
openslp-1.0.11-6mdk.src.rpm

--- ./common/slp_message.c.orig	2005-02-15 16:48:20.243994238 +0000
+++ ./common/slp_message.c	2005-02-15 18:17:16.217402037 +0000
@@ -68,6 +68,10 @@
 /* header (IN/OUT) pointer to the header structure to fill out             */
 /*=========================================================================*/
 {
+    if (buffer->end - buffer->start < 2)
+    {
+        return SLP_ERROR_PARSE_ERROR;
+    }
     header->version     = *(buffer->curpos);
     header->functionid  = *(buffer->curpos + 1);
 	
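Review bot: The new guard on line 15 measures `buffer->end - buffer->start`, but the two reads it protects on lines 19-20 dereference `buffer->curpos`, so the bound only holds when the caller has reset curpos to start before calling; the header parser starts outside this hunk and no reset is visible here, although the slpd_v1process.c hunk in this same patch does reset `recvbuf->curpos = recvbuf->start` before its call. Measuring from the pointer that is actually read keeps the check self-contained: `if (buffer->end - buffer->curpos < 2)`. The same start-versus-curpos mismatch applies to the 18-byte check in the next hunk (line 27) and to the 12-byte check in the slp_v1message.c header hunk (line 310). If curpos can legitimately differ from start on entry, the existing `header->length != buffer->end - buffer->start` comparison further down needs the same review.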
@@ -75,6 +79,11 @@
     {
         return SLP_ERROR_VER_NOT_SUPPORTED;
     }
+    /* check for invalid length 18 bytes is the smallest v2 message*/
+    if (buffer->end - buffer->start < 18)
+    {
+        return SLP_ERROR_PARSE_ERROR;
+    }
     header->length      = AsUINT24(buffer->curpos + 2);
     header->flags       = AsUINT16(buffer->curpos + 5);
     header->encoding    = 0; /* not used for SLPv2 */
@@ -89,9 +98,7 @@
         return SLP_ERROR_PARSE_ERROR;
     }
 
-    /* check for invalid length 18 bytes is the smallest v2 message*/
-    if(header->length != buffer->end - buffer->start ||
-       header->length < 18)
+    if(header->length != buffer->end - buffer->start)
     {
         return SLP_ERROR_PARSE_ERROR;
     }
@@ -187,7 +194,7 @@
     /* parse out url */
     urlentry->urllen = AsUINT16(buffer->curpos);
     buffer->curpos = buffer->curpos + 2;
-    if(urlentry->urllen > buffer->end - buffer->curpos)
+    if(urlentry->urllen + 1 > buffer->end - buffer->curpos)
     {
         return SLP_ERROR_PARSE_ERROR;
     }
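Review bot: The `+ 1` added on line 50, and the `+ 2` in the prlist, srvtype, scopelist and predicate hunks that follow (lines 59, 68, 77, 86) as well as the `+ 1`/`+ 2` variants through the srvreg, attrrqst, attrrply, daadvert, saadvert and srvtyperqst hunks, are unexplained offsets; they appear to reserve room for the fixed-size field that follows each variable-length one, but a reader cannot tell from the hunk why one site needs 1 and another 2. A one-line comment on each check, e.g. `/* +1: the fixed field that follows the url must also fit */` (with the field named where known), would stop the next maintainer from "normalising" the constants. The srvdereg taglist hunk (line 134) and the two srvtyperqst scopelist hunks keep the unadjusted comparison, which is consistent only if those are the last fields of their messages; worth confirming, since those functions end outside the hunks.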
@@ -235,7 +242,7 @@
     /* parse the prlist */
     srvrqst->prlistlen = AsUINT16(buffer->curpos);
     buffer->curpos = buffer->curpos + 2;
-    if(srvrqst->prlistlen > buffer->end - buffer->curpos)
+    if(srvrqst->prlistlen + 2 > buffer->end - buffer->curpos)
     {
         return SLP_ERROR_PARSE_ERROR;
     }
@@ -246,7 +253,7 @@
     /* parse the service type */
     srvrqst->srvtypelen = AsUINT16(buffer->curpos);
     buffer->curpos = buffer->curpos + 2;
-    if(srvrqst->srvtypelen > buffer->end - buffer->curpos)
+    if(srvrqst->srvtypelen + 2 > buffer->end - buffer->curpos)
     {
         return SLP_ERROR_PARSE_ERROR;
     }
@@ -257,7 +264,7 @@
     /* parse the scope list */
     srvrqst->scopelistlen = AsUINT16(buffer->curpos);
     buffer->curpos = buffer->curpos + 2;
-    if(srvrqst->scopelistlen > buffer->end - buffer->curpos)
+    if(srvrqst->scopelistlen + 2 > buffer->end - buffer->curpos)
     {
         return SLP_ERROR_PARSE_ERROR;
     }
@@ -269,7 +276,7 @@
     srvrqst->predicatever = 2;  /* SLPv2 predicate (LDAPv3) */
     srvrqst->predicatelen = AsUINT16(buffer->curpos);
     buffer->curpos = buffer->curpos + 2;
-    if(srvrqst->predicatelen > buffer->end - buffer->curpos)
+    if(srvrqst->predicatelen + 2 > buffer->end - buffer->curpos)
     {
         return SLP_ERROR_PARSE_ERROR;
     }
@@ -358,10 +365,14 @@
         return result;
     }
 
+    if(buffer->end - buffer->curpos < 2)
+    {
+        return SLP_ERROR_PARSE_ERROR;
+    }
     /* parse the service type */
     srvreg->srvtypelen = AsUINT16(buffer->curpos);
     buffer->curpos = buffer->curpos + 2;
-    if(srvreg->srvtypelen > buffer->end - buffer->curpos)
+    if(srvreg->srvtypelen + 2 > buffer->end - buffer->curpos)
     {
         return SLP_ERROR_PARSE_ERROR;
     }
@@ -372,7 +383,7 @@
     /* parse the scope list */
     srvreg->scopelistlen = AsUINT16(buffer->curpos);
     buffer->curpos = buffer->curpos + 2;
-    if(srvreg->scopelistlen > buffer->end - buffer->curpos)
+    if(srvreg->scopelistlen + 2 > buffer->end - buffer->curpos)
     {
         return SLP_ERROR_PARSE_ERROR;
     }
@@ -383,7 +394,7 @@
     /* parse the attribute list*/
     srvreg->attrlistlen = AsUINT16(buffer->curpos);
     buffer->curpos = buffer->curpos + 2;
-    if(srvreg->attrlistlen > buffer->end - buffer->curpos)
+    if(srvreg->attrlistlen + 1 > buffer->end - buffer->curpos)
     {
         return SLP_ERROR_PARSE_ERROR;
     }
@@ -447,6 +458,10 @@
     }
 
     /* parse the tag list */
+    if(buffer->end - buffer->curpos < 2)
+    {
+        return SLP_ERROR_PARSE_ERROR;
+    }
     srvdereg->taglistlen = AsUINT16(buffer->curpos);
     buffer->curpos = buffer->curpos + 2;
     if(srvdereg->taglistlen > buffer->end - buffer->curpos)
@@ -482,7 +497,7 @@
     /* parse the prlist */
     attrrqst->prlistlen = AsUINT16(buffer->curpos);
     buffer->curpos = buffer->curpos + 2;
-    if(attrrqst->prlistlen > buffer->end - buffer->curpos)
+    if(attrrqst->prlistlen + 2 > buffer->end - buffer->curpos)
     {
         return SLP_ERROR_PARSE_ERROR;
     }
@@ -492,7 +507,7 @@
     /* parse the url */
     attrrqst->urllen = AsUINT16(buffer->curpos);
     buffer->curpos = buffer->curpos + 2;
-    if(attrrqst->urllen > buffer->end - buffer->curpos)
+    if(attrrqst->urllen + 2 > buffer->end - buffer->curpos)
     {
         return SLP_ERROR_PARSE_ERROR;
     }
@@ -503,7 +518,7 @@
     /* parse the scope list */
     attrrqst->scopelistlen = AsUINT16(buffer->curpos);
     buffer->curpos = buffer->curpos + 2;
-    if(attrrqst->scopelistlen > buffer->end - buffer->curpos)
+    if(attrrqst->scopelistlen + 2 > buffer->end - buffer->curpos)
     {
         return SLP_ERROR_PARSE_ERROR;
     }
@@ -514,7 +529,7 @@
     /* parse the taglist string */
     attrrqst->taglistlen = AsUINT16(buffer->curpos);
     buffer->curpos = buffer->curpos + 2;
-    if(attrrqst->taglistlen > buffer->end - buffer->curpos)
+    if(attrrqst->taglistlen + 2 > buffer->end - buffer->curpos)
     {
         return SLP_ERROR_PARSE_ERROR;
     }
@@ -563,7 +578,7 @@
     /* parse out the attrlist */
     attrrply->attrlistlen = AsUINT16(buffer->curpos);
     buffer->curpos = buffer->curpos + 2;
-    if(attrrply->attrlistlen > buffer->end - buffer->curpos)
+    if(attrrply->attrlistlen + 1 > buffer->end - buffer->curpos)
     {
         return SLP_ERROR_PARSE_ERROR;
     }
@@ -619,13 +634,17 @@
     buffer->curpos = buffer->curpos + 2;
 
     /* parse out the bootstamp */
+    if(buffer->end - buffer->curpos < 6)
+    {
+        return SLP_ERROR_PARSE_ERROR;
+    }
     daadvert->bootstamp = AsUINT32(buffer->curpos);
     buffer->curpos = buffer->curpos + 4;
 
     /* parse out the url */
     daadvert->urllen = AsUINT16(buffer->curpos);
     buffer->curpos = buffer->curpos + 2;
-    if(daadvert->urllen > buffer->end - buffer->curpos)
+    if(daadvert->urllen + 2 > buffer->end - buffer->curpos)
     {
         return SLP_ERROR_PARSE_ERROR;
     }
@@ -635,7 +654,7 @@
     /* parse the scope list */
     daadvert->scopelistlen = AsUINT16(buffer->curpos);
     buffer->curpos = buffer->curpos + 2;
-    if(daadvert->scopelistlen > buffer->end - buffer->curpos)
+    if(daadvert->scopelistlen + 2 > buffer->end - buffer->curpos)
     {
         return SLP_ERROR_PARSE_ERROR;
     }
@@ -645,7 +664,7 @@
     /* parse the attr list */
     daadvert->attrlistlen = AsUINT16(buffer->curpos);
     buffer->curpos = buffer->curpos + 2;
-    if(daadvert->attrlistlen > buffer->end - buffer->curpos)
+    if(daadvert->attrlistlen + 2 > buffer->end - buffer->curpos)
     {
         return SLP_ERROR_PARSE_ERROR;
     }
@@ -655,7 +674,7 @@
     /* parse the SPI list */
     daadvert->spilistlen = AsUINT16(buffer->curpos);
     buffer->curpos = buffer->curpos + 2;
-    if(daadvert->spilistlen > buffer->end - buffer->curpos)
+    if(daadvert->spilistlen + 1 > buffer->end - buffer->curpos)
     {
         return SLP_ERROR_PARSE_ERROR;
     }
@@ -704,7 +723,7 @@
     /* parse out the url */
     saadvert->urllen = AsUINT16(buffer->curpos);
     buffer->curpos = buffer->curpos + 2;
-    if(saadvert->urllen > buffer->end - buffer->curpos)
+    if(saadvert->urllen + 2 > buffer->end - buffer->curpos)
     {
         return SLP_ERROR_PARSE_ERROR;
     }
@@ -714,7 +733,7 @@
     /* parse the scope list */
     saadvert->scopelistlen = AsUINT16(buffer->curpos);
     buffer->curpos = buffer->curpos + 2;
-    if(saadvert->scopelistlen > buffer->end - buffer->curpos)
+    if(saadvert->scopelistlen + 2 > buffer->end - buffer->curpos)
     {
         return SLP_ERROR_PARSE_ERROR;
     }
@@ -724,7 +743,7 @@
     /* parse the attr list */
     saadvert->attrlistlen = AsUINT16(buffer->curpos);
     buffer->curpos = buffer->curpos + 2;
-    if(saadvert->attrlistlen > buffer->end - buffer->curpos)
+    if(saadvert->attrlistlen + 1 > buffer->end - buffer->curpos)
     {
         return SLP_ERROR_PARSE_ERROR;
     }
@@ -769,7 +788,7 @@
     /* parse the prlist */
     srvtyperqst->prlistlen = AsUINT16(buffer->curpos);
     buffer->curpos += 2;
-    if(srvtyperqst->prlistlen > buffer->end - buffer->curpos)
+    if(srvtyperqst->prlistlen + 2 > buffer->end - buffer->curpos)
     {
         return SLP_ERROR_PARSE_ERROR;
     }
@@ -794,6 +813,10 @@
     }
 
     /* parse the scope list */
+    if(buffer->end - buffer->curpos < 2)
+    {
+        return SLP_ERROR_PARSE_ERROR;
+    }
     srvtyperqst->scopelistlen = AsUINT16(buffer->curpos);
     buffer->curpos += 2;
     if(srvtyperqst->scopelistlen > buffer->end - buffer->curpos)
--- ./common/slp_network.c.audit	2003-03-05 09:04:55.000000000 -0700
+++ ./common/slp_network.c	2005-03-14 12:09:19.067942416 -0700
@@ -315,7 +315,7 @@
 /*               EINVAL parse error                                        */
 /*=========================================================================*/ 
 {
-    int         xferbytes;
+    int         xferbytes, recvlen;
     fd_set      readfds;
     char        peek[16];
     int         peeraddrlen = sizeof(struct sockaddr_in);
@@ -374,13 +374,17 @@
     /* Read the rest of the message */
     /*------------------------------*/
     /* check the version */
-    if(*peek == 2)
+    if(xferbytes >= 5 && *peek == 2)
     {
         /* Check the buffer size to make sure it is sane */
         if(AsUINT24(peek + 2) < 0xffff)
         {
             /* allocate the recvmsg big enough for the whole message */
-            *buf = SLPBufferRealloc(*buf, AsUINT24(peek + 2));
+            recvlen = AsUINT24(peek + 2);
+            /* one byte is minimum */
+            if (recvlen <= 0)
+                recvlen = 1;
+            *buf = SLPBufferRealloc(*buf, recvlen);
             if(*buf)
             {
                 while((*buf)->curpos < (*buf)->end)
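Review bot: The clamp on lines 298-299 turns a zero length into a 1-byte allocation, but any declared length from 1 to 17 still passes this stage even though the same patch declares 18 bytes the smallest v2 message in slp_message.c; the result is a buffer that is allocated and read into only to be rejected by the parser. Rejecting undersized lengths here, `if (recvlen < 18) { /* smaller than a v2 header */ ... }`, with the same handling the `>= 0xffff` case presumably gets (its else branch is outside the hunk), would avoid the extra allocation and read. The same clamp is added in slpd_incoming.c (line 491) and slpd_outgoing.c (line 521); slpd_incoming.c also accepts v1 messages, for which the slp_v1message.c hunk gives 12 as the minimum. The enclosing function starts and ends outside the hunk.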
--- ./common/slp_v1message.c.orig	2005-02-15 16:52:12.613798586 +0000
+++ ./common/slp_v1message.c	2005-02-15 18:26:47.632848004 +0000
@@ -60,6 +60,11 @@
 /*            SLP_ERROR_PARSE_ERROR.                                       */
 /*=========================================================================*/
 {
+    if (buffer->end - buffer->start < 12)
+    {
+        /* invalid length 12 bytes is the smallest v1 message*/
+        return SLP_ERROR_PARSE_ERROR;
+    }
     header->version     = *(buffer->curpos);
     header->functionid  = *(buffer->curpos + 1);
 	
@@ -85,10 +90,8 @@
         return SLP_ERROR_CHARSET_NOT_UNDERSTOOD;
     }
 
-    if(header->length != buffer->end - buffer->start ||
-       header->length < 12)
+    if(header->length != buffer->end - buffer->start)
     {
-        /* invalid length 12 bytes is the smallest v1 message*/
         return SLP_ERROR_PARSE_ERROR;
     }
 
@@ -114,7 +117,7 @@
     int result;
 
     /* make sure that min size is met */
-    if(buffer->end - buffer->curpos < 6)
+    if(buffer->end - buffer->curpos < 4)
     {
         return SLP_ERROR_PARSE_ERROR;
     }
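Review bot: Lowering the up-front minimum from 6 to 4 on line 335, and from 10 to 4 on line 344 in the next hunk, is only safe if every fixed-size read that follows re-verifies the remaining length first; the `+ 2` adjustments in the later hunks cover the length prefix after each string, but both functions start outside their hunks and the reads between this check and the first string are not visible. A comment naming the fields the 4 bytes account for would make the constant auditable, e.g. `/* 4: the two fixed 16-bit fields read before the first string */`, adjusted to whatever the function actually reads. As it stands the number has changed twice without any note of what it bounds.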
@@ -160,7 +163,7 @@
     int result;
 
     /* make sure that min size is met */
-    if(buffer->end - buffer->curpos < 10)
+    if(buffer->end - buffer->curpos < 4)
     {
         return SLP_ERROR_PARSE_ERROR;
     }
@@ -168,7 +171,7 @@
     /* parse the prlist */
     srvrqst->prlistlen = AsUINT16(buffer->curpos);
     buffer->curpos = buffer->curpos + 2;
-    if(srvrqst->prlistlen > buffer->end - buffer->curpos)
+    if(srvrqst->prlistlen + 2 > buffer->end - buffer->curpos)
     {
         return SLP_ERROR_PARSE_ERROR;
     }
@@ -272,6 +275,10 @@
     srvreg->srvtypelen = tmp - srvreg->srvtype;
 
     /* parse the attribute list */
+    if(buffer->end - buffer->curpos < 2)
+    {
+        return SLP_ERROR_PARSE_ERROR;
+    }
     srvreg->attrlistlen = AsUINT16(buffer->curpos);
     buffer->curpos = buffer->curpos + 2;
     if(srvreg->attrlistlen > buffer->end - buffer->curpos)
@@ -335,7 +342,7 @@
     srvdereg->urlentry.lifetime = 0; /* not present in SLPv1 */
     srvdereg->urlentry.urllen = AsUINT16(buffer->curpos);
     buffer->curpos += 2;
-    if(srvdereg->urlentry.urllen > buffer->end - buffer->curpos)
+    if(srvdereg->urlentry.urllen + 2 > buffer->end - buffer->curpos)
     {
         return SLP_ERROR_PARSE_ERROR;
     }
@@ -381,7 +388,7 @@
     /* parse the prlist */
     attrrqst->prlistlen = AsUINT16(buffer->curpos);
     buffer->curpos = buffer->curpos + 2;
-    if(attrrqst->prlistlen > buffer->end - buffer->curpos)
+    if(attrrqst->prlistlen + 2 > buffer->end - buffer->curpos)
     {
         return SLP_ERROR_PARSE_ERROR;
     }
@@ -396,7 +403,7 @@
     /* parse the url */
     attrrqst->urllen = AsUINT16(buffer->curpos);
     buffer->curpos = buffer->curpos + 2;
-    if(attrrqst->urllen > buffer->end - buffer->curpos)
+    if(attrrqst->urllen + 2 > buffer->end - buffer->curpos)
     {
         return SLP_ERROR_PARSE_ERROR;
     }
@@ -411,7 +418,7 @@
     /* parse the scope list */
     attrrqst->scopelistlen = AsUINT16(buffer->curpos);
     buffer->curpos = buffer->curpos + 2;
-    if(attrrqst->scopelistlen > buffer->end - buffer->curpos)
+    if(attrrqst->scopelistlen + 2 > buffer->end - buffer->curpos)
     {
         return SLP_ERROR_PARSE_ERROR;
     }
@@ -469,7 +476,7 @@
     /* parse the prlist */
     srvtyperqst->prlistlen = AsUINT16(buffer->curpos);
     buffer->curpos += 2;
-    if(srvtyperqst->prlistlen > buffer->end - buffer->curpos)
+    if(srvtyperqst->prlistlen + 2 > buffer->end - buffer->curpos)
     {
         return SLP_ERROR_PARSE_ERROR;
     }
@@ -504,6 +511,10 @@
     }
 
     /* parse the scope list */
+    if(buffer->end - buffer->curpos < 2)
+    {
+        return SLP_ERROR_PARSE_ERROR;
+    }
     srvtyperqst->scopelistlen = AsUINT16(buffer->curpos);
     buffer->curpos += 2;
     if(srvtyperqst->scopelistlen > buffer->end - buffer->curpos)
--- ./libslp/libslp_parse.c.orig	2005-02-15 18:39:01.505072256 +0000
+++ ./libslp/libslp_parse.c	2005-02-15 18:41:21.510075488 +0000
@@ -168,7 +168,10 @@
         if((isTag) && strchr(ATTRIBUTE_BAD_TAG, *current_inbuf))
             return(SLP_PARSE_ERROR);
 
-        if(strchr(ATTRIBUTE_RESERVE_STRING, *current_inbuf))
+        if((strchr(ATTRIBUTE_RESERVE_STRING, *current_inbuf)) || 
+           ((*current_inbuf >= 0x00) && (*current_inbuf <= 0x1F)) ||
+           (*current_inbuf == 0x7F)
+          )
             amount_of_escape_characters++;
 
         current_inbuf++;
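Review bot: The counting loop now adds control characters (0x00-0x1F and 0x7F) to `amount_of_escape_characters`, so the output buffer sized from that count matches the output only if the writing pass that follows (outside this hunk) escapes exactly the same set; a count above the real output merely over-allocates, but a count below it under-sizes the buffer, so the two passes should share one predicate, e.g. a `static int needs_escape(unsigned char c)` helper used by both. Separately, `*current_inbuf >= 0x00` on line 432 is a tautology where `char` is unsigned and excludes bytes at or above 0x80 where it is signed, so the condition reads differently per platform; comparing through `(unsigned char)*current_inbuf` states the intent once and also gives `strchr` a non-negative value. The enclosing loop starts outside the hunk.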
--- ./slpd/slpd_incoming.c.audit	2002-05-01 09:47:21.000000000 -0600
+++ ./slpd/slpd_incoming.c	2005-03-14 12:19:13.264542709 -0700
@@ -189,26 +189,28 @@
                              MSG_PEEK,
                              (struct sockaddr *)&(sock->peeraddr),
                              &peeraddrlen);
-        if (bytesread <= 0)
+        if (bytesread > 0 && bytesread >= (*peek == 2 ? 5 : 4))
         {
-            sock->state = SOCKET_CLOSE;
-            return;
-        }
-
-        if (*peek == 2)
-        {
-            recvlen = AsUINT24(peek + 2);
-        }
-        else if (*peek == 1) /* SLPv1 packet */
-        {
-            recvlen = AsUINT16(peek + 2);
+            if (*peek == 2)
+            {
+                recvlen = AsUINT24(peek + 2);
+            }
+            else if (*peek == 1) /* SLPv1 packet */
+            {
+                recvlen = AsUINT16(peek + 2);
+            }
+            else
+            {
+                /* Version not supported */
+                SLPDLog("WARNING - Version %i not supported from %s",
+                        *peek,    
+                        inet_ntoa(sock->peeraddr.sin_addr));
+                sock->state = SOCKET_CLOSE;
+                return;
+            }
         }
         else
         {
-            /* Version not supported */
-            SLPDLog("WARNING - Version %i not supported from %s",
-                    *peek,    
-                    inet_ntoa(sock->peeraddr.sin_addr));
             sock->state = SOCKET_CLOSE;
             return;
         }
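Review bot: With the new condition on line 445, a peek that returns fewer than 5 bytes (4 for v1) falls into the else branch on lines 476-484 and closes the socket; on a TCP stream the rest of the header may simply not have arrived yet, so a slow but well-formed peer is now dropped where the unpatched code waited for data. That branch is also silent, while the unsupported-version case keeps its `SLPDLog`, so a short read and a protocol error are indistinguishable in the log; an `SLPDLog("WARNING - short read from %s", ...)` there, or a retry path for the `bytesread > 0` case (which needs care, since leaving the bytes unread re-triggers the readable event), would separate them. The same pattern appears in slpd_outgoing.c (line 512 and the trailing else on lines 540-543), where the new else additionally uses a tab for indentation while the surrounding lines use spaces.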
@@ -222,6 +224,10 @@
             sock->state = SOCKET_CLOSE;
             return;
         }
+        
+        /* one byte is minimum */
+        if (recvlen <= 0)
+            recvlen = 1;
 
         /* allocate the recvbuf big enough for the whole message */
         sock->recvbuf = SLPBufferRealloc(sock->recvbuf,recvlen);
@@ -270,7 +276,7 @@
         }
         else
         {
-            /* error in recv() */
+            /* error in recv() or eof */
             sock->state = SOCKET_CLOSE;
         }
     }
--- ./slpd/slpd_outgoing.c.audit	2002-05-01 09:47:21.000000000 -0600
+++ ./slpd/slpd_outgoing.c	2005-03-14 12:24:35.433451033 -0700
@@ -206,7 +206,7 @@
                              MSG_PEEK,
                              (struct sockaddr *)&(sock->peeraddr),
                              &peeraddrlen);
-        if ( bytesread > 0 )
+        if ( bytesread >= 5 && *peek == 2 )
         {
             
             /* Check the version */
@@ -239,6 +239,10 @@
                 return;
             }
             
+            /* one byte is minimum */
+            if (recvlen <= 0)
+                recvlen = 1;
+            
             /* allocate the recvbuf big enough for the whole message */
             sock->recvbuf = SLPBufferRealloc(sock->recvbuf,recvlen);
             if ( sock->recvbuf )
@@ -251,7 +255,7 @@
                 sock->state = SOCKET_CLOSE;
             }
         }
-        else
+        else if ( bytesread == -1 )
         {
 #ifdef WIN32
             if ( WSAEWOULDBLOCK != WSAGetLastError() )
@@ -264,6 +268,10 @@
                 OutgoingStreamReconnect(socklist,sock);
             }
         }       
+        else
+	{
+            sock->state = SOCKET_CLOSE;
+	}
     }
 
     if ( sock->state == STREAM_READ )
--- ./slpd/slpd_v1process.c.orig	2005-02-15 17:05:42.710057099 +0000
+++ ./slpd/slpd_v1process.c	2005-02-15 17:29:06.518563216 +0000
@@ -808,11 +808,16 @@
     {
         /* SLPv1 messages are handled only by DAs */
         errorcode = SLP_ERROR_VER_NOT_SUPPORTED;
+        return errorcode;
     }
 
     /* Parse just the message header the reset the buffer "curpos" pointer */
     recvbuf->curpos = recvbuf->start;
     errorcode = SLPv1MessageParseHeader(recvbuf, &header);
+    if (errorcode != 0)
+    {
+        return errorcode;
+    }
 
     /* TRICKY: Duplicate SRVREG recvbufs *before* parsing them   */
     /*         it because we are going to keep them in the       */
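Review bot: The early `return errorcode;` added on line 553 changes the unsupported-version path from "set errorcode and keep going" to "leave immediately", so whatever the remainder of the function did with a non-zero errorcode (for instance producing an error reply) no longer happens for SLPv1 requests on a non-DA; the function ends outside the hunk, so please confirm the caller either replies itself or that dropping the request silently is intended. The check on lines 559-562 is the right fix for the header parse, since `header` would otherwise be consumed partially filled. A short comment on line 553 stating whether a reply is expected on this path would record the decision.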