

Today's Topics:

   1. Linux-HA CVS: lib by gshi from  ([email protected])


----------------------------------------------------------------------

Message: 1
Date: Sun, 18 Dec 2005 00:57:53 -0700 (MST)
From: [email protected]
Subject: [Linux-ha-cvs] Linux-HA CVS: lib by gshi from 
To: [EMAIL PROTECTED]
Message-ID: <[EMAIL PROTECTED]>

linux-ha CVS committal

Author  : gshi
Host    : 
Project : linux-ha
Module  : lib

Dir     : linux-ha/lib/clplumbing


Modified Files:
        cl_msg_types.c cl_netstring.c 


Log Message:
Add some out-of-bounds memory checks


===================================================================
RCS file: /home/cvs/linux-ha/linux-ha/lib/clplumbing/cl_msg_types.c,v
retrieving revision 1.34
retrieving revision 1.35
diff -u -3 -r1.34 -r1.35
--- cl_msg_types.c      2 Dec 2005 23:49:50 -0000       1.34
+++ cl_msg_types.c      18 Dec 2005 07:57:52 -0000      1.35
@@ -80,9 +80,9 @@
 int struct_stringlen(size_t namlen, size_t vallen, const void* value);
 int struct_netstringlen(size_t namlen, size_t vallen, const void* value);
 int    convert_nl_sym(char* s, int len, char sym, int direction);
- 
+int    intlen(int x);
 
-static int
+int
 intlen(int x)
 {
        char    buf[20];
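Review bot: Dropping `static` from `intlen` exports a very generic name from the library, and its only declarations are the local prototype added here and the hand-written `extern int intlen(int x);` added to cl_netstring.c. Two independent prototypes can drift apart without the compiler noticing, so declaring the function once in a header that both files include would keep them in sync. A project prefix on the name would also lower the chance of a symbol clash with other code linked into the same program. The body of intlen continues past the end of the hunk.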
@@ -220,9 +220,14 @@
                                , (unsigned long)i);
                        return 0;
                }
+               if (p + 2 + element_len + intlen(element_len)> maxp){
+                       cl_log(LOG_ERR, "%s: memory out of boundary",
+                              __FUNCTION__);
+                       return 0;
+               }
                p += sprintf(p, "%d:%s,", element_len,element);
                
-               if (p >= maxp){
+               if (p > maxp){
                        cl_log(LOG_ERR, "string_list_pack: "
                               "buffer overflowed ");
                        return 0;
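Review bot: The new pre-check before `sprintf` counts `2 + element_len + intlen(element_len)` bytes but not the terminating NUL that `sprintf` also stores, so when the sum lands exactly on `maxp` the terminator is written at `maxp` itself. If `maxp` is one past the end of the buffer (its definition is outside the hunk), that is a one-byte overrun. Comparing against the remaining room reserves the terminator and avoids forming a pointer beyond the buffer before the test runs: `if ((size_t)(maxp - p) < 3 + (size_t)element_len + (size_t)intlen(element_len)) {`. The guards `buf + len > maxp` later in this file and `s + len + 2 + intlen(len) > smax` in cl_netstring.c have the same pointer-sum shape and deserve the same treatment.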
@@ -674,7 +679,7 @@
                        }
                        
                }
-               if ( p >= maxp){
+               if ( p > maxp){
                        cl_log(LOG_ERR, "buffer overflow");
                        return HA_FAIL;
                }
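Review bot: This test runs after the writes above it (outside the hunk), so `p > maxp` can only report an overrun that has already happened, and relaxing it from `>=` now accepts `p == maxp` as success. Whether that is safe depends on whether `maxp` is the last usable byte or one past it, and on whether the preceding writes leave a terminator at `p`; neither is visible here. A comment at the declaration of `maxp` would make the intended bound checkable, for example `/* maxp: one past the last usable byte of the buffer (confirm) */`. The same relaxation is made to the post-`sprintf` check in the previous hunk.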
@@ -1096,6 +1101,13 @@
        char* p = buf;
        (void)maxp;
        (void)depth;
+       
+       if (buf + len > maxp){
+               cl_log(LOG_ERR, "%s: out of boundary",
+                      __FUNCTION__);
+               return -1;
+       }
+
        if ( strlen(s) != len){
                cl_log(LOG_ERR, "str2string:"
                       "the input len != string length");
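Review bot: `(void)maxp;` two lines above the new guard is now stale, because the guard reads `maxp`; it should be removed so the unused-parameter marker does not mislead the next reader. The guard also admits `buf + len == maxp`, so it is worth confirming that the copy further down (outside the hunk) does not store a terminator after the `len` bytes. Running the existing `strlen(s) != len` consistency check first would ensure the bound is tested against a length that is known to match the string.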
@@ -1127,7 +1139,7 @@
        (void)depth;
        baselen = B64_stringlen(len) + 1;
        
-       if ( buf + baselen >= maxp){
+       if ( buf + baselen > maxp){
                cl_log(LOG_ERR, "binary2string: out of bounary");
                return -1;
        }
@@ -1329,12 +1341,19 @@
        size_t slen;
        int ret = HA_OK;
        char* sp_save = sp;
+       char* tmpsp;
 
        fieldlen = fieldtypefuncs[type].netstringlen(nlen, vallen, value);
        if (fieldlen > MAXMSG){
                cl_log(LOG_INFO, "field too big(%d)", (int)fieldlen);
                return HA_FAIL;
        }
+       tmpsp = sp + netstring_extra(fieldlen);
+       if (tmpsp > smax){
+               cl_log(LOG_ERR, "%s: memory out of boundary, tmpsp=%p, 
smax=%p", 
+                      __FUNCTION__, tmpsp, smax);
+               return HA_FAIL;
+       }
        sp += sprintf(sp , "%d:(%d)%s=", (int)fieldlen, type, name);
        switch (type){
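Review bot: `%p` expects a `void *`, but `tmpsp` is declared `char *` in this hunk, so the arguments of the new cl_log call should be cast: `__FUNCTION__, (void *)tmpsp, (void *)smax);`. `tmpsp` exists only for this one comparison, so it could be dropped by comparing sizes directly, `if (netstring_extra(fieldlen) > (size_t)(smax - sp)) {`, which also avoids computing a pointer past the buffer when the field does not fit. The return type of netstring_extra and the type of `smax` are not visible here, so the casts may need adjusting.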
 
===================================================================
RCS file: /home/cvs/linux-ha/linux-ha/lib/clplumbing/cl_netstring.c,v
retrieving revision 1.28
retrieving revision 1.29
diff -u -3 -r1.28 -r1.29
--- cl_netstring.c      4 Nov 2005 17:56:34 -0000       1.28
+++ cl_netstring.c      18 Dec 2005 07:57:52 -0000      1.29
@@ -48,7 +48,7 @@
 int is_auth_netstring(const char*, size_t, const char*, size_t);
 char* msg2netstring(const struct ha_msg*, size_t*);
 int process_netstring_nvpair(struct ha_msg* m, const char* nvpair, int nvlen);
-
+extern int     intlen(int x);
 extern const char *    FT_strings[];
 
 static int (*authmethod)(int whichauth
@@ -75,10 +75,10 @@
 
        char *  sp = s;
 
-       /* 3 == ":" + "," + at least one digit number */
-       if (s + len + 3 > smax) {
-               cl_log(LOG_ERR
-               ,       "netstring pointer out of boundary(compose_netstring)");
+       /* 2 == ":" + "," */
+       if (s + len + 2 + intlen(len) > smax) {
+               cl_log(LOG_ERR,
+                      "netstring pointer out of boundary(compose_netstring)");
                return(HA_FAIL);
        }
 
@@ -146,7 +146,11 @@
                
        }
        
-       
+       if (sp + strlen(MSG_END_NETSTRING) > smax){
+               cl_log(LOG_ERR, "%s: out of boundary for MSG_END_NETSTRING",
+                      __FUNCTION__);
+               return HA_FAIL;
+       }
        strcpy(sp, MSG_END_NETSTRING);
        sp += sizeof(MSG_END_NETSTRING) -1;
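Review bot: `strcpy(sp, MSG_END_NETSTRING)` stores the terminating NUL as well, so the new guard needs room for `sizeof(MSG_END_NETSTRING)` bytes rather than `strlen(MSG_END_NETSTRING)`; as written, `sp + strlen(...) == smax` passes and the terminator is written at `smax`. Using the same `sizeof` form as the pointer advance below keeps the check and the copy in agreement: `if ((size_t)(smax - sp) < sizeof(MSG_END_NETSTRING)) {`. Whether `smax` is one past the end of the buffer is not visible in this hunk, so the severity depends on how the caller sets it.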
        
@@ -182,23 +186,26 @@
        char    authstring[MAXLINE];
        char*   sp;
        size_t  payload_len;
+       char*   smax;
 
        len= get_netstringlen_auth(m) + 1;
        
        if (len >= MAXMSG){
-               cl_log(LOG_ERR, "msg2netstring: msg is too large"
-                      "len =%d,MAX msg allowed=%d", len, MAXMSG);
+               cl_log(LOG_ERR, "%s: msg is too large"
+                      "len =%d,MAX msg allowed=%d", __FUNCTION__, len, MAXMSG);
                return NULL;
        }
 
        s = ha_calloc(1, len);
        if (!s){
-               cl_log(LOG_ERR, "msg2netstring: no memory for netstring");
+               cl_log(LOG_ERR, "%s: no memory for netstring", __FUNCTION__);
                return(NULL);
        }
 
+       smax = s + len;
+
        if (msg2netstring_buf(m, s, len, &payload_len) != HA_OK){
-               cl_log(LOG_ERR, "msg2netstring: msg2netstring_buf() failed");
+               cl_log(LOG_ERR, "%s:  msg2netstring_buf() failed", 
__FUNCTION__);
                ha_free(s);
                return(NULL);
        }
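Review bot: The rewritten format string joins `"%s: msg is too large"` and `"len =%d,MAX msg allowed=%d"` with no separator, so the log line reads `too largelen =...`; ending the first literal with a comma and space, `"%s: msg is too large, "`, fixes it. `len` is printed with `%d`, but its declaration is outside the hunk, so confirm it is an `int` and not a `size_t`. The new `"%s:  msg2netstring_buf() failed"` message also carries a doubled space after the colon.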
@@ -206,14 +213,23 @@
        sp = s + payload_len;
        
        if ( need_auth && authmethod){
+               int auth_strlen;
+
                authnum = authmethod(-1, s, payload_len, 
authtoken,sizeof(authtoken));
                if (authnum < 0){
                        cl_log(LOG_WARNING
                               ,        "Cannot compute message 
authentication!");
+                       ha_free(s);
                        return(NULL);
                }
                
                sprintf(authstring, "%d %s", authnum, authtoken);
+               auth_strlen = strlen(authstring);
+               if (sp  + 2 + auth_strlen + intlen(auth_strlen)  >= smax){
+                       cl_log(LOG_ERR, "%s: out of boundary for auth", 
__FUNCTION__);
+                       ha_free(s);
+                       return NULL;
+               }
                sp += sprintf(sp, "%ld:%s,", (long)strlen(authstring), 
authstring);     
                
        }
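Review bot: `sprintf(authstring, "%d %s", authnum, authtoken)` still writes into the fixed `authstring[MAXLINE]` with no bound, and the new `auth_strlen` check only protects `s`. Using `snprintf(authstring, sizeof(authstring), "%d %s", authnum, authtoken)` and rejecting a truncated result would close that gap. The following `sprintf` recomputes `strlen(authstring)`; passing `auth_strlen` with `%d` would keep the checked length and the written length the same value. This guard uses `>=` where the other guards in the commit use `>`, so settling on one convention for `smax` would make the checks easier to audit. The enclosing function continues outside the hunk.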




------------------------------
