
(-)./common/slp_dhcp.c.orig (+2 lines)
Lines 598-603 Link Here
598
				cpysz = optdatasz < sizeof(ctxp->scopelist)? 
598
				cpysz = optdatasz < sizeof(ctxp->scopelist)? 
599
						optdatasz: sizeof(ctxp->scopelist);
599
						optdatasz: sizeof(ctxp->scopelist);
600
				strncpy(ctxp->scopelist, (char*)p, cpysz);
600
				strncpy(ctxp->scopelist, (char*)p, cpysz);
601
				ctxp->scopelist[sizeof(ctxp->scopelist) - 1] = 0;
601
			}
602
			}
602
			else
603
			else
603
			{
604
			{
Lines 622-627 Link Here
622
					cpysz = optdatasz < sizeof(ctxp->scopelist)? 
623
					cpysz = optdatasz < sizeof(ctxp->scopelist)? 
623
							optdatasz: sizeof(ctxp->scopelist);
624
							optdatasz: sizeof(ctxp->scopelist);
624
					strncpy(ctxp->scopelist, (char*)p, cpysz);
625
					strncpy(ctxp->scopelist, (char*)p, cpysz);
626
					ctxp->scopelist[sizeof(ctxp->scopelist) - 1] = 0;
625
				}
627
				}
626
			}
628
			}
627
			break;
629
			break;
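Review bot: The added terminator write `ctxp->scopelist[sizeof(ctxp->scopelist) - 1] = 0;` silently truncates the DHCP-supplied scope list whenever optdatasz is at least sizeof(ctxp->scopelist), and the identical copy-and-terminate sequence is added in both hunks (598-603 and 622-627). Clamping the copy to one byte less than the array and terminating right after the copied bytes makes the truncation explicit and keeps the NUL adjacent to the data: `cpysz = optdatasz < sizeof(ctxp->scopelist) - 1 ? optdatasz : sizeof(ctxp->scopelist) - 1;` followed by `ctxp->scopelist[cpysz] = 0;`. A small static helper would remove the duplication, and a comment stating that an over-long scope list from a DHCP option is truncated rather than rejected would record the decision for the next reader. The enclosing function begins and ends outside the hunks.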
(-)./common/slp_message.c.orig (-24 / +47 lines)
Lines 68-73 Link Here
68
/* header (IN/OUT) pointer to the header structure to fill out             */
68
/* header (IN/OUT) pointer to the header structure to fill out             */
69
/*=========================================================================*/
69
/*=========================================================================*/
70
{
70
{
71
    if (buffer->end - buffer->start < 2)
72
    {
73
        return SLP_ERROR_PARSE_ERROR;
74
    }
71
    header->version     = *(buffer->curpos);
75
    header->version     = *(buffer->curpos);
72
    header->functionid  = *(buffer->curpos + 1);
76
    header->functionid  = *(buffer->curpos + 1);
73
	
77
	
Lines 75-80 Link Here
75
    {
79
    {
76
        return SLP_ERROR_VER_NOT_SUPPORTED;
80
        return SLP_ERROR_VER_NOT_SUPPORTED;
77
    }
81
    }
82
    /* check for invalid length 18 bytes is the smallest v2 message*/
83
    if (buffer->end - buffer->start < 18)
84
    {
85
        return SLP_ERROR_PARSE_ERROR;
86
    }
78
    header->length      = AsUINT24(buffer->curpos + 2);
87
    header->length      = AsUINT24(buffer->curpos + 2);
79
    header->flags       = AsUINT16(buffer->curpos + 5);
88
    header->flags       = AsUINT16(buffer->curpos + 5);
80
    header->encoding    = 0; /* not used for SLPv2 */
89
    header->encoding    = 0; /* not used for SLPv2 */
Lines 89-97 Link Here
89
        return SLP_ERROR_PARSE_ERROR;
98
        return SLP_ERROR_PARSE_ERROR;
90
    }
99
    }
91
100
92
    /* check for invalid length 18 bytes is the smallest v2 message*/
101
    if(header->length != buffer->end - buffer->start)
93
    if(header->length != buffer->end - buffer->start ||
94
       header->length < 18)
95
    {
102
    {
96
        return SLP_ERROR_PARSE_ERROR;
103
        return SLP_ERROR_PARSE_ERROR;
97
    }
104
    }
Lines 187-193 Link Here
187
    /* parse out url */
194
    /* parse out url */
188
    urlentry->urllen = AsUINT16(buffer->curpos);
195
    urlentry->urllen = AsUINT16(buffer->curpos);
189
    buffer->curpos = buffer->curpos + 2;
196
    buffer->curpos = buffer->curpos + 2;
190
    if(urlentry->urllen > buffer->end - buffer->curpos)
197
    if(urlentry->urllen + 1 > buffer->end - buffer->curpos)
191
    {
198
    {
192
        return SLP_ERROR_PARSE_ERROR;
199
        return SLP_ERROR_PARSE_ERROR;
193
    }
200
    }
Lines 235-241 Link Here
235
    /* parse the prlist */
242
    /* parse the prlist */
236
    srvrqst->prlistlen = AsUINT16(buffer->curpos);
243
    srvrqst->prlistlen = AsUINT16(buffer->curpos);
237
    buffer->curpos = buffer->curpos + 2;
244
    buffer->curpos = buffer->curpos + 2;
238
    if(srvrqst->prlistlen > buffer->end - buffer->curpos)
245
    if(srvrqst->prlistlen + 2 > buffer->end - buffer->curpos)
239
    {
246
    {
240
        return SLP_ERROR_PARSE_ERROR;
247
        return SLP_ERROR_PARSE_ERROR;
241
    }
248
    }
Lines 246-252 Link Here
246
    /* parse the service type */
253
    /* parse the service type */
247
    srvrqst->srvtypelen = AsUINT16(buffer->curpos);
254
    srvrqst->srvtypelen = AsUINT16(buffer->curpos);
248
    buffer->curpos = buffer->curpos + 2;
255
    buffer->curpos = buffer->curpos + 2;
249
    if(srvrqst->srvtypelen > buffer->end - buffer->curpos)
256
    if(srvrqst->srvtypelen + 2 > buffer->end - buffer->curpos)
250
    {
257
    {
251
        return SLP_ERROR_PARSE_ERROR;
258
        return SLP_ERROR_PARSE_ERROR;
252
    }
259
    }
Lines 257-263 Link Here
257
    /* parse the scope list */
264
    /* parse the scope list */
258
    srvrqst->scopelistlen = AsUINT16(buffer->curpos);
265
    srvrqst->scopelistlen = AsUINT16(buffer->curpos);
259
    buffer->curpos = buffer->curpos + 2;
266
    buffer->curpos = buffer->curpos + 2;
260
    if(srvrqst->scopelistlen > buffer->end - buffer->curpos)
267
    if(srvrqst->scopelistlen + 2 > buffer->end - buffer->curpos)
261
    {
268
    {
262
        return SLP_ERROR_PARSE_ERROR;
269
        return SLP_ERROR_PARSE_ERROR;
263
    }
270
    }
Lines 269-275 Link Here
269
    srvrqst->predicatever = 2;  /* SLPv2 predicate (LDAPv3) */
276
    srvrqst->predicatever = 2;  /* SLPv2 predicate (LDAPv3) */
270
    srvrqst->predicatelen = AsUINT16(buffer->curpos);
277
    srvrqst->predicatelen = AsUINT16(buffer->curpos);
271
    buffer->curpos = buffer->curpos + 2;
278
    buffer->curpos = buffer->curpos + 2;
272
    if(srvrqst->predicatelen > buffer->end - buffer->curpos)
279
    if(srvrqst->predicatelen + 2 > buffer->end - buffer->curpos)
273
    {
280
    {
274
        return SLP_ERROR_PARSE_ERROR;
281
        return SLP_ERROR_PARSE_ERROR;
275
    }
282
    }
Lines 358-367 Link Here
358
        return result;
365
        return result;
359
    }
366
    }
360
367
368
    if(buffer->end - buffer->curpos < 2)
369
    {
370
        return SLP_ERROR_PARSE_ERROR;
371
    }
361
    /* parse the service type */
372
    /* parse the service type */
362
    srvreg->srvtypelen = AsUINT16(buffer->curpos);
373
    srvreg->srvtypelen = AsUINT16(buffer->curpos);
363
    buffer->curpos = buffer->curpos + 2;
374
    buffer->curpos = buffer->curpos + 2;
364
    if(srvreg->srvtypelen > buffer->end - buffer->curpos)
375
    if(srvreg->srvtypelen + 2 > buffer->end - buffer->curpos)
365
    {
376
    {
366
        return SLP_ERROR_PARSE_ERROR;
377
        return SLP_ERROR_PARSE_ERROR;
367
    }
378
    }
Lines 372-378 Link Here
372
    /* parse the scope list */
383
    /* parse the scope list */
373
    srvreg->scopelistlen = AsUINT16(buffer->curpos);
384
    srvreg->scopelistlen = AsUINT16(buffer->curpos);
374
    buffer->curpos = buffer->curpos + 2;
385
    buffer->curpos = buffer->curpos + 2;
375
    if(srvreg->scopelistlen > buffer->end - buffer->curpos)
386
    if(srvreg->scopelistlen + 2 > buffer->end - buffer->curpos)
376
    {
387
    {
377
        return SLP_ERROR_PARSE_ERROR;
388
        return SLP_ERROR_PARSE_ERROR;
378
    }
389
    }
Lines 383-389 Link Here
383
    /* parse the attribute list*/
394
    /* parse the attribute list*/
384
    srvreg->attrlistlen = AsUINT16(buffer->curpos);
395
    srvreg->attrlistlen = AsUINT16(buffer->curpos);
385
    buffer->curpos = buffer->curpos + 2;
396
    buffer->curpos = buffer->curpos + 2;
386
    if(srvreg->attrlistlen > buffer->end - buffer->curpos)
397
    if(srvreg->attrlistlen + 1 > buffer->end - buffer->curpos)
387
    {
398
    {
388
        return SLP_ERROR_PARSE_ERROR;
399
        return SLP_ERROR_PARSE_ERROR;
389
    }
400
    }
Lines 447-452 Link Here
447
    }
458
    }
448
459
449
    /* parse the tag list */
460
    /* parse the tag list */
461
    if(buffer->end - buffer->curpos < 2)
462
    {
463
        return SLP_ERROR_PARSE_ERROR;
464
    }
450
    srvdereg->taglistlen = AsUINT16(buffer->curpos);
465
    srvdereg->taglistlen = AsUINT16(buffer->curpos);
451
    buffer->curpos = buffer->curpos + 2;
466
    buffer->curpos = buffer->curpos + 2;
452
    if(srvdereg->taglistlen > buffer->end - buffer->curpos)
467
    if(srvdereg->taglistlen > buffer->end - buffer->curpos)
Lines 482-488 Link Here
482
    /* parse the prlist */
497
    /* parse the prlist */
483
    attrrqst->prlistlen = AsUINT16(buffer->curpos);
498
    attrrqst->prlistlen = AsUINT16(buffer->curpos);
484
    buffer->curpos = buffer->curpos + 2;
499
    buffer->curpos = buffer->curpos + 2;
485
    if(attrrqst->prlistlen > buffer->end - buffer->curpos)
500
    if(attrrqst->prlistlen + 2 > buffer->end - buffer->curpos)
486
    {
501
    {
487
        return SLP_ERROR_PARSE_ERROR;
502
        return SLP_ERROR_PARSE_ERROR;
488
    }
503
    }
Lines 492-498 Link Here
492
    /* parse the url */
507
    /* parse the url */
493
    attrrqst->urllen = AsUINT16(buffer->curpos);
508
    attrrqst->urllen = AsUINT16(buffer->curpos);
494
    buffer->curpos = buffer->curpos + 2;
509
    buffer->curpos = buffer->curpos + 2;
495
    if(attrrqst->urllen > buffer->end - buffer->curpos)
510
    if(attrrqst->urllen + 2 > buffer->end - buffer->curpos)
496
    {
511
    {
497
        return SLP_ERROR_PARSE_ERROR;
512
        return SLP_ERROR_PARSE_ERROR;
498
    }
513
    }
Lines 503-509 Link Here
503
    /* parse the scope list */
518
    /* parse the scope list */
504
    attrrqst->scopelistlen = AsUINT16(buffer->curpos);
519
    attrrqst->scopelistlen = AsUINT16(buffer->curpos);
505
    buffer->curpos = buffer->curpos + 2;
520
    buffer->curpos = buffer->curpos + 2;
506
    if(attrrqst->scopelistlen > buffer->end - buffer->curpos)
521
    if(attrrqst->scopelistlen + 2 > buffer->end - buffer->curpos)
507
    {
522
    {
508
        return SLP_ERROR_PARSE_ERROR;
523
        return SLP_ERROR_PARSE_ERROR;
509
    }
524
    }
Lines 514-520 Link Here
514
    /* parse the taglist string */
529
    /* parse the taglist string */
515
    attrrqst->taglistlen = AsUINT16(buffer->curpos);
530
    attrrqst->taglistlen = AsUINT16(buffer->curpos);
516
    buffer->curpos = buffer->curpos + 2;
531
    buffer->curpos = buffer->curpos + 2;
517
    if(attrrqst->taglistlen > buffer->end - buffer->curpos)
532
    if(attrrqst->taglistlen + 2 > buffer->end - buffer->curpos)
518
    {
533
    {
519
        return SLP_ERROR_PARSE_ERROR;
534
        return SLP_ERROR_PARSE_ERROR;
520
    }
535
    }
Lines 563-569 Link Here
563
    /* parse out the attrlist */
578
    /* parse out the attrlist */
564
    attrrply->attrlistlen = AsUINT16(buffer->curpos);
579
    attrrply->attrlistlen = AsUINT16(buffer->curpos);
565
    buffer->curpos = buffer->curpos + 2;
580
    buffer->curpos = buffer->curpos + 2;
566
    if(attrrply->attrlistlen > buffer->end - buffer->curpos)
581
    if(attrrply->attrlistlen + 1 > buffer->end - buffer->curpos)
567
    {
582
    {
568
        return SLP_ERROR_PARSE_ERROR;
583
        return SLP_ERROR_PARSE_ERROR;
569
    }
584
    }
Lines 619-631 Link Here
619
    buffer->curpos = buffer->curpos + 2;
634
    buffer->curpos = buffer->curpos + 2;
620
635
621
    /* parse out the bootstamp */
636
    /* parse out the bootstamp */
637
    if(buffer->end - buffer->curpos < 6)
638
    {
639
        return SLP_ERROR_PARSE_ERROR;
640
    }
622
    daadvert->bootstamp = AsUINT32(buffer->curpos);
641
    daadvert->bootstamp = AsUINT32(buffer->curpos);
623
    buffer->curpos = buffer->curpos + 4;
642
    buffer->curpos = buffer->curpos + 4;
624
643
625
    /* parse out the url */
644
    /* parse out the url */
626
    daadvert->urllen = AsUINT16(buffer->curpos);
645
    daadvert->urllen = AsUINT16(buffer->curpos);
627
    buffer->curpos = buffer->curpos + 2;
646
    buffer->curpos = buffer->curpos + 2;
628
    if(daadvert->urllen > buffer->end - buffer->curpos)
647
    if(daadvert->urllen + 2 > buffer->end - buffer->curpos)
629
    {
648
    {
630
        return SLP_ERROR_PARSE_ERROR;
649
        return SLP_ERROR_PARSE_ERROR;
631
    }
650
    }
Lines 635-641 Link Here
635
    /* parse the scope list */
654
    /* parse the scope list */
636
    daadvert->scopelistlen = AsUINT16(buffer->curpos);
655
    daadvert->scopelistlen = AsUINT16(buffer->curpos);
637
    buffer->curpos = buffer->curpos + 2;
656
    buffer->curpos = buffer->curpos + 2;
638
    if(daadvert->scopelistlen > buffer->end - buffer->curpos)
657
    if(daadvert->scopelistlen + 2 > buffer->end - buffer->curpos)
639
    {
658
    {
640
        return SLP_ERROR_PARSE_ERROR;
659
        return SLP_ERROR_PARSE_ERROR;
641
    }
660
    }
Lines 645-651 Link Here
645
    /* parse the attr list */
664
    /* parse the attr list */
646
    daadvert->attrlistlen = AsUINT16(buffer->curpos);
665
    daadvert->attrlistlen = AsUINT16(buffer->curpos);
647
    buffer->curpos = buffer->curpos + 2;
666
    buffer->curpos = buffer->curpos + 2;
648
    if(daadvert->attrlistlen > buffer->end - buffer->curpos)
667
    if(daadvert->attrlistlen + 2 > buffer->end - buffer->curpos)
649
    {
668
    {
650
        return SLP_ERROR_PARSE_ERROR;
669
        return SLP_ERROR_PARSE_ERROR;
651
    }
670
    }
Lines 655-661 Link Here
655
    /* parse the SPI list */
674
    /* parse the SPI list */
656
    daadvert->spilistlen = AsUINT16(buffer->curpos);
675
    daadvert->spilistlen = AsUINT16(buffer->curpos);
657
    buffer->curpos = buffer->curpos + 2;
676
    buffer->curpos = buffer->curpos + 2;
658
    if(daadvert->spilistlen > buffer->end - buffer->curpos)
677
    if(daadvert->spilistlen + 1 > buffer->end - buffer->curpos)
659
    {
678
    {
660
        return SLP_ERROR_PARSE_ERROR;
679
        return SLP_ERROR_PARSE_ERROR;
661
    }
680
    }
Lines 704-710 Link Here
704
    /* parse out the url */
723
    /* parse out the url */
705
    saadvert->urllen = AsUINT16(buffer->curpos);
724
    saadvert->urllen = AsUINT16(buffer->curpos);
706
    buffer->curpos = buffer->curpos + 2;
725
    buffer->curpos = buffer->curpos + 2;
707
    if(saadvert->urllen > buffer->end - buffer->curpos)
726
    if(saadvert->urllen + 2 > buffer->end - buffer->curpos)
708
    {
727
    {
709
        return SLP_ERROR_PARSE_ERROR;
728
        return SLP_ERROR_PARSE_ERROR;
710
    }
729
    }
Lines 714-720 Link Here
714
    /* parse the scope list */
733
    /* parse the scope list */
715
    saadvert->scopelistlen = AsUINT16(buffer->curpos);
734
    saadvert->scopelistlen = AsUINT16(buffer->curpos);
716
    buffer->curpos = buffer->curpos + 2;
735
    buffer->curpos = buffer->curpos + 2;
717
    if(saadvert->scopelistlen > buffer->end - buffer->curpos)
736
    if(saadvert->scopelistlen + 2 > buffer->end - buffer->curpos)
718
    {
737
    {
719
        return SLP_ERROR_PARSE_ERROR;
738
        return SLP_ERROR_PARSE_ERROR;
720
    }
739
    }
Lines 724-730 Link Here
724
    /* parse the attr list */
743
    /* parse the attr list */
725
    saadvert->attrlistlen = AsUINT16(buffer->curpos);
744
    saadvert->attrlistlen = AsUINT16(buffer->curpos);
726
    buffer->curpos = buffer->curpos + 2;
745
    buffer->curpos = buffer->curpos + 2;
727
    if(saadvert->attrlistlen > buffer->end - buffer->curpos)
746
    if(saadvert->attrlistlen + 1 > buffer->end - buffer->curpos)
728
    {
747
    {
729
        return SLP_ERROR_PARSE_ERROR;
748
        return SLP_ERROR_PARSE_ERROR;
730
    }
749
    }
Lines 769-775 Link Here
769
    /* parse the prlist */
788
    /* parse the prlist */
770
    srvtyperqst->prlistlen = AsUINT16(buffer->curpos);
789
    srvtyperqst->prlistlen = AsUINT16(buffer->curpos);
771
    buffer->curpos += 2;
790
    buffer->curpos += 2;
772
    if(srvtyperqst->prlistlen > buffer->end - buffer->curpos)
791
    if(srvtyperqst->prlistlen + 2 > buffer->end - buffer->curpos)
773
    {
792
    {
774
        return SLP_ERROR_PARSE_ERROR;
793
        return SLP_ERROR_PARSE_ERROR;
775
    }
794
    }
Lines 794-799 Link Here
794
    }
813
    }
795
814
796
    /* parse the scope list */
815
    /* parse the scope list */
816
    if(buffer->end - buffer->curpos < 2)
817
    {
818
        return SLP_ERROR_PARSE_ERROR;
819
    }
797
    srvtyperqst->scopelistlen = AsUINT16(buffer->curpos);
820
    srvtyperqst->scopelistlen = AsUINT16(buffer->curpos);
798
    buffer->curpos += 2;
821
    buffer->curpos += 2;
799
    if(srvtyperqst->scopelistlen > buffer->end - buffer->curpos)
822
    if(srvtyperqst->scopelistlen > buffer->end - buffer->curpos)
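Review bot: The two new header checks in the 68-73 and 75-80 hunks (`buffer->end - buffer->start < 2` and `< 18`) bound the buffer from start, while the reads on the following lines go through `buffer->curpos`; they only protect those reads if curpos equals start on entry, which this page suggests callers arrange (slpd_v1process.c resets curpos before calling the v1 header parser) but nothing in the function itself enforces. Either compare against `buffer->curpos`, as the 358-367 hunk does, or state the precondition in the function's header comment: `/* requires buffer->curpos == buffer->start on entry */`. The `+ 2` and `+ 1` terms added to the per-field checks (187-193 onward) encode the size of the field that follows each string, which is not visible at the check itself; a comment at the first one, `/* +2: the next field's length prefix must also fit */`, would record the rationale and explain why the final fields in 447-452 and 794-799 carry no such term. If the length members are unsigned and at least as wide as int, `len + 2 > buffer->end - buffer->curpos` would convert the pointer difference to unsigned; worth confirming the declared type of these length fields. The enclosing functions begin and end outside the hunks.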
(-)./common/slp_network.c.orig (-3 / +7 lines)
Lines 300-306 Link Here
300
/*               EINVAL parse error                                        */
300
/*               EINVAL parse error                                        */
301
/*=========================================================================*/ 
301
/*=========================================================================*/ 
302
{
302
{
303
    int         xferbytes;
303
    int         xferbytes, recvlen;
304
    fd_set      readfds;
304
    fd_set      readfds;
305
    char        peek[16];
305
    char        peek[16];
306
    int         peeraddrlen = sizeof(struct sockaddr_in);
306
    int         peeraddrlen = sizeof(struct sockaddr_in);
Lines 359-368 Link Here
359
    /* Read the rest of the message */
359
    /* Read the rest of the message */
360
    /*------------------------------*/
360
    /*------------------------------*/
361
    /* check the version */
361
    /* check the version */
362
    if(*peek == 2)
362
    if(xferbytes >= 5 && *peek == 2)
363
    {
363
    {
364
        /* allocate the recvmsg big enough for the whole message */
364
        /* allocate the recvmsg big enough for the whole message */
365
        *buf = SLPBufferRealloc(*buf, AsUINT24(peek + 2));
365
        recvlen = AsUINT24(peek + 2);
366
        /* one byte is minimum */
367
        if (recvlen <= 0)
368
            recvlen = 1;
369
        *buf = SLPBufferRealloc(*buf, recvlen);
366
        if(*buf)
370
        if(*buf)
367
        {
371
        {
368
            while((*buf)->curpos < (*buf)->end)
372
            while((*buf)->curpos < (*buf)->end)
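Review bot: The new `recvlen = AsUINT24(peek + 2);` is passed straight to `SLPBufferRealloc`, so one peer-supplied header byte triple can request an allocation of up to 2^24 - 1 bytes before anything else in the message has been validated; the same pattern is added in slpd_incoming.c and slpd_outgoing.c. Unless SLPBufferRealloc caps the size itself (not visible here), an upper bound on the accepted message length belongs at this point, e.g. `if (recvlen > SLP_MAX_MESSAGE_LEN) { /* treat as parse error */ }` where SLP_MAX_MESSAGE_LEN stands in for whatever limit the project chooses. The clamp `if (recvlen <= 0) recvlen = 1;` allocates and reads a one-byte message that the v2 header parser later rejects anyway (it requires 18 bytes per the slp_message.c change in this patch); refusing lengths below the header minimum here would avoid the pointless allocation and read. The comment `/* one byte is minimum */` should say why a zero-length claim is tolerated rather than refused. The enclosing function begins and ends outside the hunks.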
(-)./common/slp_v1message.c.orig (-11 / +22 lines)
Lines 60-65 Link Here
60
/*            SLP_ERROR_PARSE_ERROR.                                       */
60
/*            SLP_ERROR_PARSE_ERROR.                                       */
61
/*=========================================================================*/
61
/*=========================================================================*/
62
{
62
{
63
    if (buffer->end - buffer->start < 12)
64
    {
65
        /* invalid length 12 bytes is the smallest v1 message*/
66
        return SLP_ERROR_PARSE_ERROR;
67
    }
63
    header->version     = *(buffer->curpos);
68
    header->version     = *(buffer->curpos);
64
    header->functionid  = *(buffer->curpos + 1);
69
    header->functionid  = *(buffer->curpos + 1);
65
	
70
	
Lines 85-94 Link Here
85
        return SLP_ERROR_CHARSET_NOT_UNDERSTOOD;
90
        return SLP_ERROR_CHARSET_NOT_UNDERSTOOD;
86
    }
91
    }
87
92
88
    if(header->length != buffer->end - buffer->start ||
93
    if(header->length != buffer->end - buffer->start)
89
       header->length < 12)
90
    {
94
    {
91
        /* invalid length 12 bytes is the smallest v1 message*/
92
        return SLP_ERROR_PARSE_ERROR;
95
        return SLP_ERROR_PARSE_ERROR;
93
    }
96
    }
94
97
Lines 114-120 Link Here
114
    int result;
117
    int result;
115
118
116
    /* make sure that min size is met */
119
    /* make sure that min size is met */
117
    if(buffer->end - buffer->curpos < 6)
120
    if(buffer->end - buffer->curpos < 4)
118
    {
121
    {
119
        return SLP_ERROR_PARSE_ERROR;
122
        return SLP_ERROR_PARSE_ERROR;
120
    }
123
    }
Lines 160-166 Link Here
160
    int result;
163
    int result;
161
164
162
    /* make sure that min size is met */
165
    /* make sure that min size is met */
163
    if(buffer->end - buffer->curpos < 10)
166
    if(buffer->end - buffer->curpos < 4)
164
    {
167
    {
165
        return SLP_ERROR_PARSE_ERROR;
168
        return SLP_ERROR_PARSE_ERROR;
166
    }
169
    }
Lines 168-174 Link Here
168
    /* parse the prlist */
171
    /* parse the prlist */
169
    srvrqst->prlistlen = AsUINT16(buffer->curpos);
172
    srvrqst->prlistlen = AsUINT16(buffer->curpos);
170
    buffer->curpos = buffer->curpos + 2;
173
    buffer->curpos = buffer->curpos + 2;
171
    if(srvrqst->prlistlen > buffer->end - buffer->curpos)
174
    if(srvrqst->prlistlen + 2 > buffer->end - buffer->curpos)
172
    {
175
    {
173
        return SLP_ERROR_PARSE_ERROR;
176
        return SLP_ERROR_PARSE_ERROR;
174
    }
177
    }
Lines 272-277 Link Here
272
    srvreg->srvtypelen = tmp - srvreg->srvtype;
275
    srvreg->srvtypelen = tmp - srvreg->srvtype;
273
276
274
    /* parse the attribute list */
277
    /* parse the attribute list */
278
    if(buffer->end - buffer->curpos < 2)
279
    {
280
        return SLP_ERROR_PARSE_ERROR;
281
    }
275
    srvreg->attrlistlen = AsUINT16(buffer->curpos);
282
    srvreg->attrlistlen = AsUINT16(buffer->curpos);
276
    buffer->curpos = buffer->curpos + 2;
283
    buffer->curpos = buffer->curpos + 2;
277
    if(srvreg->attrlistlen > buffer->end - buffer->curpos)
284
    if(srvreg->attrlistlen > buffer->end - buffer->curpos)
Lines 335-341 Link Here
335
    srvdereg->urlentry.lifetime = 0; /* not present in SLPv1 */
342
    srvdereg->urlentry.lifetime = 0; /* not present in SLPv1 */
336
    srvdereg->urlentry.urllen = AsUINT16(buffer->curpos);
343
    srvdereg->urlentry.urllen = AsUINT16(buffer->curpos);
337
    buffer->curpos += 2;
344
    buffer->curpos += 2;
338
    if(srvdereg->urlentry.urllen > buffer->end - buffer->curpos)
345
    if(srvdereg->urlentry.urllen + 2 > buffer->end - buffer->curpos)
339
    {
346
    {
340
        return SLP_ERROR_PARSE_ERROR;
347
        return SLP_ERROR_PARSE_ERROR;
341
    }
348
    }
Lines 381-387 Link Here
381
    /* parse the prlist */
388
    /* parse the prlist */
382
    attrrqst->prlistlen = AsUINT16(buffer->curpos);
389
    attrrqst->prlistlen = AsUINT16(buffer->curpos);
383
    buffer->curpos = buffer->curpos + 2;
390
    buffer->curpos = buffer->curpos + 2;
384
    if(attrrqst->prlistlen > buffer->end - buffer->curpos)
391
    if(attrrqst->prlistlen + 2 > buffer->end - buffer->curpos)
385
    {
392
    {
386
        return SLP_ERROR_PARSE_ERROR;
393
        return SLP_ERROR_PARSE_ERROR;
387
    }
394
    }
Lines 396-402 Link Here
396
    /* parse the url */
403
    /* parse the url */
397
    attrrqst->urllen = AsUINT16(buffer->curpos);
404
    attrrqst->urllen = AsUINT16(buffer->curpos);
398
    buffer->curpos = buffer->curpos + 2;
405
    buffer->curpos = buffer->curpos + 2;
399
    if(attrrqst->urllen > buffer->end - buffer->curpos)
406
    if(attrrqst->urllen + 2 > buffer->end - buffer->curpos)
400
    {
407
    {
401
        return SLP_ERROR_PARSE_ERROR;
408
        return SLP_ERROR_PARSE_ERROR;
402
    }
409
    }
Lines 411-417 Link Here
411
    /* parse the scope list */
418
    /* parse the scope list */
412
    attrrqst->scopelistlen = AsUINT16(buffer->curpos);
419
    attrrqst->scopelistlen = AsUINT16(buffer->curpos);
413
    buffer->curpos = buffer->curpos + 2;
420
    buffer->curpos = buffer->curpos + 2;
414
    if(attrrqst->scopelistlen > buffer->end - buffer->curpos)
421
    if(attrrqst->scopelistlen + 2 > buffer->end - buffer->curpos)
415
    {
422
    {
416
        return SLP_ERROR_PARSE_ERROR;
423
        return SLP_ERROR_PARSE_ERROR;
417
    }
424
    }
Lines 469-475 Link Here
469
    /* parse the prlist */
476
    /* parse the prlist */
470
    srvtyperqst->prlistlen = AsUINT16(buffer->curpos);
477
    srvtyperqst->prlistlen = AsUINT16(buffer->curpos);
471
    buffer->curpos += 2;
478
    buffer->curpos += 2;
472
    if(srvtyperqst->prlistlen > buffer->end - buffer->curpos)
479
    if(srvtyperqst->prlistlen + 2 > buffer->end - buffer->curpos)
473
    {
480
    {
474
        return SLP_ERROR_PARSE_ERROR;
481
        return SLP_ERROR_PARSE_ERROR;
475
    }
482
    }
Lines 504-509 Link Here
504
    }
511
    }
505
512
506
    /* parse the scope list */
513
    /* parse the scope list */
514
    if(buffer->end - buffer->curpos < 2)
515
    {
516
        return SLP_ERROR_PARSE_ERROR;
517
    }
507
    srvtyperqst->scopelistlen = AsUINT16(buffer->curpos);
518
    srvtyperqst->scopelistlen = AsUINT16(buffer->curpos);
508
    buffer->curpos += 2;
519
    buffer->curpos += 2;
509
    if(srvtyperqst->scopelistlen > buffer->end - buffer->curpos)
520
    if(srvtyperqst->scopelistlen > buffer->end - buffer->curpos)
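Review bot: The minimum-size checks in the 114-120 and 160-166 hunks are relaxed from 6 and 10 bytes to 4 without a comment explaining why 4 is now sufficient; presumably the `+ 2` per-field checks added below (168-174 and later) cover the remainder, but that dependency should be recorded at the check, e.g. `/* 4 bytes: the first two length fields; each later field is checked as it is read */`. Otherwise a future edit to one of the per-field checks can silently reopen the under-read. As in slp_message.c, the new header check in the 60-65 hunk compares `buffer->end - buffer->start` while the reads go through `buffer->curpos`, which is only safe when curpos equals start on entry (slpd_v1process.c does reset it before calling this parser); a one-line precondition comment or a check against curpos would make that explicit. The enclosing functions begin and end outside the hunks.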
(-)./libslp/libslp_parse.c.orig (-1 / +4 lines)
Lines 168-174 Link Here
168
        if((isTag) && strchr(ATTRIBUTE_BAD_TAG, *current_inbuf))
168
        if((isTag) && strchr(ATTRIBUTE_BAD_TAG, *current_inbuf))
169
            return(SLP_PARSE_ERROR);
169
            return(SLP_PARSE_ERROR);
170
170
171
        if(strchr(ATTRIBUTE_RESERVE_STRING, *current_inbuf))
171
        if((strchr(ATTRIBUTE_RESERVE_STRING, *current_inbuf)) || 
172
           ((*current_inbuf >= 0x00) && (*current_inbuf <= 0x1F)) ||
173
           (*current_inbuf == 0x7F)
174
          )
172
            amount_of_escape_characters++;
175
            amount_of_escape_characters++;
173
176
174
        current_inbuf++;
177
        current_inbuf++;
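Review bot: The added control-character test `(*current_inbuf >= 0x00) && (*current_inbuf <= 0x1F)` depends on the signedness of `char`: with unsigned char the `>= 0x00` half is always true, and with signed char the bytes 0x80-0xFF are negative and fall outside the range, so the escape count differs between platforms. Evaluate the byte once as `unsigned char c = (unsigned char)*current_inbuf;` and test `c <= 0x1F || c == 0x7F`, which also removes the always-true comparison that compilers warn about. Note that `strchr(ATTRIBUTE_RESERVE_STRING, *current_inbuf)` matches the string's terminating NUL when the byte is 0; presumably the loop stops at NUL before reaching this line, but in any case the sizing pass here and the later escaping pass must apply the same predicate to every byte, otherwise the computed output size is wrong. The enclosing loop and function begin and end outside the hunk.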
(-)./slpd/slpd_incoming.c.orig (-2 / +5 lines)
Lines 189-201 Link Here
189
                             MSG_PEEK,
189
                             MSG_PEEK,
190
                             (struct sockaddr *)&(sock->peeraddr),
190
                             (struct sockaddr *)&(sock->peeraddr),
191
                             &peeraddrlen);
191
                             &peeraddrlen);
192
        if (bytesread > 0)
192
        if (bytesread > 0 && bytesread >= (*peek == 2 ? 5 : 4))
193
        {
193
        {
194
194
195
            if (*peek == 2)
195
            if (*peek == 2)
196
                recvlen = AsUINT24(peek + 2);
196
                recvlen = AsUINT24(peek + 2);
197
            else if (*peek == 1) /* SLPv1 packet */
197
            else if (*peek == 1) /* SLPv1 packet */
198
                recvlen = AsUINT16(peek + 2);
198
                recvlen = AsUINT16(peek + 2);
199
            /* one byte is minimum */
200
            if (recvlen <= 0)
201
                recvlen = 1;
199
            /* allocate the recvbuf big enough for the whole message */
202
            /* allocate the recvbuf big enough for the whole message */
200
            sock->recvbuf = SLPBufferRealloc(sock->recvbuf,recvlen);
203
            sock->recvbuf = SLPBufferRealloc(sock->recvbuf,recvlen);
201
            if (sock->recvbuf)
204
            if (sock->recvbuf)
Lines 249-255 Link Here
249
        }
252
        }
250
        else
253
        else
251
        {
254
        {
252
            /* error in recv() */
255
            /* error in recv() or eof */
253
            sock->state = SOCKET_CLOSE;
256
            sock->state = SOCKET_CLOSE;
254
        }
257
        }
255
    }
258
    }
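Review bot: In the 189-201 hunk, `recvlen` is assigned only when `*peek` is 1 or 2; for any other first byte the new clamp `if (recvlen <= 0) recvlen = 1;` operates on whatever recvlen held before (its declaration is outside the hunk, so whether it is initialized is not visible), and the socket then proceeds to `SLPBufferRealloc` with an unrelated size. Add `else recvlen = 0;` to the version chain so the clamp catches it, or better, close the socket explicitly for an unknown version byte. The `bytesread > 0 &&` half of the new condition is what keeps `*peek` from being read when nothing was received, which is easy to mistake for redundancy; a comment such as `/* peek[] is only valid once bytesread > 0 */` would protect it. On a stream socket a short successful peek (1-3 bytes) now falls into the else branch that the updated comment labels `error in recv() or eof` and which closes the socket; if partial peeks can occur on this path, that is a behaviour change worth stating. The enclosing function begins and ends outside the hunks.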
(-)./slpd/slpd_outgoing.c.orig (-4 / +12 lines)
Lines 190-196 Link Here
190
void OutgoingStreamRead(SLPList* socklist, SLPDSocket* sock)
190
void OutgoingStreamRead(SLPList* socklist, SLPDSocket* sock)
191
/*-------------------------------------------------------------------------*/
191
/*-------------------------------------------------------------------------*/
192
{
192
{
193
    int     bytesread;
193
    int     bytesread, recvlen;
194
    char    peek[16];
194
    char    peek[16];
195
    int     peeraddrlen = sizeof(struct sockaddr_in);
195
    int     peeraddrlen = sizeof(struct sockaddr_in);
196
196
Lines 205-214 Link Here
205
                             MSG_PEEK,
205
                             MSG_PEEK,
206
                             (struct sockaddr *)&(sock->peeraddr),
206
                             (struct sockaddr *)&(sock->peeraddr),
207
                             &peeraddrlen);
207
                             &peeraddrlen);
208
        if ( bytesread > 0 )
208
        if ( bytesread >= 5 && *peek == 2 )
209
        {
209
        {
210
            recvlen = AsUINT24(peek + 2);
211
            /* one byte is minimum */
212
            if (recvlen <= 0)
213
                recvlen = 1;
210
            /* allocate the recvbuf big enough for the whole message */
214
            /* allocate the recvbuf big enough for the whole message */
211
            sock->recvbuf = SLPBufferRealloc(sock->recvbuf,AsUINT24(peek+2));
215
            sock->recvbuf = SLPBufferRealloc(sock->recvbuf, recvlen);
212
            if ( sock->recvbuf )
216
            if ( sock->recvbuf )
213
            {
217
            {
214
                sock->state = STREAM_READ;
218
                sock->state = STREAM_READ;
Lines 219-225 Link Here
219
                sock->state = SOCKET_CLOSE;
223
                sock->state = SOCKET_CLOSE;
220
            }
224
            }
221
        }
225
        }
222
        else
226
        else if ( bytesread == -1 )
223
        {
227
        {
224
#ifdef _WIN32
228
#ifdef _WIN32
225
            if ( WSAEWOULDBLOCK != WSAGetLastError() )
229
            if ( WSAEWOULDBLOCK != WSAGetLastError() )
Lines 232-237 Link Here
232
                OutgoingStreamReconnect(socklist,sock);
236
                OutgoingStreamReconnect(socklist,sock);
233
            }
237
            }
234
        }       
238
        }       
239
        else
240
	{
241
            sock->state = SOCKET_CLOSE;
242
	}
235
    }
243
    }
236
244
237
    if ( sock->state == STREAM_READ )
245
    if ( sock->state == STREAM_READ )
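Review bot: The new final `else` in the 232-237 hunk closes the socket for every case that is neither a usable v2 peek nor `bytesread == -1`, which includes a successful peek shorter than 5 bytes on a stream socket; if partial peeks can occur here, a legitimate slow connection is now dropped, so the intent should be stated: `/* eof, or fewer than 5 bytes peeked: not a usable SLPv2 header */`. The braces of that block are tab-indented while the surrounding code uses spaces; please match the file's indentation. The `recvlen` clamp and the `AsUINT24` size handed to `SLPBufferRealloc` repeat the logic added in slp_network.c and slpd_incoming.c; a shared helper in the common code would keep the three copies, and any future cap on the accepted message length, in step. The enclosing function ends outside the hunks.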
(-)./slpd/slpd_v1process.c.orig (+5 lines)
Lines 808-818 Link Here
808
    {
808
    {
809
        /* SLPv1 messages are handled only by DAs */
809
        /* SLPv1 messages are handled only by DAs */
810
        errorcode = SLP_ERROR_VER_NOT_SUPPORTED;
810
        errorcode = SLP_ERROR_VER_NOT_SUPPORTED;
811
        return errorcode;
811
    }
812
    }
812
813
813
    /* Parse just the message header the reset the buffer "curpos" pointer */
814
    /* Parse just the message header the reset the buffer "curpos" pointer */
814
    recvbuf->curpos = recvbuf->start;
815
    recvbuf->curpos = recvbuf->start;
815
    errorcode = SLPv1MessageParseHeader(recvbuf, &header);
816
    errorcode = SLPv1MessageParseHeader(recvbuf, &header);
817
    if (errorcode != 0)
818
    {
819
        return errorcode;
820
    }
816
821
817
    /* TRICKY: Duplicate SRVREG recvbufs *before* parsing them   */
822
    /* TRICKY: Duplicate SRVREG recvbufs *before* parsing them   */
818
    /*         it because we are going to keep them in the       */
823
    /*         it because we are going to keep them in the       */
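Review bot: The new `if (errorcode != 0) { return errorcode; }` after `SLPv1MessageParseHeader` drops an SLPv1 message with an unparsable header without any reply, and the first hunk's added `return errorcode;` does the same for the non-DA case; whether the caller turns these codes into an error response or simply discards the message is not visible here. If the protocol path is expected to answer with an error, the return should feed that path; if silent discard is intended, a comment recording it would help, e.g. `/* header unusable: nothing further can be parsed, drop the message */`. The enclosing function begins and ends outside the hunk.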
