DtSvc/dtspcd: fixes for VU#172583

2025-03-09 15:50:02 +00:00 · 2012-05-26 19:09:33 -06:00 · 2012-05-26 19:09:33 -06:00 · b4f3efb692
commit b4f3efb692
parent a2959aa768
3 changed files with 33 additions and 1 deletions
--- a/cde/lib/DtSvc/DtEncap/spc-error.c
+++ b/cde/lib/DtSvc/DtEncap/spc-error.c
@ -771,6 +771,15 @@ SPCError *SPC_Lookup_Error(int errornum)
    spc_error_struct.use_errno = FALSE;
    break;

+    /* JET - buffer overflow attempt */
+    /* VU#172583 */
+  case SPC_Buffer_Overflow:
+    spc_error_struct.format    = (XeString) "><Attempted Buffer Overflow from host %s.\nConnection dropped.";
+    spc_error_struct.severity  = XeError;
+    spc_error_struct.use_errno = FALSE;
+    break;
+
+
  default:
    spc_error_struct.format    = (XeString) "><Unknown error code";
    spc_error_struct.severity  = XeError;
--- a/cde/lib/DtSvc/DtEncap/spc-proto.c
+++ b/cde/lib/DtSvc/DtEncap/spc-proto.c
@ -461,6 +461,24 @@ protocol_request_ptr SPC_Read_Protocol(SPC_Connection_Ptr connection)
 	      &channel_id, &prot->request_type, &dptr->len, &prot->seqno);
  prot->channel=SPC_Lookup_Channel(channel_id, connection);
  
+
+  /* JET - 11/12/2001 - correct an exploitable buffer overrun where the user */
+  /* can supply a data len that is larger than the available buffer */
+  /* MAXREQLEN */
+  /* CERT - VU#172583 */
+
+  if (dptr->len >= MAXREQLEN)
+    {				/* we have a problem.  Initiate DefCon 1 */
+				/* and launch our missiles. */
+      XeString connection_hostname = CONNECTION_HOSTNAME(connection);
+
+      SPC_Error(SPC_Buffer_Overflow, connection_hostname);
+      XeFree(connection_hostname);
+      SPC_Close_Connection(connection);
+      SPC_Free_Protocol_Ptr(prot);
+      return(SPC_ERROR);
+    }
+
  /* read header */
  
  len=SPC_Read_Chars(connection, dptr->len, dptr->data+REQUEST_HEADER_LENGTH);
--- a/cde/lib/DtSvc/include/SPC/spcE.h
+++ b/cde/lib/DtSvc/include/SPC/spcE.h
@ -112,8 +112,13 @@
 #define SPC_Bad_Permission     164
 #define SPC_Cannot_Create_Netfilename	165
 #define SPC_Protocol_Version_Error 	166
+
+/* JET - a special error code for goobers trying to overflow our buffers. */
+/* VU#172583 */
+#define SPC_Buffer_Overflow    167
+
 /* Keep this up to date with the last error number declared above */
-#define SPC_Max_Error          167
+#define SPC_Max_Error          168

 /* The definition of the SPC Error structure has been moved to spc.h
   (to make it public) */