--- ./common/slp_message.c.orig 2005-02-15 16:48:20.243994238 +0000 +++ ./common/slp_message.c 2005-02-15 18:17:16.217402037 +0000 @@ -68,6 +68,10 @@ /* header (IN/OUT) pointer to the header structure to fill out */ /*=========================================================================*/ { + if (buffer->end - buffer->start < 2) + { + return SLP_ERROR_PARSE_ERROR; + } header->version = *(buffer->curpos); header->functionid = *(buffer->curpos + 1); @@ -75,6 +79,11 @@ { return SLP_ERROR_VER_NOT_SUPPORTED; } + /* check for invalid length 18 bytes is the smallest v2 message*/ + if (buffer->end - buffer->start < 18) + { + return SLP_ERROR_PARSE_ERROR; + } header->length = AsUINT24(buffer->curpos + 2); header->flags = AsUINT16(buffer->curpos + 5); header->encoding = 0; /* not used for SLPv2 */ @@ -89,9 +98,7 @@ return SLP_ERROR_PARSE_ERROR; } - /* check for invalid length 18 bytes is the smallest v2 message*/ - if(header->length != buffer->end - buffer->start || - header->length < 18) + if(header->length != buffer->end - buffer->start) { return SLP_ERROR_PARSE_ERROR; } @@ -187,7 +194,7 @@ /* parse out url */ urlentry->urllen = AsUINT16(buffer->curpos); buffer->curpos = buffer->curpos + 2; - if(urlentry->urllen > buffer->end - buffer->curpos) + if(urlentry->urllen + 1 > buffer->end - buffer->curpos) { return SLP_ERROR_PARSE_ERROR; } @@ -235,7 +242,7 @@ /* parse the prlist */ srvrqst->prlistlen = AsUINT16(buffer->curpos); buffer->curpos = buffer->curpos + 2; - if(srvrqst->prlistlen > buffer->end - buffer->curpos) + if(srvrqst->prlistlen + 2 > buffer->end - buffer->curpos) { return SLP_ERROR_PARSE_ERROR; } @@ -246,7 +253,7 @@ /* parse the service type */ srvrqst->srvtypelen = AsUINT16(buffer->curpos); buffer->curpos = buffer->curpos + 2; - if(srvrqst->srvtypelen > buffer->end - buffer->curpos) + if(srvrqst->srvtypelen + 2 > buffer->end - buffer->curpos) { return SLP_ERROR_PARSE_ERROR; } @@ -257,7 +264,7 @@ /* parse the scope list */ srvrqst->scopelistlen = AsUINT16(buffer->curpos); buffer->curpos = buffer->curpos + 2; - if(srvrqst->scopelistlen > buffer->end - buffer->curpos) + if(srvrqst->scopelistlen + 2 > buffer->end - buffer->curpos) { return SLP_ERROR_PARSE_ERROR; } @@ -269,7 +276,7 @@ srvrqst->predicatever = 2; /* SLPv2 predicate (LDAPv3) */ srvrqst->predicatelen = AsUINT16(buffer->curpos); buffer->curpos = buffer->curpos + 2; - if(srvrqst->predicatelen > buffer->end - buffer->curpos) + if(srvrqst->predicatelen + 2 > buffer->end - buffer->curpos) { return SLP_ERROR_PARSE_ERROR; } @@ -358,10 +365,14 @@ return result; } + if(buffer->end - buffer->curpos < 2) + { + return SLP_ERROR_PARSE_ERROR; + } /* parse the service type */ srvreg->srvtypelen = AsUINT16(buffer->curpos); buffer->curpos = buffer->curpos + 2; - if(srvreg->srvtypelen > buffer->end - buffer->curpos) + if(srvreg->srvtypelen + 2 > buffer->end - buffer->curpos) { return SLP_ERROR_PARSE_ERROR; } @@ -372,7 +383,7 @@ /* parse the scope list */ srvreg->scopelistlen = AsUINT16(buffer->curpos); buffer->curpos = buffer->curpos + 2; - if(srvreg->scopelistlen > buffer->end - buffer->curpos) + if(srvreg->scopelistlen + 2 > buffer->end - buffer->curpos) { return SLP_ERROR_PARSE_ERROR; } @@ -383,7 +394,7 @@ /* parse the attribute list*/ srvreg->attrlistlen = AsUINT16(buffer->curpos); buffer->curpos = buffer->curpos + 2; - if(srvreg->attrlistlen > buffer->end - buffer->curpos) + if(srvreg->attrlistlen + 1 > buffer->end - buffer->curpos) { return SLP_ERROR_PARSE_ERROR; } @@ -447,6 +458,10 @@ } /* parse the tag list */ + if(buffer->end - buffer->curpos < 2) + { + return SLP_ERROR_PARSE_ERROR; + } srvdereg->taglistlen = AsUINT16(buffer->curpos); buffer->curpos = buffer->curpos + 2; if(srvdereg->taglistlen > buffer->end - buffer->curpos) @@ -482,7 +497,7 @@ /* parse the prlist */ attrrqst->prlistlen = AsUINT16(buffer->curpos); buffer->curpos = buffer->curpos + 2; - if(attrrqst->prlistlen > buffer->end - buffer->curpos) + if(attrrqst->prlistlen + 2 > buffer->end - buffer->curpos) { return SLP_ERROR_PARSE_ERROR; } @@ -492,7 +507,7 @@ /* parse the url */ attrrqst->urllen = AsUINT16(buffer->curpos); buffer->curpos = buffer->curpos + 2; - if(attrrqst->urllen > buffer->end - buffer->curpos) + if(attrrqst->urllen + 2 > buffer->end - buffer->curpos) { return SLP_ERROR_PARSE_ERROR; } @@ -503,7 +518,7 @@ /* parse the scope list */ attrrqst->scopelistlen = AsUINT16(buffer->curpos); buffer->curpos = buffer->curpos + 2; - if(attrrqst->scopelistlen > buffer->end - buffer->curpos) + if(attrrqst->scopelistlen + 2 > buffer->end - buffer->curpos) { return SLP_ERROR_PARSE_ERROR; } @@ -514,7 +529,7 @@ /* parse the taglist string */ attrrqst->taglistlen = AsUINT16(buffer->curpos); buffer->curpos = buffer->curpos + 2; - if(attrrqst->taglistlen > buffer->end - buffer->curpos) + if(attrrqst->taglistlen + 2 > buffer->end - buffer->curpos) { return SLP_ERROR_PARSE_ERROR; } @@ -563,7 +578,7 @@ /* parse out the attrlist */ attrrply->attrlistlen = AsUINT16(buffer->curpos); buffer->curpos = buffer->curpos + 2; - if(attrrply->attrlistlen > buffer->end - buffer->curpos) + if(attrrply->attrlistlen + 1 > buffer->end - buffer->curpos) { return SLP_ERROR_PARSE_ERROR; } @@ -619,13 +634,17 @@ buffer->curpos = buffer->curpos + 2; /* parse out the bootstamp */ + if(buffer->end - buffer->curpos < 6) + { + return SLP_ERROR_PARSE_ERROR; + } daadvert->bootstamp = AsUINT32(buffer->curpos); buffer->curpos = buffer->curpos + 4; /* parse out the url */ daadvert->urllen = AsUINT16(buffer->curpos); buffer->curpos = buffer->curpos + 2; - if(daadvert->urllen > buffer->end - buffer->curpos) + if(daadvert->urllen + 2 > buffer->end - buffer->curpos) { return SLP_ERROR_PARSE_ERROR; } @@ -635,7 +654,7 @@ /* parse the scope list */ daadvert->scopelistlen = AsUINT16(buffer->curpos); buffer->curpos = buffer->curpos + 2; - if(daadvert->scopelistlen > buffer->end - buffer->curpos) + if(daadvert->scopelistlen + 2 > buffer->end - buffer->curpos) { return SLP_ERROR_PARSE_ERROR; } @@ -645,7 +664,7 @@ /* parse the attr list */ daadvert->attrlistlen = AsUINT16(buffer->curpos); buffer->curpos = buffer->curpos + 2; - if(daadvert->attrlistlen > buffer->end - buffer->curpos) + if(daadvert->attrlistlen + 2 > buffer->end - buffer->curpos) { return SLP_ERROR_PARSE_ERROR; } @@ -655,7 +674,7 @@ /* parse the SPI list */ daadvert->spilistlen = AsUINT16(buffer->curpos); buffer->curpos = buffer->curpos + 2; - if(daadvert->spilistlen > buffer->end - buffer->curpos) + if(daadvert->spilistlen + 1 > buffer->end - buffer->curpos) { return SLP_ERROR_PARSE_ERROR; } @@ -704,7 +723,7 @@ /* parse out the url */ saadvert->urllen = AsUINT16(buffer->curpos); buffer->curpos = buffer->curpos + 2; - if(saadvert->urllen > buffer->end - buffer->curpos) + if(saadvert->urllen + 2 > buffer->end - buffer->curpos) { return SLP_ERROR_PARSE_ERROR; } @@ -714,7 +733,7 @@ /* parse the scope list */ saadvert->scopelistlen = AsUINT16(buffer->curpos); buffer->curpos = buffer->curpos + 2; - if(saadvert->scopelistlen > buffer->end - buffer->curpos) + if(saadvert->scopelistlen + 2 > buffer->end - buffer->curpos) { return SLP_ERROR_PARSE_ERROR; } @@ -724,7 +743,7 @@ /* parse the attr list */ saadvert->attrlistlen = AsUINT16(buffer->curpos); buffer->curpos = buffer->curpos + 2; - if(saadvert->attrlistlen > buffer->end - buffer->curpos) + if(saadvert->attrlistlen + 1 > buffer->end - buffer->curpos) { return SLP_ERROR_PARSE_ERROR; } @@ -769,7 +788,7 @@ /* parse the prlist */ srvtyperqst->prlistlen = AsUINT16(buffer->curpos); buffer->curpos += 2; - if(srvtyperqst->prlistlen > buffer->end - buffer->curpos) + if(srvtyperqst->prlistlen + 2 > buffer->end - buffer->curpos) { return SLP_ERROR_PARSE_ERROR; } @@ -794,6 +813,10 @@ } /* parse the scope list */ + if(buffer->end - buffer->curpos < 2) + { + return SLP_ERROR_PARSE_ERROR; + } srvtyperqst->scopelistlen = AsUINT16(buffer->curpos); buffer->curpos += 2; if(srvtyperqst->scopelistlen > buffer->end - buffer->curpos) --- ./common/slp_network.c.audit 2003-03-05 09:04:55.000000000 -0700 +++ ./common/slp_network.c 2005-03-14 12:09:19.067942416 -0700 @@ -315,7 +315,7 @@ /* EINVAL parse error */ /*=========================================================================*/ { - int xferbytes; + int xferbytes, recvlen; fd_set readfds; char peek[16]; int peeraddrlen = sizeof(struct sockaddr_in); @@ -374,13 +374,17 @@ /* Read the rest of the message */ /*------------------------------*/ /* check the version */ - if(*peek == 2) + if(xferbytes >= 5 && *peek == 2) { /* Check the buffer size to make sure it is sane */ if(AsUINT24(peek + 2) < 0xffff) { /* allocate the recvmsg big enough for the whole message */ - *buf = SLPBufferRealloc(*buf, AsUINT24(peek + 2)); + recvlen = AsUINT24(peek + 2); + /* one byte is minimum */ + if (recvlen <= 0) + recvlen = 1; + *buf = SLPBufferRealloc(*buf, recvlen); if(*buf) { while((*buf)->curpos < (*buf)->end) --- ./common/slp_v1message.c.orig 2005-02-15 16:52:12.613798586 +0000 +++ ./common/slp_v1message.c 2005-02-15 18:26:47.632848004 +0000 @@ -60,6 +60,11 @@ /* SLP_ERROR_PARSE_ERROR. */ /*=========================================================================*/ { + if (buffer->end - buffer->start < 12) + { + /* invalid length 12 bytes is the smallest v1 message*/ + return SLP_ERROR_PARSE_ERROR; + } header->version = *(buffer->curpos); header->functionid = *(buffer->curpos + 1); @@ -85,10 +90,8 @@ return SLP_ERROR_CHARSET_NOT_UNDERSTOOD; } - if(header->length != buffer->end - buffer->start || - header->length < 12) + if(header->length != buffer->end - buffer->start) { - /* invalid length 12 bytes is the smallest v1 message*/ return SLP_ERROR_PARSE_ERROR; } @@ -114,7 +117,7 @@ int result; /* make sure that min size is met */ - if(buffer->end - buffer->curpos < 6) + if(buffer->end - buffer->curpos < 4) { return SLP_ERROR_PARSE_ERROR; } @@ -160,7 +163,7 @@ int result; /* make sure that min size is met */ - if(buffer->end - buffer->curpos < 10) + if(buffer->end - buffer->curpos < 4) { return SLP_ERROR_PARSE_ERROR; } @@ -168,7 +171,7 @@ /* parse the prlist */ srvrqst->prlistlen = AsUINT16(buffer->curpos); buffer->curpos = buffer->curpos + 2; - if(srvrqst->prlistlen > buffer->end - buffer->curpos) + if(srvrqst->prlistlen + 2 > buffer->end - buffer->curpos) { return SLP_ERROR_PARSE_ERROR; } @@ -272,6 +275,10 @@ srvreg->srvtypelen = tmp - srvreg->srvtype; /* parse the attribute list */ + if(buffer->end - buffer->curpos < 2) + { + return SLP_ERROR_PARSE_ERROR; + } srvreg->attrlistlen = AsUINT16(buffer->curpos); buffer->curpos = buffer->curpos + 2; if(srvreg->attrlistlen > buffer->end - buffer->curpos) @@ -335,7 +342,7 @@ srvdereg->urlentry.lifetime = 0; /* not present in SLPv1 */ srvdereg->urlentry.urllen = AsUINT16(buffer->curpos); buffer->curpos += 2; - if(srvdereg->urlentry.urllen > buffer->end - buffer->curpos) + if(srvdereg->urlentry.urllen + 2 > buffer->end - buffer->curpos) { return SLP_ERROR_PARSE_ERROR; } @@ -381,7 +388,7 @@ /* parse the prlist */ attrrqst->prlistlen = AsUINT16(buffer->curpos); buffer->curpos = buffer->curpos + 2; - if(attrrqst->prlistlen > buffer->end - buffer->curpos) + if(attrrqst->prlistlen + 2 > buffer->end - buffer->curpos) { return SLP_ERROR_PARSE_ERROR; } @@ -396,7 +403,7 @@ /* parse the url */ attrrqst->urllen = AsUINT16(buffer->curpos); buffer->curpos = buffer->curpos + 2; - if(attrrqst->urllen > buffer->end - buffer->curpos) + if(attrrqst->urllen + 2 > buffer->end - buffer->curpos) { return SLP_ERROR_PARSE_ERROR; } @@ -411,7 +418,7 @@ /* parse the scope list */ attrrqst->scopelistlen = AsUINT16(buffer->curpos); buffer->curpos = buffer->curpos + 2; - if(attrrqst->scopelistlen > buffer->end - buffer->curpos) + if(attrrqst->scopelistlen + 2 > buffer->end - buffer->curpos) { return SLP_ERROR_PARSE_ERROR; } @@ -469,7 +476,7 @@ /* parse the prlist */ srvtyperqst->prlistlen = AsUINT16(buffer->curpos); buffer->curpos += 2; - if(srvtyperqst->prlistlen > buffer->end - buffer->curpos) + if(srvtyperqst->prlistlen + 2 > buffer->end - buffer->curpos) { return SLP_ERROR_PARSE_ERROR; } @@ -504,6 +511,10 @@ } /* parse the scope list */ + if(buffer->end - buffer->curpos < 2) + { + return SLP_ERROR_PARSE_ERROR; + } srvtyperqst->scopelistlen = AsUINT16(buffer->curpos); buffer->curpos += 2; if(srvtyperqst->scopelistlen > buffer->end - buffer->curpos) --- ./libslp/libslp_parse.c.orig 2005-02-15 18:39:01.505072256 +0000 +++ ./libslp/libslp_parse.c 2005-02-15 18:41:21.510075488 +0000 @@ -168,7 +168,10 @@ if((isTag) && strchr(ATTRIBUTE_BAD_TAG, *current_inbuf)) return(SLP_PARSE_ERROR); - if(strchr(ATTRIBUTE_RESERVE_STRING, *current_inbuf)) + if((strchr(ATTRIBUTE_RESERVE_STRING, *current_inbuf)) || + ((*current_inbuf >= 0x00) && (*current_inbuf <= 0x1F)) || + (*current_inbuf == 0x7F) + ) amount_of_escape_characters++; current_inbuf++; --- ./slpd/slpd_incoming.c.audit 2002-05-01 09:47:21.000000000 -0600 +++ ./slpd/slpd_incoming.c 2005-03-14 12:19:13.264542709 -0700 @@ -189,26 +189,28 @@ MSG_PEEK, (struct sockaddr *)&(sock->peeraddr), &peeraddrlen); - if (bytesread <= 0) + if (bytesread > 0 && bytesread >= (*peek == 2 ? 5 : 4)) { - sock->state = SOCKET_CLOSE; - return; - } - - if (*peek == 2) - { - recvlen = AsUINT24(peek + 2); - } - else if (*peek == 1) /* SLPv1 packet */ - { - recvlen = AsUINT16(peek + 2); + if (*peek == 2) + { + recvlen = AsUINT24(peek + 2); + } + else if (*peek == 1) /* SLPv1 packet */ + { + recvlen = AsUINT16(peek + 2); + } + else + { + /* Version not supported */ + SLPDLog("WARNING - Version %i not supported from %s", + *peek, + inet_ntoa(sock->peeraddr.sin_addr)); + sock->state = SOCKET_CLOSE; + return; + } } else { - /* Version not supported */ - SLPDLog("WARNING - Version %i not supported from %s", - *peek, - inet_ntoa(sock->peeraddr.sin_addr)); sock->state = SOCKET_CLOSE; return; } @@ -222,6 +224,10 @@ sock->state = SOCKET_CLOSE; return; } + + /* one byte is minimum */ + if (recvlen <= 0) + recvlen = 1; /* allocate the recvbuf big enough for the whole message */ sock->recvbuf = SLPBufferRealloc(sock->recvbuf,recvlen); @@ -270,7 +276,7 @@ } else { - /* error in recv() */ + /* error in recv() or eof */ sock->state = SOCKET_CLOSE; } } --- ./slpd/slpd_outgoing.c.audit 2002-05-01 09:47:21.000000000 -0600 +++ ./slpd/slpd_outgoing.c 2005-03-14 12:24:35.433451033 -0700 @@ -206,7 +206,7 @@ MSG_PEEK, (struct sockaddr *)&(sock->peeraddr), &peeraddrlen); - if ( bytesread > 0 ) + if ( bytesread >= 5 && *peek == 2 ) { /* Check the version */ @@ -239,6 +239,10 @@ return; } + /* one byte is minimum */ + if (recvlen <= 0) + recvlen = 1; + /* allocate the recvbuf big enough for the whole message */ sock->recvbuf = SLPBufferRealloc(sock->recvbuf,recvlen); if ( sock->recvbuf ) @@ -251,7 +255,7 @@ sock->state = SOCKET_CLOSE; } } - else + else if ( bytesread == -1 ) { #ifdef WIN32 if ( WSAEWOULDBLOCK != WSAGetLastError() ) @@ -264,6 +268,10 @@ OutgoingStreamReconnect(socklist,sock); } } + else + { + sock->state = SOCKET_CLOSE; + } } if ( sock->state == STREAM_READ ) --- ./slpd/slpd_v1process.c.orig 2005-02-15 17:05:42.710057099 +0000 +++ ./slpd/slpd_v1process.c 2005-02-15 17:29:06.518563216 +0000 @@ -808,11 +808,16 @@ { /* SLPv1 messages are handled only by DAs */ errorcode = SLP_ERROR_VER_NOT_SUPPORTED; + return errorcode; } /* Parse just the message header the reset the buffer "curpos" pointer */ recvbuf->curpos = recvbuf->start; errorcode = SLPv1MessageParseHeader(recvbuf, &header); + if (errorcode != 0) + { + return errorcode; + } /* TRICKY: Duplicate SRVREG recvbufs *before* parsing them */ /* it because we are going to keep them in the */