig 2014-12-15 14:09:49.294246247 +0000 +++ ./slpd/slpd_property.c 2014-12-15 14:11:21.587871548 +0000 
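Review bot: The new condition `operator[1] == '='` reads the byte after the operator without checking that it lies inside the span being parsed; if createPredicate can be handed a span whose last character is the `=`, this is a one-byte read past the operand text. Guarding with the span's end pointer first, e.g. `op == EQUAL && G_SlpdProperty.allowDoubleEqualInPredicate && operator + 1 < <end-of-span> && operator[1] == '='`, makes the read safe regardless of how the caller slices the predicate. A short comment such as `/* optional "==" form: skip the second '=' so it is not taken as the first byte of the value */` would also explain why val_start is advanced here. createPredicate begins outside the hunk, so the name of its end pointer is not visible.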
@@ -250,6 +250,7 @@ void SLPDPropertyReinit(void) G_SlpdProperty.myHostnameLen = strlen(G_SlpdProperty.myHostname); G_SlpdProperty.hardMTU = SLPPropertyAsBoolean("net.slp.hardMTU"); + G_SlpdProperty.allowDoubleEqualInPredicate = SLPPropertyAsBoolean("net.slp.allowDoubleEqualInPredicate"); G_SlpdProperty.DASyncReg = SLPPropertyAsBoolean("net.slp.DASyncReg"); G_SlpdProperty.isDABackup = SLPPropertyAsBoolean("net.slp.isDABackup"); --- ./slpd/slpd_property.h.orig 2014-12-15 14:09:43.647269171 +0000 +++ ./slpd/slpd_property.h 2014-12-15 14:10:24.932101603 +0000 @@ -118,6 +118,7 @@ typedef struct _SLPDProperty int useDHCP; int oversizedUDP; int hardMTU; + int allowDoubleEqualInPredicate; int DASyncReg; int isDABackup; ++++++ openslp.initda.diff ++++++ --- /var/tmp/diff_new_pack.LWW0j7/_old 2016-09-17 14:36:53.000000000 +0200 +++ /var/tmp/diff_new_pack.LWW0j7/_new 2016-09-17 14:36:53.000000000 +0200 @@ -1,5 +1,5 @@ ---- ./common/slp_message.h.orig 2014-02-19 18:05:26.154934647 +0000 -+++ ./common/slp_message.h 2014-02-19 18:05:31.755934637 +0000 +--- ./common/slp_message.h.orig 2016-09-13 10:56:06.324486007 +0000 ++++ ./common/slp_message.h 2016-09-13 10:56:14.214459554 +0000 @@ -126,6 +126,7 @@ #define SLP_REG_SOURCE_REMOTE 1 /* from a remote host */ #define SLP_REG_SOURCE_LOCAL 2 /* from localhost or IPC */ @@ -8,8 +8,8 @@ #define SLP_REG_WATCH_TCP (1<<0) #define SLP_REG_WATCH_UDP (1<<1) ---- ./common/slp_property.c.orig 2014-02-19 18:05:26.154934647 +0000 -+++ ./common/slp_property.c 2014-02-19 18:05:31.755934637 +0000 +--- ./common/slp_property.c.orig 2016-09-13 10:56:06.324486007 +0000 ++++ ./common/slp_property.c 2016-09-13 10:56:14.215459551 +0000 @@ -176,6 +176,11 @@ static int SetDefaultValues(void) /* Additional properties that are specific to IPv6 */ {"net.slp.useIPv6", "false", 0}, 
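Review bot: `G_SlpdProperty.allowDoubleEqualInPredicate = SLPPropertyAsBoolean("net.slp.allowDoubleEqualInPredicate");` reads a property for which this patch registers no default and documents no slp.conf entry, whereas the initda patch on this same page adds its new keys to SetDefaultValues in slp_property.c. What SLPPropertyAsBoolean returns for an unregistered key is not visible here, so the effective default should be pinned explicitly with `{"net.slp.allowDoubleEqualInPredicate", "false", 0},` in the defaults table and a commented `;net.slp.allowDoubleEqualInPredicate = false` line in slp.conf. A one-line comment at the struct field in slpd_property.h, `/* accept "a==b" as "a=b" in search predicates (compatibility option) */`, would tell readers what the flag relaxes. SLPDPropertyReinit starts and ends outside the hunk.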
@@ -23,7 +23,7 @@ int i; --- ./etc/slp.conf.orig 2012-11-28 17:07:04.000000000 +0000 -+++ ./etc/slp.conf 2014-02-19 18:05:31.756934637 +0000 ++++ ./etc/slp.conf 2016-09-13 10:56:14.215459551 +0000 @@ -23,6 +23,20 @@ # which DAs to use. (Default is to use dynamic DA discovery) ;net.slp.DAAddresses = myDa1,myDa2,myDa3 @@ -46,7 +46,7 @@ #---------------------------------------------------------------------------- # DA Specific Configuration --- ./slpd/Makefile.am.orig 2012-11-28 17:07:04.000000000 +0000 -+++ ./slpd/Makefile.am 2014-02-19 18:05:31.756934637 +0000 ++++ ./slpd/Makefile.am 2016-09-13 10:56:14.216459548 +0000 @@ -73,7 +73,8 @@ slpd_SOURCES = \ slpd_property.c \ slpd_regfile.c \ @@ -67,8 +67,8 @@ #if you're building on Irix, replace .la with .a below slpd_LDADD = ../common/libcommonslpd.la ../libslpattr/libslpattr.la ---- ./slpd/slpd_database.c.orig 2014-02-19 18:05:26.161934647 +0000 -+++ ./slpd/slpd_database.c 2014-02-19 18:05:55.042934596 +0000 +--- ./slpd/slpd_database.c.orig 2016-09-13 10:56:06.332485980 +0000 ++++ ./slpd/slpd_database.c 2016-09-13 10:56:14.217459544 +0000 @@ -50,6 +50,7 @@ #define _GNU_SOURCE #include <string.h> @@ -245,8 +245,8 @@ #ifdef DEBUG /** Cleans up all resources used by the database. */ ---- ./slpd/slpd_database.h.orig 2014-02-19 18:05:26.155934647 +0000 -+++ ./slpd/slpd_database.h 2014-02-19 18:05:31.758934637 +0000 +--- ./slpd/slpd_database.h.orig 2016-09-13 10:56:06.326486000 +0000 ++++ ./slpd/slpd_database.h 2016-09-13 10:56:14.217459544 +0000 @@ -105,7 +105,8 @@ int SLPDDatabaseIsEmpty(void); int SLPDDatabaseInit(const char * regfile); int SLPDDatabaseReInit(); @@ -257,8 +257,8 @@ #ifdef DEBUG void SLPDDatabaseDeinit(void); ---- ./slpd/slpd_initda.c.orig 2014-02-19 18:05:31.759934637 +0000 -+++ ./slpd/slpd_initda.c 2014-02-19 18:05:31.759934637 +0000 +--- ./slpd/slpd_initda.c.orig 2016-09-13 10:56:14.218459541 +0000 ++++ ./slpd/slpd_initda.c 2016-09-13 10:56:14.218459541 +0000 
@@ -0,0 +1,396 @@ +#include <stdio.h> +#include <string.h> @@ -656,8 +656,8 @@ + return gresult; +} + ---- ./slpd/slpd_initda.h.orig 2014-02-19 18:05:31.759934637 +0000 -+++ ./slpd/slpd_initda.h 2014-02-19 18:05:31.759934637 +0000 +--- ./slpd/slpd_initda.h.orig 2016-09-13 10:56:14.218459541 +0000 ++++ ./slpd/slpd_initda.h 2016-09-13 10:56:14.218459541 +0000 @@ -0,0 +1,16 @@ +#ifndef SLPD_INITDA_H_INCLUDED +#define SLPD_INITDA_H_INCLUDED @@ -675,8 +675,8 @@ +#endif /* SLPD_INITDA_H_INCLUDED */ + +/*=========================================================================*/ ---- ./slpd/slpd_log.c.orig 2014-02-19 18:05:26.156934647 +0000 -+++ ./slpd/slpd_log.c 2014-02-19 18:05:31.760934637 +0000 +--- ./slpd/slpd_log.c.orig 2016-09-13 10:56:06.326486000 +0000 ++++ ./slpd/slpd_log.c 2016-09-13 10:56:14.219459537 +0000 @@ -509,6 +509,12 @@ void SLPDLogRegistration(const char * pr case SLP_REG_SOURCE_STATIC: SLPDLog("static (slp.reg)\n"); @@ -690,8 +690,8 @@ } SLPDLogBuffer(" service-url = ", entry->msg->body.srvreg.urlentry.urllen, ---- ./slpd/slpd_main.c.orig 2014-02-19 18:05:26.156934647 +0000 -+++ ./slpd/slpd_main.c 2014-02-19 18:05:31.760934637 +0000 +--- ./slpd/slpd_main.c.orig 2016-09-13 10:56:06.326486000 +0000 ++++ ./slpd/slpd_main.c 2016-09-13 10:57:32.988195569 +0000 @@ -57,6 +57,7 @@ #include "slp_xmalloc.h" #include "slp_xid.h" @@ -771,10 +771,15 @@ /* init watcher */ SLPDDatabaseWatcher(); -@@ -677,6 +712,38 @@ int main(int argc, char * argv[]) +@@ -677,6 +712,43 @@ int main(int argc, char * argv[]) if (SetUpSignalHandlers()) SLPDFatal("Error setting up signal handlers.\n"); ++ if (G_SlpdProperty.isDA && G_SlpdProperty.isDABackup && DABackupfp) ++ { ++ SLPDDatabaseReadDABackup(DABackupfp); ++ } ++ + if((G_SlpdProperty.isDA) && (G_SlpdProperty.DASyncReg)) + { + /* HACK: at that point in time all outgoing sockets are DA connections 
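Review bot: The added `SLPDDatabaseReadDABackup(DABackupfp);` discards any return value, so a backup file that cannot be read or parsed would leave the DA starting with an empty database and nothing in the log; if the function reports a status, check it and report via `SLPDLog` (or `SLPDFatal`, if a backup DA should not start without its data, as the preceding `SetUpSignalHandlers()` check does). Where `DABackupfp` is opened and whether it is closed after this call is not visible in this hunk and should be confirmed. Since this is a patch of a patch, only the `++` lines are new code; `main` begins and ends outside the hunk.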
@@ -810,7 +815,7 @@ /* Set up alarm to age database -- a shorter start, so SAs register with us quickly on our startup */ alarm(2); -@@ -748,6 +815,22 @@ HANDLE_SIGNAL: +@@ -748,6 +820,22 @@ HANDLE_SIGNAL: } #endif @@ -833,9 +838,9 @@ } /* End of main loop */ /* Got SIGTERM */ ---- ./slpd/slpd_property.c.orig 2014-02-19 18:05:26.160934647 +0000 -+++ ./slpd/slpd_property.c 2014-02-19 18:05:31.760934637 +0000 -@@ -247,6 +247,11 @@ void SLPDPropertyReinit(void) +--- ./slpd/slpd_property.c.orig 2016-09-13 10:56:06.330485986 +0000 ++++ ./slpd/slpd_property.c 2016-09-13 10:56:14.220459534 +0000 +@@ -248,6 +248,11 @@ void SLPDPropertyReinit(void) /* set up hostname */ G_SlpdProperty.myHostname = SLPDGetCanonHostname(); G_SlpdProperty.myHostnameLen = strlen(G_SlpdProperty.myHostname); @@ -847,8 +852,8 @@ } /** Initialize the slpd property management subsystem. ---- ./slpd/slpd_property.h.orig 2014-02-19 18:05:26.160934647 +0000 -+++ ./slpd/slpd_property.h 2014-02-19 18:05:31.760934637 +0000 +--- ./slpd/slpd_property.h.orig 2016-09-13 10:56:06.330485986 +0000 ++++ ./slpd/slpd_property.h 2016-09-13 10:56:14.220459534 +0000 @@ -117,6 +117,11 @@ typedef struct _SLPDProperty int MTU; int useDHCP; @@ -861,8 +866,8 @@ } SLPDProperty; extern SLPDProperty G_SlpdProperty; ---- ./slpd/slpd_regfile.c.orig 2014-02-19 18:05:26.156934647 +0000 -+++ ./slpd/slpd_regfile.c 2014-02-19 18:05:31.760934637 +0000 +--- ./slpd/slpd_regfile.c.orig 2016-09-13 10:56:06.327485996 +0000 ++++ ./slpd/slpd_regfile.c 2016-09-13 10:56:14.221459531 +0000 @@ -108,15 +108,190 @@ static char * RegFileReadLine(FILE * fd, return line; } @@ -1332,7 +1337,7 @@ } --- ./slpd/slpd_regfile.h.orig 2012-11-28 17:07:04.000000000 +0000 -+++ ./slpd/slpd_regfile.h 2014-02-19 18:05:31.760934637 +0000 ++++ ./slpd/slpd_regfile.h 2016-09-13 10:56:14.221459531 +0000 
@@ -53,7 +53,12 @@ #include "slp_message.h" #include "slpd.h" ++++++ openslp.noconvenience.diff ++++++ --- ./common/slp_auth.c.orig 2016-09-12 14:33:58.923718969 +0000 +++ ./common/slp_auth.c 2016-09-12 14:35:19.660448155 +0000 @@ -237,6 +237,7 @@ static int SLPAuthSignDigest(int spistrl curpos += spistrlen; /* sign the digest and put it in the authblock */ + memset(curpos, 0, signaturelen); if (SLPCryptoDSASign(key, digest, SLPAUTH_SHA1_DIGEST_SIZE, curpos, &signaturelen)) { --- ./common/slp_crypto.c.orig 2016-09-12 14:30:13.053476772 +0000 +++ ./common/slp_crypto.c 2016-09-12 14:31:32.443210397 +0000 @@ -153,6 +153,20 @@ int SLPCryptoDSASign(SLPCryptoDSAKey * k int SLPCryptoDSAVerify(SLPCryptoDSAKey * key, const unsigned char * digest, int digestlen, const unsigned char * signature, int signaturelen) { + /* newer openssl versions need the exact size. trim down. */ + if (signaturelen > 2 && *signature == 0x30) + { + int l = 0; + if (signature[1] < 128) + l = 2 + signature[1]; + else if (signature[1] == 129) + l = 3 + signature[2]; + else if (signature[1] == 130) + l = 4 + (signature[2] << 8 | signature[3]); + if (l && l < signaturelen) + signaturelen = l; + } + /* it does not look like the type param is used? */ /* broken DSA_verify() declaration */ return DSA_verify(0, digest, digestlen, (unsigned char *)signature, --- ./common/slp_v2message.c.orig 2016-09-12 10:51:36.284400063 +0000 +++ ./common/slp_v2message.c 2016-09-12 10:55:19.553648752 +0000 @@ -150,13 +150,6 @@ static int v2ParseUrlEntry(SLPBuffer buf } urlentry->opaquelen = buffer->curpos - urlentry->opaque; - /* Terminate the URL string for caller convenience - we're overwriting - * the first byte of the "# of URL auths" field, but it's okay because - * we've already read and stored it away. - */ - if(urlentry->url) - ((uint8_t *)urlentry->url)[urlentry->urllen] = 0; - return 0; } 
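Review bot: `memset(curpos, 0, signaturelen);` carries no comment explaining why the signature area is cleared before signing; taken together with the DER-length trim this patch adds to SLPCryptoDSAVerify, the intent appears to be that any bytes SLPCryptoDSASign leaves unwritten after a shorter-than-maximum signature are deterministic zeros rather than whatever the buffer previously held. Suggest `/* the DER signature may be shorter than signaturelen; zero the tail so no stale buffer contents go on the wire and the verifier's DER-length trim sees zero padding */`. Whether `signaturelen` is the maximum on entry and is updated through `&signaturelen` by the call is not visible in the hunk, so the comment should be checked against SLPCryptoDSASign. SLPAuthSignDigest starts and ends outside the hunk.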
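Review bot: In the `signature[1] == 130` branch, `signature[2] << 8 | signature[3]` reads `signature[3]`, but the enclosing guard only requires `signaturelen > 2`, so a three-byte signature reads one byte past the buffer; the branch should be `else if (signature[1] == 130 && signaturelen > 3)`. The bytes presumably come from a peer's authentication block, so the length prefix is not trustworthy and every index needs an explicit bound. The `129` branch is already covered by the existing `> 2` check. When the decoded DER length exceeds `signaturelen` the code leaves the length untrimmed and lets DSA_verify reject it, which is reasonable but worth a one-line comment. SLPCryptoDSAVerify continues past the hunk.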
@@ -543,12 +536,6 @@ static int v2ParseAttrRply(SLPBuffer buf } } - /* Terminate the attr list for caller convenience - overwrites the - * first byte of the "# of AttrAuths" field, but we've processed it. - */ - if(attrrply->attrlist) - ((uint8_t *)attrrply->attrlist)[attrrply->attrlistlen] = 0; - return 0; } @@ -643,13 +630,6 @@ static int v2ParseDAAdvert(SLPBuffer buf } } - /* Terminate the URL string for caller convenience - we're overwriting - * the first byte of the "Length of <scope-list>" field, but it's okay - * because we've already read and stored it away. - */ - if(daadvert->url) - ((uint8_t *)daadvert->url)[daadvert->urllen] = 0; - return 0; } @@ -749,14 +729,6 @@ static int v2ParseSrvTypeRply(SLPBuffer if (buffer->curpos > buffer->end) return SLP_ERROR_PARSE_ERROR; - /* Terminate the service type list string for caller convenience - while - * it appears that we're writing one byte past the end of the buffer here, - * it's not so - message buffers are always allocated one byte larger than - * requested for just this reason. - */ - if(srvtyperply->srvtypelist) - ((uint8_t *)srvtyperply->srvtypelist)[srvtyperply->srvtypelistlen] = 0; - return 0; } @@ -825,13 +797,6 @@ static int v2ParseSAAdvert(SLPBuffer buf } } - /* Terminate the URL string for caller convenience - we're overwriting - * the first byte of the "Length of <scope-list>" field, but it's okay - * because we've already read and stored it away. - */ - if(saadvert->url) - ((uint8_t *)saadvert->url)[saadvert->urllen] = 0; - return 0; } --- ./libslp/libslp_findattrs.c.orig 2016-09-12 10:57:02.363303412 +0000 +++ ./libslp/libslp_findattrs.c 2016-09-12 10:58:41.416970996 +0000 
@@ -98,6 +98,9 @@ static SLPBoolean ProcessAttrRplyCallbac return SLP_TRUE; /* Authentication failure. */ } #endif + /* TRICKY: null terminate the attrlist by setting the authcount to 0 */ + ((char*)(attrrply->attrlist))[attrrply->attrlistlen] = 0; + /* Call the user's callback function. */ result = handle->params.findattrs.callback(handle, attrrply->attrlist, (SLPError)(-attrrply->errorcode), --- ./libslp/libslp_findsrvs.c.orig 2016-09-12 10:57:07.995284521 +0000 +++ ./libslp/libslp_findsrvs.c 2016-09-12 11:26:08.220430148 +0000 @@ -227,6 +227,9 @@ static SLPBoolean ProcessSrvRplyCallback && SLPAuthVerifyUrl(handle->hspi, 1, &urlentry[i])) continue; /* Authentication failed, skip this URLEntry. */ #endif + /* TRICKY: null terminate the url by setting the authcount to 0 */ + ((char*)(urlentry[i].url))[urlentry[i].urllen] = 0; + result = CollateToSLPSrvURLCallback(handle, urlentry[i].url, (unsigned short)urlentry[i].lifetime, SLP_OK, peeraddr); if (result == SLP_FALSE) @@ -245,6 +248,9 @@ static SLPBoolean ProcessSrvRplyCallback return SLP_TRUE; } #endif + /* TRICKY: null terminate the url by setting the scope list length to 0 */ + ((char *)replymsg->body.daadvert.url)[replymsg->body.daadvert.urllen] = 0; + result = CollateToSLPSrvURLCallback(handle, replymsg->body.daadvert.url, SLP_LIFETIME_MAXIMUM, SLP_OK, peeraddr); @@ -260,6 +266,9 @@ static SLPBoolean ProcessSrvRplyCallback return SLP_TRUE; } #endif + /* TRICKY: null terminate the url by setting the scope list length to 0 */ + ((char *)replymsg->body.saadvert.url)[replymsg->body.saadvert.urllen] = 0; + result = CollateToSLPSrvURLCallback(handle, replymsg->body.saadvert.url, SLP_LIFETIME_MAXIMUM, SLP_OK, peeraddr); --- ./libslp/libslp_findsrvtypes.c.orig 2016-09-12 10:57:15.275260063 +0000 +++ ./libslp/libslp_findsrvtypes.c 2016-09-12 11:03:41.863964662 +0000 
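Review bot: The terminator write `((char*)(attrrply->attrlist))[attrrply->attrlistlen] = 0;` is unconditional, whereas the code this patch removes from v2ParseAttrRply only wrote when `attrrply->attrlist` was non-null; if the parser leaves a zero-length list as a null pointer, an AttrRply with an empty attribute list now dereferences NULL in the client library. The same guard was dropped for `urlentry[i].url`, `replymsg->body.daadvert.url` and `replymsg->body.saadvert.url` in the three libslp_findsrvs.c hunks and for the daadvert url in KnownDADiscoveryCallback in libslp_knownda.c; the libslp_findsrvtypes.c hunk keeps its `if (srvtyperply->srvtypelistlen)` guard and is fine. Keep the original condition at each site, e.g. `if (attrrply->attrlist) ((char*)(attrrply->attrlist))[attrrply->attrlistlen] = 0;`. Each write also relies on the message buffer holding a byte after the string (the following count/length field the removed comments describe), which the TRICKY comments should state so the dependency on the parser is visible. The enclosing callbacks start and end outside these hunks.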
@@ -175,8 +175,13 @@ static SLPBoolean ProcessSrvTypeRplyCall { SLPSrvTypeRply * srvtyperply = &replymsg->body.srvtyperply; if (srvtyperply->srvtypelistlen) + { + /* TRICKY: null terminate the srvtypelist by setting the last byte 0 */ + ((char*)(srvtyperply->srvtypelist))[srvtyperply->srvtypelistlen] = 0; + result = CollateToSLPSrvTypeCallback((SLPHandle)handle, srvtyperply->srvtypelist, srvtyperply->errorcode * -1); + } } SLPMessageFree(replymsg); } --- ./libslp/libslp_knownda.c.orig 2016-09-12 10:57:21.083240529 +0000 +++ ./libslp/libslp_knownda.c 2016-09-12 11:07:26.178207707 +0000 @@ -335,6 +335,8 @@ static SLPBoolean KnownDADiscoveryCallba { SLPParsedSrvUrl * srvurl; + /* TRICKY: NULL terminate the DA url */ + ((char*)(replymsg->body.daadvert.url))[replymsg->body.daadvert.urllen] = 0; if (SLPParseSrvUrl(replymsg->body.daadvert.urllen, replymsg->body.daadvert.url, &srvurl) == 0) { @@ -993,14 +995,22 @@ void KnownDAProcessSrvRqst(SLPHandleInfo { SLPBoolean cb_result; SLPDatabaseEntry * entry = SLPDatabaseEnum(dh); + char tmp; if (!entry) break; + /* TRICKY temporary null termination of DA url */ + tmp = entry->msg->body.daadvert.url[entry->msg->body.daadvert.urllen]; + ((char*)(entry->msg->body.daadvert.url))[entry->msg->body.daadvert.urllen] = 0; + /* Call the SrvURLCallback. */ cb_result = handle->params.findsrvs.callback(handle, entry->msg->body.daadvert.url, SLP_LIFETIME_MAXIMUM, SLP_OK, handle->params.findsrvs.cookie); + /* TRICKY: undo temporary null termination of DA url */ + ((char*)(entry->msg->body.daadvert.url))[entry->msg->body.daadvert.urllen] = tmp; + /* Does the caller want more? */ if (cb_result == SLP_FALSE) break; --- ./slpd/slpd_regfile.c.orig 2016-09-12 11:12:02.353273706 +0000 +++ ./slpd/slpd_regfile.c 2016-09-12 14:29:17.611662818 +0000 
@@ -657,7 +657,7 @@ int SLPDRegFileWriteSrvReg(FILE * fd, SL if (fd) { - fprintf(fd, "%s,%s,%d\n", msg->body.srvreg.urlentry.url, msg->header.langtag, msg->body.srvreg.urlentry.lifetime); + fprintf(fd, "%.*s,%s,%d\n", (int)(msg->body.srvreg.urlentry.urllen), msg->body.srvreg.urlentry.url, msg->header.langtag, msg->body.srvreg.urlentry.lifetime); if (msg->body.srvreg.source == SLP_REG_SOURCE_PULL_PEER_DA) fprintf(fd, "slp-source=pulled-from-da-%s\n", SLPNetSockAddrStorageToString(&msg->peer, addr_str, sizeof(addr_str))); else if (msg->body.srvreg.source == SLP_REG_SOURCE_LOCAL) ++++++ openslp.predicatestorage.diff ++++++ --- ./slpd/slpd_predicate.c.orig 2014-12-15 13:07:38.636640141 +0000 +++ ./slpd/slpd_predicate.c 2014-12-15 13:10:09.507004676 +0000 @@ -1643,7 +1643,7 @@ SLPDPredicateParseResult createPredicate rhs = val_start; /***** Create leaf node. *****/ - *ppNode = (SLPDPredicateTreeNode *)xmalloc(sizeof (SLPDPredicateTreeNode) + lhs_len + rhs_len); + *ppNode = (SLPDPredicateTreeNode *)xmalloc(sizeof (SLPDPredicateTreeNode) + lhs_len + 1 + rhs_len + 1); if (!(*ppNode)) return PREDICATE_PARSE_INTERNAL_ERROR; @@ -1653,7 +1653,7 @@ SLPDPredicateParseResult createPredicate /* Finished with "operator" now - just use as temporary pointer to assist with copying the * attribute name (lhs) and required value (rhs) into the node */ - operator = (*ppNode)->nodeBody.comparison.storage; + operator = (char *)((*ppNode) + 1); strncpy(operator, lhs, lhs_len); operator[lhs_len] = '\0'; (*ppNode)->nodeBody.comparison.tag_len = lhs_len; @@ -1853,7 +1853,7 @@ SLPDPredicateParseResult createPredicate rhs = val_start; /***** Create leaf node. *****/ - *ppNode = (SLPDPredicateTreeNode *)xmalloc(sizeof (SLPDPredicateTreeNode) + lhs_len + rhs_len); + *ppNode = (SLPDPredicateTreeNode *)xmalloc(sizeof (SLPDPredicateTreeNode) + lhs_len + 1 + rhs_len + 1); if (!(*ppNode)) return PREDICATE_PARSE_INTERNAL_ERROR; 
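Review bot: The url is now printed with `%.*s` because the parser no longer NUL-terminates it, but `msg->header.langtag` on the same `fprintf` line is still printed with `%s`; if the header parser does not terminate the language tag either, this reads past it into the following header bytes. Apply the same treatment, `fprintf(fd, "%.*s,%.*s,%d\n", (int)(msg->body.srvreg.urlentry.urllen), msg->body.srvreg.urlentry.url, (int)(msg->header.langtaglen), msg->header.langtag, msg->body.srvreg.urlentry.lifetime);`, or confirm and note in a comment that the tag is terminated. SLPDRegFileWriteSrvReg starts and ends outside the hunk.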
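Review bot: `operator = (char *)((*ppNode) + 1);` places the tag and value strings in the over-allocation directly after the node, but nothing at the allocation says so; the `xmalloc(sizeof (SLPDPredicateTreeNode) + lhs_len + 1 + rhs_len + 1)` line and the pointer arithmetic only make sense together. A comment on the allocation such as `/* tag and value strings, each NUL-terminated, live in the extra bytes directly after the node; see (*ppNode) + 1 below */` would tie them, at both leaf-node sites (@@ -1643/-1653 here and @@ -1853/-1863 following). A flexible array member would be the usual idiom, but standard C does not allow one inside a struct that is itself a union member, as `comparison` is within `nodeBody`, which is presumably why the cast was chosen and is worth stating. The two sites repeat the same size arithmetic and copy sequence; a small static helper would keep them in step. createPredicate's body extends outside these hunks.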
@@ -1863,7 +1863,7 @@ SLPDPredicateParseResult createPredicate /* Finished with "operator" now - just use as temporary pointer to assist with copying the * attribute name (lhs) and required value (rhs) into the node */ - operator = (*ppNode)->nodeBody.comparison.storage; + operator = (char *)((*ppNode) + 1); strncpy(operator, lhs, lhs_len); operator[lhs_len] = '\0'; (*ppNode)->nodeBody.comparison.tag_len = lhs_len; --- ./slpd/slpd_predicate.h.orig 2014-12-15 13:07:43.084621416 +0000 +++ ./slpd/slpd_predicate.h 2014-12-15 13:08:00.738547083 +0000 @@ -98,7 +98,6 @@ typedef struct __SLPDPredicateTreeNode char *tag_str; size_t value_len; char *value_str; - char storage[2]; } comparison; } nodeBody; } SLPDPredicateTreeNode; ++++++ openslp.xrealloc.diff ++++++ --- ./common/slp_xmalloc.c.orig 2016-09-13 11:46:35.749065088 +0000 +++ ./common/slp_xmalloc.c 2016-09-13 11:48:03.785749186 +0000 @@ -203,6 +203,8 @@ void * _xrealloc(const char * file, int if (x->size != size) { newptr = _xmalloc(file, line, size); + if (!newptr) + return 0; memcpy(newptr, ptr, x->size); _xfree(file, line, x); }
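Review bot: `memcpy(newptr, ptr, x->size);` copies the old block's full size into a new block of `size` bytes, so a shrinking realloc (`size < x->size`) writes past the end of the new allocation unless no caller ever shrinks; the added null check does not change that. Copy the smaller of the two, `memcpy(newptr, ptr, x->size < size ? x->size : size);`. The early `return 0;` correctly leaves the caller's block untouched on failure, matching realloc semantics, though `return NULL;` reads better for a pointer. _xrealloc's body starts and ends outside the hunk.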
