rpms/ftp
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix buffer overflow in token parsing

Browse Source 
Resolves: #871296
This commit is contained in:
Jan Synacek 2012-10-30 08:37:31 +01:00
parent 445d297f37
commit 5f38f714ec
2 changed files with 82 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
ftp.spec
View File

@ -1,7 +1,7 @@
Summary: The standard UNIX FTP (File Transfer Protocol) client Summary: The standard UNIX FTP (File Transfer Protocol) client
Name: ftp Name: ftp
Version: 0.17 Version: 0.17
Release: 62%{?dist} Release: 63%{?dist}
License: BSD with advertising License: BSD with advertising
Group: Applications/Internet Group: Applications/Internet
Source0: ftp://ftp.linux.org.uk/pub/linux/Networking/netkit/netkit-ftp-%{version}.tar.gz Source0: ftp://ftp.linux.org.uk/pub/linux/Networking/netkit/netkit-ftp-%{version}.tar.gz
@ -39,6 +39,7 @@ Patch30: netkit-ftp-0.17-active-mode-option.patch
Patch31: netkit-ftp-0.17-commands-leaks.patch Patch31: netkit-ftp-0.17-commands-leaks.patch
Patch32: netkit-ftp-0.17-lsn-timeout.patch Patch32: netkit-ftp-0.17-lsn-timeout.patch
Patch33: netkit-ftp-0.17-getlogin.patch Patch33: netkit-ftp-0.17-getlogin.patch
Patch34: netkit-ftp-0.17-token.patch
BuildRequires: glibc-devel, readline-devel, ncurses-devel BuildRequires: glibc-devel, readline-devel, ncurses-devel
@ -85,6 +86,7 @@ file transfers.
%patch31 -p1 -b .cmds-leaks %patch31 -p1 -b .cmds-leaks
%patch32 -p1 -b .lsn-timeout %patch32 -p1 -b .lsn-timeout
%patch33 -p1 -b .getlogin %patch33 -p1 -b .getlogin
%patch34 -p1 -b .token
%build %build
sh configure --with-c-compiler=gcc --enable-ipv6 sh configure --with-c-compiler=gcc --enable-ipv6
@ -113,6 +115,10 @@ make INSTALLROOT=${RPM_BUILD_ROOT} install
%{_mandir}/man5/netrc.* %{_mandir}/man5/netrc.*
%changelog %changelog
* Tue Oct 30 2012 Jan Synáček <jsynacek@redhat.com> - 0.17-63
- Fix buffer overflow in token parsing
- Resolves: #871296
* Tue Oct 30 2012 Jan Synáček <jsynacek@redhat.com> - 0.17-62 * Tue Oct 30 2012 Jan Synáček <jsynacek@redhat.com> - 0.17-62
- Fix linelen patch - Fix linelen patch
- Resolves: #871290 - Resolves: #871290

75
netkit-ftp-0.17-token.patch Normal file
View File

@ -0,0 +1,75 @@
diff -rup netkit-ftp-0.17/ftp/ruserpass.c netkit-ftp-0.17-new/ftp/ruserpass.c
--- netkit-ftp-0.17/ftp/ruserpass.c 2012-10-29 15:11:10.593841089 +0100
+++ netkit-ftp-0.17-new/ftp/ruserpass.c 2012-10-29 15:13:14.379822697 +0100
@@ -58,7 +58,8 @@ static int token(void);
#define ID 10
#define MACH 11
-static char tokval[100];
+#define MAXTOKENLEN 4096
+static char tokval[MAXTOKENLEN];
static struct toktab {
const char *tokstr;
@@ -249,13 +250,16 @@ bad:
return(-1);
}
-static
+static
int
token(void)
{
char *cp;
int c;
struct toktab *t;
+ size_t toklen = 0;
+ int showwarn = 1;
+ int quote = 0;
if (feof(cfile))
return (0);
@@ -266,20 +270,32 @@ token(void)
return (0);
cp = tokval;
if (c == '"') {
- while ((c = getc(cfile)) != EOF && c != '"') {
- if (c == '\\')
- c = getc(cfile);
- *cp++ = c;
- }
- } else {
+ quote = 1;
+ }
+ else {
*cp++ = c;
- while ((c = getc(cfile)) != EOF
- && c != '\n' && c != '\t' && c != ' ' && c != ',') {
- if (c == '\\')
- c = getc(cfile);
- *cp++ = c;
+ toklen++;
+ }
+ while ((c = getc(cfile)) != EOF) {
+ if (c == '"')
+ break;
+ if (c == '\\')
+ c = getc(cfile);
+ if (!quote && (c == '\n' || c == '\t' || c == ' ' || c == ','))
+ break;
+ if (toklen >= MAXTOKENLEN) {
+ if (showwarn) {
+ fprintf(stderr,
+ "Warning: .netrc token too long, will be trunctated to %zd characters\n",
+ toklen);
+ showwarn = 0;
+ }
+ continue;
}
+ *cp++ = c;
+ toklen++;
}
+
*cp = 0;
if (tokval[0] == 0)
return (0);