openslp-1.1.5.AUD
openslp-1.1.5.AUD (text/plain), 7.62 KB, created by
Sune Kloppenborg Jeppesen (RETIRED)
on 2005-03-01 07:19:00 UTC
(
hide
)
Description:
openslp-1.1.5.AUD
Filename:
MIME Type:
Creator:
Sune Kloppenborg Jeppesen (RETIRED)
Created:
2005-03-01 07:19:00 UTC
Size:
7.62 KB
patch
obsolete
>./slpd/slpd_incoming.c:91: // AUD: who says that a complete message has been received?
>./slpd/slpd_incoming.c-92- switch (SLPDProcessMessage(&sock->peeraddr,
>./slpd/slpd_incoming.c-93- sock->recvbuf,
>./slpd/slpd_incoming.c-94- &(sock->sendbuf)))
>--
>./slpd/slpd_incoming.c:194: // AUD: it trusts the length received from network,
>./slpd/slpd_incoming.c:195: // AUD: it could be 1 or something, which can't hold
>./slpd/slpd_incoming.c:196: // AUD: a complete message, but the parsing below expects
>./slpd/slpd_incoming.c:197: // AUD: complete message and accesses mem out of bounds
>./slpd/slpd_incoming.c:198: // AUD: peek might even not be big enough to hold the length-bytes
>./slpd/slpd_incoming.c-199- if (*peek == 2)
>./slpd/slpd_incoming.c:200: recvlen = AsUINT24(peek + 2);//AUD:unsigned int, but recvlen is signed
>./slpd/slpd_incoming.c-201- else if (*peek == 1) /* SLPv1 packet */
>./slpd/slpd_incoming.c-202- recvlen = AsUINT16(peek + 2);
>./slpd/slpd_incoming.c-203- /* allocate the recvbuf big enough for the whole message */
>--
>./slpd/slpd_incoming.c:629:// AUD: done
>./slpd/slpd_incoming.c-630-
>--
>./slpd/slpd_v1process.c:815: // AUD: errorcode not checked!
the length field from the packet
>./slpd/slpd_v1process.c:816: // AUD: is checked for in the called function and it returns error, but
>./slpd/slpd_v1process.c:817: // AUD: here the error-check is missing
>./slpd/slpd_v1process.c-818- errorcode = SLPv1MessageParseHeader(recvbuf, &header);
>./slpd/slpd_v1process.c-819-
>./slpd/slpd_v1process.c-820- /* TRICKY: Duplicate SRVREG recvbufs *before* parsing them */
>--
>./slpd/slpd_v1process.c:911:// AUD: done
>./slpd/slpd_v1process.c-912-
>--
>./slpd/slpd_knownda.c:1677:// AUD: done
>./slpd/slpd_knownda.c-1678-
>--
>./slpd/slpd_process.c:1502://AUD: done
>./slpd/slpd_process.c-1503-
>--
>./slpd/slpd_log.c:579:// AUD: done
>./slpd/slpd_log.c-580-
>--
>./slpd/slpd_database.c:938:// AUD: done
>./slpd/slpd_database.c-939-
>--
>./slpd/slpd_outgoing.c:89: // AUD: who says that a complete message has been received?
>./slpd/slpd_outgoing.c:90: // AUD: it's only > 0, but might not even contain a complete
>./slpd/slpd_outgoing.c:91: // AUD: header
>./slpd/slpd_outgoing.c-92- SLPDProcessMessage(&(sock->peeraddr),
>./slpd/slpd_outgoing.c-93- sock->recvbuf,
>./slpd/slpd_outgoing.c-94- &(sock->sendbuf));
>--
>./slpd/slpd_outgoing.c:212: // AUD: peek+2 may be out of bounds
>./slpd/slpd_outgoing.c:213: // AUD: the length from buffer might be 1 or 2 (too
>./slpd/slpd_outgoing.c:214: // AUD: small to hold complete message)
>./slpd/slpd_outgoing.c-215- /* allocate the recvbuf big enough for the whole message */
>./slpd/slpd_outgoing.c-216- sock->recvbuf = SLPBufferRealloc(sock->recvbuf,AsUINT24(peek+2));
>./slpd/slpd_outgoing.c-217- if ( sock->recvbuf )
>--
>./slpd/slpd_outgoing.c:261: { // AUD: who says that a complete message was received?
>./slpd/slpd_outgoing.c-262- switch ( SLPDProcessMessage(&(sock->peeraddr),
>./slpd/slpd_outgoing.c-263- sock->recvbuf,
>./slpd/slpd_outgoing.c-264- &(sock->sendbuf)) )
>--
>./slpd/slpd_outgoing.c:677:// AUD: done
>./slpd/slpd_outgoing.c-678-
>--
>./common/slp_network.c:363: { // AUD: buffer might be too small to hold size. Size is also untrusted
>./common/slp_network.c-364- /* allocate the recvmsg big enough for the whole message */
>./common/slp_network.c-365- *buf = SLPBufferRealloc(*buf, AsUINT24(peek + 2));
>./common/slp_network.c-366- if(*buf)
>--
>./common/slp_network.c:416:// AUD: done
>./common/slp_network.c-417-
>--
>./common/slp_message.c:324: { //AUD: the multiplication might overflow to 0?
>./common/slp_message.c-325- srvrply->urlarray = (SLPUrlEntry*)xmalloc(sizeof(SLPUrlEntry) * srvrply->urlcount);
>./common/slp_message.c-326- if(srvrply->urlarray == 0)
>./common/slp_message.c-327- {
>--
>./common/slp_message.c:604: /* make sure that min size is met *///AUD: should be 2+4+2+2+2+2+1
>./common/slp_message.c-605- if(buffer->end - buffer->curpos < 4)
>./common/slp_message.c-606- {
>./common/slp_message.c-607- return SLP_ERROR_PARSE_ERROR;
>--
>./common/slp_message.c:698: /* make sure that min size is met *///AUD: should be 2+2+2+1
>./common/slp_message.c-699- if(buffer->end - buffer->curpos < 4)
>./common/slp_message.c-700- {
>./common/slp_message.c-701- return SLP_ERROR_PARSE_ERROR;
>--
>./common/slp_message.c:1191://AUD:done
>./common/slp_message.c-1192-
>--
>./common/slp_dhcp.c:600: strncpy(ctxp->scopelist, (char*)p, cpysz);//AUD: missing 0-termination if sizeof() is used
>./common/slp_dhcp.c-601- }
>./common/slp_dhcp.c-602- else
>./common/slp_dhcp.c-603- {
>--
>./common/slp_dhcp.c:624: strncpy(ctxp->scopelist, (char*)p, cpysz); // AUD: missing 0-termination
>./common/slp_dhcp.c-625- }
>./common/slp_dhcp.c-626- }
>./common/slp_dhcp.c-627- break;
>--
>./common/slp_dhcp.c:691:// AUD: done
>./common/slp_dhcp.c-692-
>./common/slp_dhcp.c-693-
>--
>./libslp/libslp_reg.c:452:// AUD: done
>./libslp/libslp_reg.c-453-
>--
>./libslp/libslp_findattrs.c:454://AUD: done
>./libslp/libslp_findattrs.c-455-
>--
>./libslp/libslp_delattrs.c:63:// AUD: done
>./libslp/libslp_delattrs.c-64-
>--
>./libslp/libslp_findscopes.c:123:// AUD: done
>./libslp/libslp_findscopes.c-124-
>--
>./libslp/libslp_knownda.c:963:// AUD: done
>./libslp/libslp_knownda.c-964-
>--
>./libslp/libslp_findsrvtypes.c:470:// AUD: done
>./libslp/libslp_findsrvtypes.c-471-
>--
>./libslp/libslp_network.c:980: strcat(prlist,inet_ntoa(peeraddr.sin_addr)); //AUD, we are inside a loop
>./libslp/libslp_network.c-981- prlistlen = strlen(prlist);
>./libslp/libslp_network.c-982- }
>./libslp/libslp_network.c-983- }
>--
>./libslp/libslp_network.c:1245: strcat(prlist,inet_ntoa(peeraddr.sin_addr));//AUD, should be ok, no loop (unicast)
>./libslp/libslp_network.c-1246- prlistlen = strlen(prlist);
>./libslp/libslp_network.c-1247- }
>./libslp/libslp_network.c-1248- }
>--
>./libslp/libslp_network.c:1279:// AUD: done
>./libslp/libslp_network.c-1280-
>--
>./libslp/libslp_parse.c:185: // AUD: there's a logical error in the escaping.
>./libslp/libslp_parse.c:186: // AUD: During the counting of chars which have to be escaped,
>./libslp/libslp_parse.c:187: // AUD: it only checks against ATTRIBUTE_RESERVE_STRING,
>./libslp/libslp_parse.c:188: // AUD: and reserves this amount of memory. However, in the loop
>./libslp/libslp_parse.c:189: // AUD: actually doing the escape (below) it also checks for
>./libslp/libslp_parse.c:190: // AUD: (*current_inbuf == 0x7F) for example. Thus, the buffer
>./libslp/libslp_parse.c:191: // AUD: can be overflowed.
>./libslp/libslp_parse.c-192-
>./libslp/libslp_parse.c-193- /*
>./libslp/libslp_parse.c-194- * Go over it, again.
Replace each of the escape characters with their
>--
>./libslp/libslp_parse.c:429://AUD: done
>./libslp/libslp_parse.c-430-
>--
>./libslp/libslp_property.c:77: // AUD: could cause problems with suid binaries
>./libslp/libslp_property.c-78- #ifdef _WIN32
>./libslp/libslp_property.c-79- ExpandEnvironmentStrings(LIBSLP_CONFFILE,conffile,MAX_PATH);
>./libslp/libslp_property.c-80- #else
>--
>./libslp/libslp_property.c:126:// AUD: done
>./libslp/libslp_property.c-127-
>--
>./libslp/libslp_findsrvs.c:608://AUD: done
>./libslp/libslp_findsrvs.c-609-
>--
>./libslp/libslp_thread.c:69:// AUD: done
>./libslp/libslp_thread.c-70-
>--
>./libslp/libslp_dereg.c:359:// AUD: done
>./libslp/libslp_dereg.c-360-