CVS commit: src/libexec/ftpd
Module Name:src Committed By: shm Date: Sat Sep 30 18:10:55 UTC 2023 Modified Files: src/libexec/ftpd: version.h Log Message: NetBSD-ftpd 20230930 Update version to "NetBSD-ftpd 20230930" for changes: - fix uninitialized memory usage in count_users() - fix pam_set_item call with proper struct passed as PAM_SOCKADDR To generate a diff of this commit: cvs rdiff -u -r1.79 -r1.80 src/libexec/ftpd/version.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/libexec/ftpd/version.h diff -u src/libexec/ftpd/version.h:1.79 src/libexec/ftpd/version.h:1.80 --- src/libexec/ftpd/version.h:1.79 Fri Sep 22 21:57:55 2023 +++ src/libexec/ftpd/version.h Sat Sep 30 18:10:55 2023 @@ -1,4 +1,4 @@ -/* $NetBSD: version.h,v 1.79 2023/09/22 21:57:55 lukem Exp $ */ +/* $NetBSD: version.h,v 1.80 2023/09/30 18:10:55 shm Exp $ */ /*- * Copyright (c) 1999-2023 The NetBSD Foundation, Inc. * All rights reserved. @@ -29,5 +29,5 @@ */ #ifndef FTPD_VERSION -#define FTPD_VERSION "NetBSD-ftpd 20230922" +#define FTPD_VERSION "NetBSD-ftpd 20230930" #endif
CVS commit: src/libexec/ftpd
Module Name:src Committed By: shm Date: Sat Sep 30 18:10:55 UTC 2023 Modified Files: src/libexec/ftpd: version.h Log Message: NetBSD-ftpd 20230930 Update version to "NetBSD-ftpd 20230930" for changes: - fix uninitialized memory usage in count_users() - fix pam_set_item call with proper struct passed as PAM_SOCKADDR To generate a diff of this commit: cvs rdiff -u -r1.79 -r1.80 src/libexec/ftpd/version.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/libexec/ftpd
Module Name:src Committed By: shm Date: Sat Sep 30 18:06:24 UTC 2023 Modified Files: src/libexec/ftpd: ftpd.c Log Message: pam_set_item PAM_SOCKADDR expects sockaddr_storage structure Instead, internal struct sockinet was used. Because it's length is shorter than sockaddr_storage, libpam was copying also memory outside of sockinet struct. To generate a diff of this commit: cvs rdiff -u -r1.207 -r1.208 src/libexec/ftpd/ftpd.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/libexec/ftpd/ftpd.c diff -u src/libexec/ftpd/ftpd.c:1.207 src/libexec/ftpd/ftpd.c:1.208 --- src/libexec/ftpd/ftpd.c:1.207 Sat Sep 2 12:16:29 2023 +++ src/libexec/ftpd/ftpd.c Sat Sep 30 18:06:24 2023 @@ -1,4 +1,4 @@ -/* $NetBSD: ftpd.c,v 1.207 2023/09/02 12:16:29 lukem Exp $ */ +/* $NetBSD: ftpd.c,v 1.208 2023/09/30 18:06:24 shm Exp $ */ /* * Copyright (c) 1997-2023 The NetBSD Foundation, Inc. @@ -97,7 +97,7 @@ __COPYRIGHT("@(#) Copyright (c) 1985, 19 #if 0 static char sccsid[] = "@(#)ftpd.c 8.5 (Berkeley) 4/28/95"; #else -__RCSID("$NetBSD: ftpd.c,v 1.207 2023/09/02 12:16:29 lukem Exp $"); +__RCSID("$NetBSD: ftpd.c,v 1.208 2023/09/30 18:06:24 shm Exp $"); #endif #endif /* not lint */ @@ -3896,6 +3896,7 @@ auth_pam(void) int e; ftpd_cred_t auth_cred = { curname, 0 }; struct pam_conv conv = { &auth_conv, &auth_cred }; + struct sockaddr_storage ss; e = pam_start("ftpd", curname, &conv, &pamh); if (e != PAM_SUCCESS) { @@ -3918,7 +3919,9 @@ auth_pam(void) return -1; } - e = pam_set_item(pamh, PAM_SOCKADDR, &his_addr); + memset(&ss, 0, sizeof(ss)); + memcpy(&ss, &his_addr.si_su, his_addr.su_len); + e = pam_set_item(pamh, PAM_SOCKADDR, &ss); if (e != PAM_SUCCESS) { syslog(LOG_ERR, "pam_set_item(PAM_SOCKADDR): %s", pam_strerror(pamh, e));
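Review bot: In auth_pam() the new `memcpy(&ss, &his_addr.si_su, his_addr.su_len)` trusts `su_len` without comparing it to the source union or to `sizeof(ss)`, so an unexpectedly large length would recreate the kind of over-read this commit fixes. How `su_len` is set is outside the hunk, so the bound may already be guaranteed. If it is not, clamp it before the copy, e.g. `size_t len = his_addr.su_len; if (len > sizeof(his_addr.si_su)) len = sizeof(his_addr.si_su);`, and copy `len` bytes. A one-line comment saying that PAM_SOCKADDR expects a full `struct sockaddr_storage` would also explain why the zeroed temporary exists.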
CVS commit: src/libexec/ftpd
Module Name:src Committed By: shm Date: Sat Sep 30 18:06:24 UTC 2023 Modified Files: src/libexec/ftpd: ftpd.c Log Message: pam_set_item PAM_SOCKADDR expects sockaddr_storage structure Instead, internal struct sockinet was used. Because its length is shorter than sockaddr_storage, libpam was also copying memory outside of the sockinet struct. To generate a diff of this commit: cvs rdiff -u -r1.207 -r1.208 src/libexec/ftpd/ftpd.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/libexec/ftpd
Module Name:src Committed By: shm Date: Fri Sep 29 14:49:03 UTC 2023 Modified Files: src/libexec/ftpd: conf.c Log Message: Fix uninitialized memory usage in count_users() If the file was previously empty, pids table is not set, the code however used pids[0] which is uninitialized in this case. In some scenarios it may lead to propagate garbage value from pids[0] to the file and cause writing outside of allocated memory. OK lukem@ To generate a diff of this commit: cvs rdiff -u -r1.64 -r1.65 src/libexec/ftpd/conf.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/libexec/ftpd/conf.c diff -u src/libexec/ftpd/conf.c:1.64 src/libexec/ftpd/conf.c:1.65 --- src/libexec/ftpd/conf.c:1.64 Sun Nov 4 20:46:46 2012 +++ src/libexec/ftpd/conf.c Fri Sep 29 14:49:03 2023 @@ -1,4 +1,4 @@ -/* $NetBSD: conf.c,v 1.64 2012/11/04 20:46:46 christos Exp $ */ +/* $NetBSD: conf.c,v 1.65 2023/09/29 14:49:03 shm Exp $ */ /*- * Copyright (c) 1997-2009 The NetBSD Foundation, Inc. @@ -31,7 +31,7 @@ #include #ifndef lint -__RCSID("$NetBSD: conf.c,v 1.64 2012/11/04 20:46:46 christos Exp $"); +__RCSID("$NetBSD: conf.c,v 1.65 2023/09/29 14:49:03 shm Exp $"); #endif /* not lint */ #include @@ -909,7 +909,7 @@ count_users(void) goto cleanup_count; if (fstat(fd, &sb) == -1) goto cleanup_count; - if ((pids = malloc(sb.st_size + sizeof(pid_t))) == NULL) + if ((pids = calloc(sb.st_size + sizeof(pid_t), 1)) == NULL) goto cleanup_count; /* XXX: implement a better read loop */ scount = read(fd, pids, sb.st_size);
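Review bot: In count_users() the size `sb.st_size + sizeof(pid_t)` is summed before it reaches `calloc`, so calloc's own overflow check never sees the two operands, and nothing visible rejects a negative or implausibly large `st_size`. The arguments are also in (size, 1) order, where the conventional form is `calloc(1, sb.st_size + sizeof(pid_t))`. Since the zero fill is now what makes `pids[0]` safe to read for an empty file, say so next to the call: `/* zero-filled: pids[0] is read even when the file was empty */`. The rest of count_users(), including the single `read()` marked XXX, is outside the hunk.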
CVS commit: src/libexec/ftpd
Module Name:src Committed By: shm Date: Fri Sep 29 14:49:03 UTC 2023 Modified Files: src/libexec/ftpd: conf.c Log Message: Fix uninitialized memory usage in count_users() If the file was previously empty, pids table is not set, the code however used pids[0] which is uninitialized in this case. In some scenarios it may lead to propagate garbage value from pids[0] to the file and cause writing outside of allocated memory. OK lukem@ To generate a diff of this commit: cvs rdiff -u -r1.64 -r1.65 src/libexec/ftpd/conf.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/libexec/telnetd
Module Name:src Committed By: shm Date: Fri Sep 22 15:28:36 UTC 2023 Modified Files: src/libexec/telnetd: state.c Log Message: Fix off by one in telrcv() In case of "\r" in the data buffer, the code was unconditionally looking ahead to next character, even if "\r" was last character in the buffer. That condition leads to read outside of the data (one byte after the array) Thanks christos@ for the review To generate a diff of this commit: cvs rdiff -u -r1.32 -r1.33 src/libexec/telnetd/state.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/libexec/telnetd/state.c diff -u src/libexec/telnetd/state.c:1.32 src/libexec/telnetd/state.c:1.33 --- src/libexec/telnetd/state.c:1.32 Mon Aug 9 21:38:04 2021 +++ src/libexec/telnetd/state.c Fri Sep 22 15:28:36 2023 @@ -1,4 +1,4 @@ -/* $NetBSD: state.c,v 1.32 2021/08/09 21:38:04 andvar Exp $ */ +/* $NetBSD: state.c,v 1.33 2023/09/22 15:28:36 shm Exp $ */ /* * Copyright (c) 1989, 1993 @@ -34,7 +34,7 @@ #if 0 static char sccsid[] = "@(#)state.c 8.5 (Berkeley) 5/30/95"; #else -__RCSID("$NetBSD: state.c,v 1.32 2021/08/09 21:38:04 andvar Exp $"); +__RCSID("$NetBSD: state.c,v 1.33 2023/09/22 15:28:36 shm Exp $"); #endif #endif /* not lint */ 
@@ -100,9 +100,33 @@ telrcv(void) case TS_CR: state = TS_DATA; - /* Strip off \n or \0 after a \r */ - if ((c == 0) || (c == '\n')) { -break; + +#ifdef LINEMODE + /* + * If we are operating in linemode, + * convert to local end-of-line. + */ + if (linemode && (ncc > 0) && ((c == '\n') || + ((c == 0) && tty_iscrnl())) ) +c = '\n'; + else +#endif + { +/* + * We now map \r\n ==> \r for pragmatic reasons. + * Many client implementations send \r\n when + * the user hits the CarriageReturn key. + * + * We USED to map \r\n ==> \n, since \r\n says + * that we want to be in column 1 of the next + * printable line, and \n is the standard + * unix way of saying that (\r is only good + * if CRMOD is set, which it normally is). + */ + +/* Strip off \n or \0 after a \r */ +if ((c == 0) || (c == '\n')) + break; } /* FALL THROUGH */ @@ -111,42 +135,10 @@ telrcv(void) state = TS_IAC; break; } - /* - * We now map \r\n ==> \r for pragmatic reasons. - * Many client implementations send \r\n when - * the user hits the CarriageReturn key. - * - * We USED to map \r\n ==> \n, since \r\n says - * that we want to be in column 1 of the next - * printable line, and \n is the standard - * unix way of saying that (\r is only good - * if CRMOD is set, which it normally is). - */ - if ((c == '\r') && his_state_is_wont(TELOPT_BINARY)) { -int nc = *netip; -#ifdef ENCRYPTION -if (decrypt_input) - nc = (*decrypt_input)(nc & 0xff); -#endif /* ENCRYPTION */ -#ifdef LINEMODE -/* - * If we are operating in linemode, - * convert to local end-of-line. - */ -if (linemode && (ncc > 0) && (('\n' == nc) || - ((0 == nc) && tty_iscrnl())) ) { - netip++; ncc--; - c = '\n'; -} else -#endif -{ -#ifdef ENCRYPTION - if (decrypt_input) - (void)(*decrypt_input)(-1); -#endif /* ENCRYPTION */ - state = TS_CR; -} - } + + if ((c == '\r') && his_state_is_wont(TELOPT_BINARY)) +state = TS_CR; + *pfrontp++ = c; break;
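Review bot: In the new TS_CR case the linemode test keeps `(ncc > 0)` from the old look-ahead code, where it meant "a next byte exists". Here `c` is already the byte after the `\r`, so the test now asks whether anything follows `c`, and a `\n` that happens to be the last byte of the buffer would take the strip branch instead of the conversion. As far as these hunks show, the `\r` has also already been stored by `*pfrontp++ = c` in TS_DATA before the state changes, so the linemode path now emits `\r` followed by `\n` where the old code emitted a single `\n`. If neither is intended, drop the carried-over test, `if (linemode && ((c == '\n') || ((c == 0) && tty_iscrnl())))`, and decide in TS_DATA whether the `\r` is stored at all. The loop that fetches `c` and decrements `ncc` is outside the hunk, so confirm against it.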
CVS commit: src/libexec/telnetd
Module Name:src Committed By: shm Date: Fri Sep 22 15:28:36 UTC 2023 Modified Files: src/libexec/telnetd: state.c Log Message: Fix off by one in telrcv() In case of "\r" in the data buffer, the code was unconditionally looking ahead to next character, even if "\r" was last character in the buffer. That condition leads to read outside of the data (one byte after the array) Thanks christos@ for the review To generate a diff of this commit: cvs rdiff -u -r1.32 -r1.33 src/libexec/telnetd/state.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/libexec/ftpd
Module Name:src Committed By: shm Date: Fri Sep 22 11:23:28 UTC 2023 Modified Files: src/libexec/ftpd: ftpcmd.y Log Message: Add missing check_login checks for MLST and MLSD To generate a diff of this commit: cvs rdiff -u -r1.94 -r1.95 src/libexec/ftpd/ftpcmd.y Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/libexec/ftpd
Module Name:src Committed By: shm Date: Fri Sep 22 11:23:28 UTC 2023 Modified Files: src/libexec/ftpd: ftpcmd.y Log Message: Add missing check_login checks for MLST and MLSD To generate a diff of this commit: cvs rdiff -u -r1.94 -r1.95 src/libexec/ftpd/ftpcmd.y Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/libexec/ftpd/ftpcmd.y diff -u src/libexec/ftpd/ftpcmd.y:1.94 src/libexec/ftpd/ftpcmd.y:1.95 --- src/libexec/ftpd/ftpcmd.y:1.94 Mon Aug 10 07:45:50 2015 +++ src/libexec/ftpd/ftpcmd.y Fri Sep 22 11:23:28 2023 @@ -1,4 +1,4 @@ -/* $NetBSD: ftpcmd.y,v 1.94 2015/08/10 07:45:50 shm Exp $ */ +/* $NetBSD: ftpcmd.y,v 1.95 2023/09/22 11:23:28 shm Exp $ */ /*- * Copyright (c) 1997-2009 The NetBSD Foundation, Inc. @@ -72,7 +72,7 @@ #if 0 static char sccsid[] = "@(#)ftpcmd.y 8.3 (Berkeley) 4/6/94"; #else -__RCSID("$NetBSD: ftpcmd.y,v 1.94 2015/08/10 07:45:50 shm Exp $"); +__RCSID("$NetBSD: ftpcmd.y,v 1.95 2023/09/22 11:23:28 shm Exp $"); #endif #endif /* not lint */ @@ -855,7 +855,8 @@ cmd | MLST check_login CRLF { - mlst(NULL); + if ($2) +mlst(NULL); } | MLSD check_login SP pathname CRLF @@ -868,7 +869,8 @@ cmd | MLSD check_login CRLF { - mlsd(NULL); + if ($2) +mlsd(NULL); } | error CRLF
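Review bot: The `if ($2)` guard has to be repeated by hand in every `check_login` arm of `cmd`, and these two hunks show how easily one is missed. The action of the `MLSD check_login SP pathname CRLF` arm between them is not visible here, so confirm it tests `$2` as well. A short comment in the fixed arms, e.g. `/* $2 is check_login's result; do nothing unless logged in */`, would make the requirement visible to whoever adds the next command.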
CVS commit: src/libexec/telnetd
Module Name:src Committed By: shm Date: Thu Sep 21 14:00:34 UTC 2023 Modified Files: src/libexec/telnetd: telnetd.c Log Message: Fix memory leak - free resources allocated by getaddrinfo To generate a diff of this commit: cvs rdiff -u -r1.58 -r1.59 src/libexec/telnetd/telnetd.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/libexec/telnetd/telnetd.c diff -u src/libexec/telnetd/telnetd.c:1.58 src/libexec/telnetd/telnetd.c:1.59 --- src/libexec/telnetd/telnetd.c:1.58 Fri Aug 26 19:30:44 2022 +++ src/libexec/telnetd/telnetd.c Thu Sep 21 14:00:34 2023 @@ -1,4 +1,4 @@ -/* $NetBSD: telnetd.c,v 1.58 2022/08/26 19:30:44 dholland Exp $ */ +/* $NetBSD: telnetd.c,v 1.59 2023/09/21 14:00:34 shm Exp $ */ /* * Copyright (C) 1997 and 1998 WIDE Project. @@ -65,7 +65,7 @@ __COPYRIGHT("@(#) Copyright (c) 1989, 19 #if 0 static char sccsid[] = "@(#)telnetd.c 8.4 (Berkeley) 5/30/95"; #else -__RCSID("$NetBSD: telnetd.c,v 1.58 2022/08/26 19:30:44 dholland Exp $"); +__RCSID("$NetBSD: telnetd.c,v 1.59 2023/09/21 14:00:34 shm Exp $"); #endif #endif /* not lint */ @@ -400,6 +400,7 @@ main(int argc, char *argv[]) (void) dup2(ns, 0); (void) close(ns); (void) close(s); + freeaddrinfo(res); } else if (argc > 0) { usage(); /* NOT REACHED */
CVS commit: src/libexec/telnetd
Module Name:src Committed By: shm Date: Thu Sep 21 14:00:34 UTC 2023 Modified Files: src/libexec/telnetd: telnetd.c Log Message: Fix memory leak - free resources allocated by getaddrinfo To generate a diff of this commit: cvs rdiff -u -r1.58 -r1.59 src/libexec/telnetd/telnetd.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/lib/libc/gen
Module Name:src Committed By: shm Date: Thu Sep 21 13:46:12 UTC 2023 Modified Files: src/lib/libc/gen: getcap.c Log Message: Fix memory leak in getent() Memory was not freed if record was not found To generate a diff of this commit: cvs rdiff -u -r1.57 -r1.58 src/lib/libc/gen/getcap.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libc/gen/getcap.c diff -u src/lib/libc/gen/getcap.c:1.57 src/lib/libc/gen/getcap.c:1.58 --- src/lib/libc/gen/getcap.c:1.57 Sun Jun 18 03:56:39 2017 +++ src/lib/libc/gen/getcap.c Thu Sep 21 13:46:12 2023 @@ -1,4 +1,4 @@ -/* $NetBSD: getcap.c,v 1.57 2017/06/18 03:56:39 manu Exp $ */ +/* $NetBSD: getcap.c,v 1.58 2023/09/21 13:46:12 shm Exp $ */ /*- * Copyright (c) 1992, 1993 @@ -41,7 +41,7 @@ #if 0 static char sccsid[] = "@(#)getcap.c 8.3 (Berkeley) 3/25/94"; #else -__RCSID("$NetBSD: getcap.c,v 1.57 2017/06/18 03:56:39 manu Exp $"); +__RCSID("$NetBSD: getcap.c,v 1.58 2023/09/21 13:46:12 shm Exp $"); #endif #endif /* LIBC_SCCS and not lint */ @@ -502,8 +502,10 @@ getent(char **cap, size_t *len, const ch break; } - if (!foundit) + if (!foundit) { + free(record); return -1; + } /* * Got the capability record, but now we have to expand all tc=name
CVS commit: src/lib/libc/gen
Module Name:src Committed By: shm Date: Thu Sep 21 13:46:12 UTC 2023 Modified Files: src/lib/libc/gen: getcap.c Log Message: Fix memory leak in getent() Memory was not freed if record was not found To generate a diff of this commit: cvs rdiff -u -r1.57 -r1.58 src/lib/libc/gen/getcap.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/libexec/httpd
Module Name:src Committed By: shm Date: Wed Sep 20 08:41:35 UTC 2023 Modified Files: src/libexec/httpd: cgi-bozo.c Log Message: Removed unnecessary comment Thanks leot@ for pointing this out To generate a diff of this commit: cvs rdiff -u -r1.55 -r1.56 src/libexec/httpd/cgi-bozo.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/libexec/httpd/cgi-bozo.c diff -u src/libexec/httpd/cgi-bozo.c:1.55 src/libexec/httpd/cgi-bozo.c:1.56 --- src/libexec/httpd/cgi-bozo.c:1.55 Wed Sep 20 07:09:14 2023 +++ src/libexec/httpd/cgi-bozo.c Wed Sep 20 08:41:35 2023 @@ -1,4 +1,4 @@ -/* $NetBSD: cgi-bozo.c,v 1.55 2023/09/20 07:09:14 shm Exp $ */ +/* $NetBSD: cgi-bozo.c,v 1.56 2023/09/20 08:41:35 shm Exp $ */ /* $eterna: cgi-bozo.c,v 1.40 2011/11/18 09:21:15 mrg Exp $ */ @@ -654,7 +654,6 @@ bozo_process_cgi(bozo_httpreq_t *request /* CGI programs should perform their own timeouts */ while ((rbytes = bozo_read(httpd, STDIN_FILENO, buf, sizeof buf)) > 0) { ssize_t wbytes; - /* char *bp = buf; */ while (rbytes) { wbytes = write(sv[0], buf, (size_t)rbytes);
CVS commit: src/libexec/httpd
Module Name:src Committed By: shm Date: Wed Sep 20 08:41:35 UTC 2023 Modified Files: src/libexec/httpd: cgi-bozo.c Log Message: Removed unnecessary comment Thanks leot@ for pointing this out To generate a diff of this commit: cvs rdiff -u -r1.55 -r1.56 src/libexec/httpd/cgi-bozo.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/libexec/httpd
Module Name:src Committed By: shm Date: Wed Sep 20 07:13:35 UTC 2023 Modified Files: src/libexec/httpd: bozohttpd.c Log Message: Fix off-by-one in bozo_decode_url_percent In case of strings that end with '%', debug function was reading past buffer. To generate a diff of this commit: cvs rdiff -u -r1.144 -r1.145 src/libexec/httpd/bozohttpd.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/libexec/httpd/bozohttpd.c diff -u src/libexec/httpd/bozohttpd.c:1.144 src/libexec/httpd/bozohttpd.c:1.145 --- src/libexec/httpd/bozohttpd.c:1.144 Thu Sep 7 06:40:56 2023 +++ src/libexec/httpd/bozohttpd.c Wed Sep 20 07:13:35 2023 @@ -1,4 +1,4 @@ -/* $NetBSD: bozohttpd.c,v 1.144 2023/09/07 06:40:56 shm Exp $ */ +/* $NetBSD: bozohttpd.c,v 1.145 2023/09/20 07:13:35 shm Exp $ */ /* $eterna: bozohttpd.c,v 1.178 2011/11/18 09:21:15 mrg Exp $ */ @@ -1564,9 +1564,14 @@ bozo_decode_url_percent(bozo_httpreq_t * *t++ = *s++; break; } - debug((httpd, DEBUG_EXPLODING, - "fu_%%: got s == %%, s[1]s[2] == %c%c", - s[1], s[2])); + if (&s[2] < end) + debug((httpd, DEBUG_EXPLODING, +"fu_%%: got s == %%, s[1]s[2] == %c%c", +s[1], s[2])); + else + debug((httpd, DEBUG_EXPLODING, + "fu_%%: got s == %%, s[1] == %c s[2] is not set", +s[1])); if (s[1] == '\0' || s[2] == '\0') return bozo_http_error(httpd, 400, request, "percent hack missing two chars afterwards");
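Review bot: In bozo_decode_url_percent() the bounds test was added only around the debug call, which leaves two near-identical multi-line `debug((...))` invocations as unbraced `if`/`else` bodies. Moving a single debug call below the existing `if (s[1] == '\0' || s[2] == '\0')` rejection would need no bounds test at all, because both bytes are known to be present there. If the two-branch form stays, put braces around each branch, since `debug` is a macro whose expansion is not visible in this hunk. The else branch still prints `s[1]` with `%c`, which for a string ending in `%` writes a NUL byte into the debug output. The function continues outside the hunk.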
CVS commit: src/libexec/httpd
Module Name:src Committed By: shm Date: Wed Sep 20 07:13:35 UTC 2023 Modified Files: src/libexec/httpd: bozohttpd.c Log Message: Fix off-by-one in bozo_decode_url_percent In case of strings that end with '%', debug function was reading past buffer. To generate a diff of this commit: cvs rdiff -u -r1.144 -r1.145 src/libexec/httpd/bozohttpd.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/libexec/httpd
Module Name:src Committed By: shm Date: Wed Sep 20 07:09:14 UTC 2023 Modified Files: src/libexec/httpd: cgi-bozo.c Log Message: Remove unused variable (bp) To generate a diff of this commit: cvs rdiff -u -r1.54 -r1.55 src/libexec/httpd/cgi-bozo.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/libexec/httpd
Module Name:src Committed By: shm Date: Wed Sep 20 07:09:14 UTC 2023 Modified Files: src/libexec/httpd: cgi-bozo.c Log Message: Remove unused variable (bp) To generate a diff of this commit: cvs rdiff -u -r1.54 -r1.55 src/libexec/httpd/cgi-bozo.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/libexec/httpd/cgi-bozo.c diff -u src/libexec/httpd/cgi-bozo.c:1.54 src/libexec/httpd/cgi-bozo.c:1.55 --- src/libexec/httpd/cgi-bozo.c:1.54 Thu Apr 8 07:02:12 2021 +++ src/libexec/httpd/cgi-bozo.c Wed Sep 20 07:09:14 2023 @@ -1,4 +1,4 @@ -/* $NetBSD: cgi-bozo.c,v 1.54 2021/04/08 07:02:12 rillig Exp $ */ +/* $NetBSD: cgi-bozo.c,v 1.55 2023/09/20 07:09:14 shm Exp $ */ /* $eterna: cgi-bozo.c,v 1.40 2011/11/18 09:21:15 mrg Exp $ */ @@ -185,15 +185,13 @@ finish_cgi_output(bozohttpd_t *httpd, bo /* CGI programs should perform their own timeouts */ while ((rbytes = read(in, buf, sizeof buf)) > 0) { ssize_t wbytes; - char *bp = buf; while (rbytes) { wbytes = bozo_write(httpd, STDOUT_FILENO, buf, (size_t)rbytes); - if (wbytes > 0) { + if (wbytes > 0) rbytes -= wbytes; -bp += wbytes; - } else + else bozoerr(httpd, 1, "cgi output write failed: %s", strerror(errno)); @@ -656,14 +654,13 @@ bozo_process_cgi(bozo_httpreq_t *request /* CGI programs should perform their own timeouts */ while ((rbytes = bozo_read(httpd, STDIN_FILENO, buf, sizeof buf)) > 0) { ssize_t wbytes; - char *bp = buf; + /* char *bp = buf; */ while (rbytes) { wbytes = write(sv[0], buf, (size_t)rbytes); - if (wbytes > 0) { + if (wbytes > 0) rbytes -= wbytes; -bp += wbytes; - } else + else bozoerr(httpd, 1, "write failed: %s", strerror(errno)); }
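Review bot: Removing `bp` silences the unused-variable warning but leaves the actual defect in finish_cgi_output(): after a short write the inner loop calls `bozo_write(httpd, STDOUT_FILENO, buf, (size_t)rbytes)` again from the start of `buf`, so bytes already sent are sent a second time and the tail of the buffer is never written. `bp` was the offset the write call should have used; keep `char *bp = buf;` and `bp += wbytes;` and pass `bp` instead of `buf`. The second hunk, in bozo_process_cgi(), has the same loop around `write(sv[0], buf, (size_t)rbytes)` and needs the same change. Both functions start and end outside the hunks.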
CVS commit: src/libexec/httpd
Module Name:src Committed By: shm Date: Tue Sep 19 07:51:43 UTC 2023 Modified Files: src/libexec/httpd: auth-bozo.c Log Message: Fix hr_authrealm memory leak hr_authrealm might be already set, so we need to free it before overwriting the value To generate a diff of this commit: cvs rdiff -u -r1.27 -r1.28 src/libexec/httpd/auth-bozo.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/libexec/httpd/auth-bozo.c diff -u src/libexec/httpd/auth-bozo.c:1.27 src/libexec/httpd/auth-bozo.c:1.28 --- src/libexec/httpd/auth-bozo.c:1.27 Wed May 5 07:41:48 2021 +++ src/libexec/httpd/auth-bozo.c Tue Sep 19 07:51:43 2023 @@ -1,4 +1,4 @@ -/* $NetBSD: auth-bozo.c,v 1.27 2021/05/05 07:41:48 mrg Exp $ */ +/* $NetBSD: auth-bozo.c,v 1.28 2023/09/19 07:51:43 shm Exp $ */ /* $eterna: auth-bozo.c,v 1.17 2011/11/18 09:21:15 mrg Exp $ */ @@ -67,6 +67,11 @@ bozo_auth_check(bozo_httpreq_t *request, if (bozo_check_special_files(request, basename, true)) return 1; } + + /* we might be called from cgi code again with the hr_authrealm + * already set */ + if (request->hr_authrealm) + free(request->hr_authrealm); request->hr_authrealm = bozostrdup(httpd, request, dir); if ((size_t)snprintf(authfile, sizeof(authfile), "%s/%s", dir,
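Review bot: The `if (request->hr_authrealm)` test added in bozo_auth_check() is redundant, because `free(NULL)` is a no-op; `free(request->hr_authrealm);` alone does the same. What is worth confirming, since it is outside the hunk, is that nothing else still holds the old `hr_authrealm` pointer when this runs a second time from the CGI path, as it would be left dangling after the free.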
CVS commit: src/libexec/httpd
Module Name:src Committed By: shm Date: Tue Sep 19 07:51:43 UTC 2023 Modified Files: src/libexec/httpd: auth-bozo.c Log Message: Fix hr_authrealm memory leak hr_authrealm might be already set, so we need to free it before overwriting the value To generate a diff of this commit: cvs rdiff -u -r1.27 -r1.28 src/libexec/httpd/auth-bozo.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/usr.bin/mail
Module Name:src Committed By: shm Date: Fri Sep 8 20:46:45 UTC 2023 Modified Files: src/usr.bin/mail: support.c Log Message: Add check for space presence after comma in skin() Check whether the comma is followed by a space; otherwise the output buffer may overflow, because an extra space can be appended to it without consuming anything from the input. That case breaks the assumption length(input) >= length(output), which the code relies on. To generate a diff of this commit: cvs rdiff -u -r1.26 -r1.27 src/usr.bin/mail/support.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/usr.bin/mail
Module Name:src Committed By: shm Date: Fri Sep 8 20:46:45 UTC 2023 Modified Files: src/usr.bin/mail: support.c Log Message: Add check for space presence after comma in skin() Check if comma is followed by space, otherwise it may lead to overflow in the output buffer as space might be extra appended to the output buffer without consuming anything from the input. This condition breaks the assumption that length(input) >= length(output) while the code relies on it. To generate a diff of this commit: cvs rdiff -u -r1.26 -r1.27 src/usr.bin/mail/support.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.bin/mail/support.c diff -u src/usr.bin/mail/support.c:1.26 src/usr.bin/mail/support.c:1.27 --- src/usr.bin/mail/support.c:1.26 Fri Sep 8 20:37:07 2023 +++ src/usr.bin/mail/support.c Fri Sep 8 20:46:45 2023 @@ -1,4 +1,4 @@ -/* $NetBSD: support.c,v 1.26 2023/09/08 20:37:07 shm Exp $ */ +/* $NetBSD: support.c,v 1.27 2023/09/08 20:46:45 shm Exp $ */ /* * Copyright (c) 1980, 1993 @@ -34,7 +34,7 @@ #if 0 static char sccsid[] = "@(#)aux.c 8.1 (Berkeley) 6/6/93"; #else -__RCSID("$NetBSD: support.c,v 1.26 2023/09/08 20:37:07 shm Exp $"); +__RCSID("$NetBSD: support.c,v 1.27 2023/09/08 20:46:45 shm Exp $"); #endif #endif /* not lint */ @@ -537,7 +537,7 @@ skin(char *name) *cp2++ = ' '; } *cp2++ = c; - if (c == ',' && !gotlt) { + if (c == ',' && *cp == ' ' && !gotlt) { *cp2++ = ' '; for (/*EMPTY*/; *cp == ' '; cp++) continue;
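Review bot: With the added `*cp == ' '` test in skin(), a comma that is not followed by a space no longer gets one inserted, so an input such as `a,b` (constructed example) now comes out as `a,b` where it used to become `a, b`. If any caller splits the result on whitespace, the two addresses would be seen as one token; callers are outside the hunk, so confirm. If the normalisation is still wanted, the alternative is to keep inserting the space and size the output buffer for it rather than relying on the output never exceeding the input.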
CVS commit: src/usr.bin/mail
Module Name:src Committed By: shm Date: Fri Sep 8 20:37:07 UTC 2023 Modified Files: src/usr.bin/mail: support.c Log Message: Fix writing outside of the nbuf buffer in skin() Data provided to skin() can be longer than LINEBUF (if same header is provided multiple times, hfield returns concatenated data). Thanks to riastradh@ for the review and comments To generate a diff of this commit: cvs rdiff -u -r1.25 -r1.26 src/usr.bin/mail/support.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.bin/mail/support.c diff -u src/usr.bin/mail/support.c:1.25 src/usr.bin/mail/support.c:1.26 --- src/usr.bin/mail/support.c:1.25 Thu Nov 9 20:27:50 2017 +++ src/usr.bin/mail/support.c Fri Sep 8 20:37:07 2023 @@ -1,4 +1,4 @@ -/* $NetBSD: support.c,v 1.25 2017/11/09 20:27:50 christos Exp $ */ +/* $NetBSD: support.c,v 1.26 2023/09/08 20:37:07 shm Exp $ */ /* * Copyright (c) 1980, 1993 @@ -34,7 +34,7 @@ #if 0 static char sccsid[] = "@(#)aux.c 8.1 (Berkeley) 6/6/93"; #else -__RCSID("$NetBSD: support.c,v 1.25 2017/11/09 20:27:50 christos Exp $"); +__RCSID("$NetBSD: support.c,v 1.26 2023/09/08 20:37:07 shm Exp $"); #endif #endif /* not lint */ @@ -456,13 +456,15 @@ skin(char *name) char *cp, *cp2; char *bufend; int gotlt, lastsp; - char nbuf[LINESIZE]; + char *nbuf, *ret; if (name == NULL) return NULL; if (strchr(name, '(') == NULL && strchr(name, '<') == NULL && strchr(name, ' ') == NULL) return name; + + nbuf = emalloc(strlen(name) + 1); gotlt = 0; lastsp = 0; bufend = nbuf; @@ -545,8 +547,11 @@ skin(char *name) } } *cp2 = 0; + + ret = savestr(nbuf); + free(nbuf); - return savestr(nbuf); + return ret; } /*
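Review bot: `nbuf = emalloc(strlen(name) + 1)` sizes the buffer exactly to the input, yet the copy loop between the two hunks writes through `cp2` with no bound check visible here, so correctness depends on every branch consuming at least one input byte per byte it emits. State that at the allocation, e.g. `/* output never exceeds input: each byte written consumes one from name */`, so later edits to the loop do not break it silently. Any `return` between the allocation and the new `free(nbuf)` would leak the buffer; that part of skin() is outside the hunks.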
CVS commit: src/usr.bin/mail
Module Name:src Committed By: shm Date: Fri Sep 8 20:37:07 UTC 2023 Modified Files: src/usr.bin/mail: support.c Log Message: Fix writing outside of the nbuf buffer in skin() Data provided to skin() can be longer than LINEBUF (if same header is provided multiple times, hfield returns concatenated data). Thanks to riastradh@ for the review and comments To generate a diff of this commit: cvs rdiff -u -r1.25 -r1.26 src/usr.bin/mail/support.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/usr.bin/mail
Module Name:src Committed By: shm Date: Fri Sep 8 14:34:02 UTC 2023 Modified Files: src/usr.bin/mail: format.c Log Message: Fix check_bufsize() incorrect behaviour The function ensures that that buffer is large enough to store the data (if not, it reallocates it). It doubled the buffer every time the buffer was too small, but in some cases it wasn't enough, which might lead to heap overflows. Rewrite of this function handles int overflow scenarios as well as ensures the buffer is big enough to handle the data. Thanks riastradh@ for the review and comments To generate a diff of this commit: cvs rdiff -u -r1.17 -r1.18 src/usr.bin/mail/format.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.bin/mail/format.c diff -u src/usr.bin/mail/format.c:1.17 src/usr.bin/mail/format.c:1.18 --- src/usr.bin/mail/format.c:1.17 Sun Aug 7 10:12:19 2022 +++ src/usr.bin/mail/format.c Fri Sep 8 14:34:02 2023 @@ -1,4 +1,4 @@ -/* $NetBSD: format.c,v 1.17 2022/08/07 10:12:19 andvar Exp $ */ +/* $NetBSD: format.c,v 1.18 2023/09/08 14:34:02 shm Exp $ */ /*- * Copyright (c) 2006 The NetBSD Foundation, Inc. @@ -31,7 +31,7 @@ #include #ifndef __lint__ -__RCSID("$NetBSD: format.c,v 1.17 2022/08/07 10:12:19 andvar Exp $"); +__RCSID("$NetBSD: format.c,v 1.18 2023/09/08 14:34:02 shm Exp $"); #endif /* not __lint__ */ #include 
@@ -54,13 +54,21 @@ __RCSID("$NetBSD: format.c,v 1.17 2022/0 static void check_bufsize(char **buf, size_t *bufsize, char **p, size_t cnt) { - char *q; - if (*p + cnt < *buf + *bufsize) + size_t offset = (size_t)(*p - *buf); + + /* enough buffer allocated already */ + if (cnt < *bufsize - offset) return; - *bufsize *= 2; - q = erealloc(*buf, *bufsize); - *p = q + (*p - *buf); - *buf = q; + + /* expand buffer till it's sufficient to handle the data */ + while (cnt >= *bufsize - offset) { + if (*bufsize > SIZE_MAX/2) + errx(1, "out of memory"); + *bufsize *= 2; + } + + *buf = erealloc(*buf, *bufsize); + *p = *buf + offset; } static const char *
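Review bot: The doubling loop in `check_bufsize()` cannot terminate if `*bufsize` is 0 on entry, because `*bufsize *= 2` leaves it at 0 and `cnt >= *bufsize - offset` stays true. Whether any caller starts from an empty buffer is not visible in this hunk, so a guard such as `if (*bufsize == 0) *bufsize = 1;` ahead of the loop would make the function safe on its own. The subtraction `*bufsize - offset` also relies on `*p` lying inside the buffer: if `*p` were ever past the end, the unsigned result wraps to a large value and the early return reports enough room. A short header comment stating that invariant, and that on return strictly more than `cnt` bytes are free at `*p`, would document the contract the strict `<` comparison enforces.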
CVS commit: src/usr.bin/mail
Module Name:src Committed By: shm Date: Fri Sep 8 14:34:02 UTC 2023 Modified Files: src/usr.bin/mail: format.c Log Message: Fix check_bufsize() incorrect behaviour The function ensures that the buffer is large enough to store the data (if not, it reallocates it). It doubled the buffer every time the buffer was too small, but in some cases that wasn't enough, which might lead to heap overflows. The rewrite of this function handles int overflow scenarios and ensures the buffer is big enough to handle the data. Thanks riastradh@ for the review and comments To generate a diff of this commit: cvs rdiff -u -r1.17 -r1.18 src/usr.bin/mail/format.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/usr.bin/mail
Module Name:src Committed By: shm Date: Fri Sep 8 14:22:04 UTC 2023 Modified Files: src/usr.bin/mail: vars.c Log Message: Fixed undefined behaviour in hash() Shift left on large int values was causing an undefined behaviour, fix it by operating on unsigned int type instead. This patch changes behaviour of the hash() slightly - if the computed hash is INT_MIN, the function previously returned 0, but this case is negligible. To generate a diff of this commit: cvs rdiff -u -r1.18 -r1.19 src/usr.bin/mail/vars.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.bin/mail/vars.c diff -u src/usr.bin/mail/vars.c:1.18 src/usr.bin/mail/vars.c:1.19 --- src/usr.bin/mail/vars.c:1.18 Sat Oct 27 15:14:51 2007 +++ src/usr.bin/mail/vars.c Fri Sep 8 14:22:04 2023 @@ -1,4 +1,4 @@ -/* $NetBSD: vars.c,v 1.18 2007/10/27 15:14:51 christos Exp $ */ +/* $NetBSD: vars.c,v 1.19 2023/09/08 14:22:04 shm Exp $ */ /* * Copyright (c) 1980, 1993 @@ -34,7 +34,7 @@ #if 0 static char sccsid[] = "@(#)vars.c 8.1 (Berkeley) 6/6/93"; #else -__RCSID("$NetBSD: vars.c,v 1.18 2007/10/27 15:14:51 christos Exp $"); +__RCSID("$NetBSD: vars.c,v 1.19 2023/09/08 14:22:04 shm Exp $"); #endif #endif /* not lint */ @@ -86,14 +86,12 @@ vcopy(const char str[]) PUBLIC int hash(const char *name) { - int h = 0; + unsigned int h = 0; while (*name) { h <<= 2; h += *name++; } - if (h < 0 && (h = -h) < 0) - h = 0; return h % HSHSIZE; }
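Review bot: `h += *name++` adds a plain `char`, so where `char` is signed a byte at or above 0x80 is sign-extended before it is converted to `unsigned int`. The arithmetic is well defined, but the bucket chosen for non-ASCII names then depends on the platform's `char` signedness. Writing `h += (unsigned char)*name++;` removes that dependency. Separately, any name whose old `int` accumulator went negative now maps through `h % HSHSIZE` on the wrapped unsigned value rather than on `-h`, so its bucket can differ in more cases than INT_MIN. That looks harmless as long as the result only indexes an in-memory table, which this hunk does not show.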
CVS commit: src/usr.bin/mail
Module Name:src Committed By: shm Date: Fri Sep 8 14:22:04 UTC 2023 Modified Files: src/usr.bin/mail: vars.c Log Message: Fixed undefined behaviour in hash() Shifting left on large int values caused undefined behaviour; fix it by operating on the unsigned int type instead. This patch changes the behaviour of hash() slightly - if the computed hash is INT_MIN, the function previously returned 0, but this case is negligible. To generate a diff of this commit: cvs rdiff -u -r1.18 -r1.19 src/usr.bin/mail/vars.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/libexec/httpd
Module Name:src Committed By: shm Date: Thu Sep 7 06:40:56 UTC 2023 Modified Files: src/libexec/httpd: bozohttpd.c Log Message: Fix memory leaks in bozo_cleanup To generate a diff of this commit: cvs rdiff -u -r1.143 -r1.144 src/libexec/httpd/bozohttpd.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/libexec/httpd/bozohttpd.c diff -u src/libexec/httpd/bozohttpd.c:1.143 src/libexec/httpd/bozohttpd.c:1.144 --- src/libexec/httpd/bozohttpd.c:1.143 Wed Jun 7 20:12:31 2023 +++ src/libexec/httpd/bozohttpd.c Thu Sep 7 06:40:56 2023 @@ -1,4 +1,4 @@ -/* $NetBSD: bozohttpd.c,v 1.143 2023/06/07 20:12:31 mrg Exp $ */ +/* $NetBSD: bozohttpd.c,v 1.144 2023/09/07 06:40:56 shm Exp $ */ /* $eterna: bozohttpd.c,v 1.178 2011/11/18 09:21:15 mrg Exp $ */ @@ -2728,6 +2728,11 @@ bozo_cleanup(bozohttpd_t *httpd, bozopre free(httpd->errorbuf); free(httpd->getln_buffer); free(httpd->slashdir); + free(httpd->bindport); + free(httpd->pidfile); + free(httpd->cgibin); + free(httpd->virtbase); + free(httpd->dynamic_content_map); #define bozo_unconst(x) ((void *)(uintptr_t)x) free(bozo_unconst(httpd->server_software)); free(bozo_unconst(httpd->index_html));
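Review bot: The five added `free()` calls are only correct if `bindport`, `pidfile`, `cgibin`, `virtbase` and `dynamic_content_map` always hold heap pointers owned by `httpd`, and the assignments that would show this are outside the hunk. `free(httpd->dynamic_content_map)` releases only the top-level pointer; if the map's entries own allocations of their own (its type is not visible here), those would still leak. Once ownership is confirmed, a comment above the block such as `/* every pointer freed below is heap-allocated and owned by httpd */` would record the rule for whoever adds the next field. `bozo_cleanup()` starts and ends outside the hunk.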
CVS commit: src/libexec/httpd
Module Name:src Committed By: shm Date: Thu Sep 7 06:40:56 UTC 2023 Modified Files: src/libexec/httpd: bozohttpd.c Log Message: Fix memory leaks in bozo_cleanup To generate a diff of this commit: cvs rdiff -u -r1.143 -r1.144 src/libexec/httpd/bozohttpd.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/libexec/mail.local
Module Name:src Committed By: shm Date: Wed Sep 6 08:12:09 UTC 2023 Modified Files: src/libexec/mail.local: mail.local.c Log Message: - remove lock file on error - clarify diagnostic messages - initialize struct stat if lstat(2) failed (from mhal at rbox dot co) - ensure appending to a regular file To generate a diff of this commit: cvs rdiff -u -r1.29 -r1.30 src/libexec/mail.local/mail.local.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/libexec/mail.local
Module Name:src Committed By: shm Date: Wed Sep 6 08:12:09 UTC 2023 Modified Files: src/libexec/mail.local: mail.local.c Log Message: - remove lock file on error - clarify diagnostic messages - initialize struct stat if lstat(2) failed (from mhal at rbox dot co) - ensure appending to a regular file To generate a diff of this commit: cvs rdiff -u -r1.29 -r1.30 src/libexec/mail.local/mail.local.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/libexec/mail.local/mail.local.c diff -u src/libexec/mail.local/mail.local.c:1.29 src/libexec/mail.local/mail.local.c:1.30 --- src/libexec/mail.local/mail.local.c:1.29 Tue May 17 11:18:58 2022 +++ src/libexec/mail.local/mail.local.c Wed Sep 6 08:12:09 2023 @@ -1,4 +1,4 @@ -/* $NetBSD: mail.local.c,v 1.29 2022/05/17 11:18:58 kre Exp $ */ +/* $NetBSD: mail.local.c,v 1.30 2023/09/06 08:12:09 shm Exp $ */ /*- * Copyright (c) 1990, 1993, 1994 @@ -36,7 +36,7 @@ __COPYRIGHT("@(#) Copyright (c) 1990, 19 #if 0 static char sccsid[] = "@(#)mail.local.c 8.22 (Berkeley) 6/21/95"; #else -__RCSID("$NetBSD: mail.local.c,v 1.29 2022/05/17 11:18:58 kre Exp $"); +__RCSID("$NetBSD: mail.local.c,v 1.30 2023/09/06 08:12:09 shm Exp $"); #endif #endif /* not lint */ @@ -51,6 +51,7 @@ __RCSID("$NetBSD: mail.local.c,v 1.29 20 #include #include #include +#include #include #include #include @@ -137,7 +138,7 @@ store(const char *from) tn = strdup(_PATH_LOCTMP); if (!tn) - logerr(EX_OSERR, "not enough core"); + logerr(EX_OSERR, "not enough memory"); if ((fd = mkstemp(tn)) == -1 || !(fp = fdopen(fd, "w+"))) logerr(EX_OSERR, "unable to open temporary file"); (void)unlink(tn); 
@@ -175,13 +176,28 @@ store(const char *from) return(fd); } +static bool +badfile(const char *path, const struct stat *sb) +{ + if (!S_ISREG(sb->st_mode)) { + logwarn("%s: not a regular file", path); + return true; + } + + if (sb->st_nlink != 1) { + logwarn("%s: linked file", path); + return true; + } + return false; +} + static int deliver(int fd, char *name, int lockfile) { struct stat sb, nsb; struct passwd pwres, *pw; char pwbuf[1024]; - int created = 0, mbfd, nr, nw, off, rval=EX_OK, lfd = -1; + int created = 0, mbfd = -1, nr, nw, off, rval=EX_OK, lfd = -1; char biffmsg[100], buf[8*1024], path[MAXPATHLEN], lpath[MAXPATHLEN]; off_t curoff; @@ -211,10 +227,17 @@ deliver(int fd, char *name, int lockfile } } - if ((lstat(path, &sb) != -1) && - (sb.st_nlink != 1 || S_ISLNK(sb.st_mode))) { - logwarn("%s: linked file", path); - return(EX_OSERR); + if (lstat(path, &sb) == -1) { + if (errno != ENOENT) { + logwarn("%s: %s", path, strerror(errno)); + rval = EX_OSERR; + goto bad; + } + memset(&sb, 0, sizeof(sb)); + sb.st_dev = NODEV; + } else if (badfile(path, &sb)) { + rval = EX_OSERR; + goto bad; } if ((mbfd = open(path, O_APPEND|O_WRONLY|O_EXLOCK|O_NOFOLLOW, @@ -235,8 +258,14 @@ deliver(int fd, char *name, int lockfile goto bad; } + if (badfile(path, &nsb)) { + rval = EX_OSERR; + goto bad; + } + /* file is not what we expected */ if (nsb.st_ino != sb.st_ino || nsb.st_dev != sb.st_dev) { + logwarn("%s: file has changed", path); rval = EX_OSERR; goto bad; }
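Review bot: `badfile()` carries no comment saying what its two checks defend against, which makes it easy to relax one of them later. I would add above it `/* Accept only a regular file with a single link, so delivery never appends to a device, FIFO or directory, or to a file reachable under a second name. */`. The helper is called on the lstat() result in the next hunk and on `nsb` in the last one. The second call covers the file actually opened only if `nsb` is filled by fstat() on `mbfd`, which these hunks do not show.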
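Review bot: In the `@@ -211,10 +227,17 @@` hunk the ENOENT branch zeroes `sb` and sets `sb.st_dev = NODEV` with no explanation. A comment such as `/* no mailbox yet: leave an identity no real file matches, so a file that appears before open() fails the st_ino/st_dev comparison below */` would state the intent, assuming that is the reason. Both new `goto bad` paths in this hunk run before `mbfd` is opened, so they depend on the `mbfd = -1` initialisation from the first hunk. They also depend on the `bad:` label, which is outside the diff, coping with a negative descriptor. `deliver()` starts and ends outside this hunk.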
CVS commit: src/sys/miscfs/procfs
Module Name:src Committed By: shm Date: Fri Jun 17 14:30:37 UTC 2022 Modified Files: src/sys/miscfs/procfs: procfs_vnops.c Log Message: Add missing permission check To generate a diff of this commit: cvs rdiff -u -r1.228 -r1.229 src/sys/miscfs/procfs/procfs_vnops.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/miscfs/procfs/procfs_vnops.c diff -u src/sys/miscfs/procfs/procfs_vnops.c:1.228 src/sys/miscfs/procfs/procfs_vnops.c:1.229 --- src/sys/miscfs/procfs/procfs_vnops.c:1.228 Sun Mar 27 17:10:56 2022 +++ src/sys/miscfs/procfs/procfs_vnops.c Fri Jun 17 14:30:37 2022 @@ -1,4 +1,4 @@ -/* $NetBSD: procfs_vnops.c,v 1.228 2022/03/27 17:10:56 christos Exp $ */ +/* $NetBSD: procfs_vnops.c,v 1.229 2022/06/17 14:30:37 shm Exp $ */ /*- * Copyright (c) 2006, 2007, 2008, 2020 The NetBSD Foundation, Inc. @@ -105,7 +105,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: procfs_vnops.c,v 1.228 2022/03/27 17:10:56 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: procfs_vnops.c,v 1.229 2022/06/17 14:30:37 shm Exp $"); #include #include @@ -976,6 +976,9 @@ procfs_lookup(void *v) *vpp = NULL; + if ((error = VOP_ACCESS(dvp, VEXEC, cnp->cn_cred)) != 0) + return (error); + if (cnp->cn_nameiop == DELETE || cnp->cn_nameiop == RENAME) return (EROFS);
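Review bot: The new `VOP_ACCESS(dvp, VEXEC, cnp->cn_cred)` call has no comment, and the log message does not say what is being enforced. I would put `/* lookup requires search permission on the directory */` above it. Because the check sits ahead of the `DELETE`/`RENAME` test, a caller without search permission now gets the access error rather than `EROFS` for those operations; that ordering seems intended but is worth stating. `procfs_lookup()` starts and ends outside the hunk.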
CVS commit: src/sys/miscfs/procfs
Module Name:src Committed By: shm Date: Fri Jun 17 14:30:37 UTC 2022 Modified Files: src/sys/miscfs/procfs: procfs_vnops.c Log Message: Add missing permission check To generate a diff of this commit: cvs rdiff -u -r1.228 -r1.229 src/sys/miscfs/procfs/procfs_vnops.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.