external/cde
1
0
Fork 0
mirror of git://git.code.sf.net/p/cdesktopenv/code synced 2025-03-09 15:50:02 +00:00
Code Issues Releases Wiki Activity

DtSvc/dtspcd: fixes for VU#172583

Browse source
This commit is contained in:
Jon Trulson 2012-05-26 19:09:33 -06:00
parent a2959aa768
commit b4f3efb692
3 changed files with 33 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

9
cde/lib/DtSvc/DtEncap/spc-error.c
View file

@ -771,6 +771,15 @@ SPCError *SPC_Lookup_Error(int errornum)
spc_error_struct.use_errno = FALSE; spc_error_struct.use_errno = FALSE;
break; break;
/* JET - buffer overflow attempt */
/* VU#172583 */
case SPC_Buffer_Overflow:
spc_error_struct.format = (XeString) "><Attempted Buffer Overflow from host %s.\nConnection dropped.";
spc_error_struct.severity = XeError;
spc_error_struct.use_errno = FALSE;
break;
default: default:
spc_error_struct.format = (XeString) "><Unknown error code"; spc_error_struct.format = (XeString) "><Unknown error code";
spc_error_struct.severity = XeError; spc_error_struct.severity = XeError;

18
cde/lib/DtSvc/DtEncap/spc-proto.c
View file

@ -461,6 +461,24 @@ protocol_request_ptr SPC_Read_Protocol(SPC_Connection_Ptr connection)
&channel_id, &prot->request_type, &dptr->len, &prot->seqno); &channel_id, &prot->request_type, &dptr->len, &prot->seqno);
prot->channel=SPC_Lookup_Channel(channel_id, connection); prot->channel=SPC_Lookup_Channel(channel_id, connection);
/* JET - 11/12/2001 - correct an exploitable buffer overrun where the user */
/* can supply a data len that is larger than the available buffer */
/* MAXREQLEN */
/* CERT - VU#172583 */
if (dptr->len >= MAXREQLEN)
{ /* we have a problem. Initiate DefCon 1 */
/* and launch our missiles. */
XeString connection_hostname = CONNECTION_HOSTNAME(connection);
SPC_Error(SPC_Buffer_Overflow, connection_hostname);
XeFree(connection_hostname);
SPC_Close_Connection(connection);
SPC_Free_Protocol_Ptr(prot);
return(SPC_ERROR);
}
/* read header */ /* read header */
len=SPC_Read_Chars(connection, dptr->len, dptr->data+REQUEST_HEADER_LENGTH); len=SPC_Read_Chars(connection, dptr->len, dptr->data+REQUEST_HEADER_LENGTH);

7
cde/lib/DtSvc/include/SPC/spcE.h
View file

@ -112,8 +112,13 @@
#define SPC_Bad_Permission 164 #define SPC_Bad_Permission 164
#define SPC_Cannot_Create_Netfilename 165 #define SPC_Cannot_Create_Netfilename 165
#define SPC_Protocol_Version_Error 166 #define SPC_Protocol_Version_Error 166
/* JET - a special error code for goobers trying to overflow our buffers. */
/* VU#172583 */
#define SPC_Buffer_Overflow 167
/* Keep this up to date with the last error number declared above */ /* Keep this up to date with the last error number declared above */
#define SPC_Max_Error 167 #define SPC_Max_Error 168
/* The definition of the SPC Error structure has been moved to spc.h /* The definition of the SPC Error structure has been moved to spc.h
(to make it public) */ (to make it public) */