From owner-svn-src-all@FreeBSD.ORG Mon Jun 15 21:54:26 2009 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 9A7E31065725; Mon, 15 Jun 2009 21:54:26 +0000 (UTC) (envelope-from stas@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 8671F8FC17; Mon, 15 Jun 2009 21:54:26 +0000 (UTC) (envelope-from stas@FreeBSD.org) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id n5FLsQ5Y003002; Mon, 15 Jun 2009 21:54:26 GMT (envelope-from stas@svn.freebsd.org) Received: (from stas@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id n5FLsQaH003001; Mon, 15 Jun 2009 21:54:26 GMT (envelope-from stas@svn.freebsd.org) Message-Id: <200906152154.n5FLsQaH003001@svn.freebsd.org> From: Stanislav Sedov Date: Mon, 15 Jun 2009 21:54:26 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-6@freebsd.org X-SVN-Group: stable-6 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r194268 - in stable/6/contrib/ipfilter: . lib X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 15 Jun 2009 21:54:28 -0000 Author: stas Date: Mon Jun 15 21:54:26 2009 New Revision: 194268 URL: http://svn.freebsd.org/changeset/base/194268 Log: MFC r193043: - Prevent buffer overflow in IPFilter's load_http function used to load ipfilter tables via http by the user-level ippool utility. Previously the 1024-byte buffer used to store a http request coudld easily overflow if the length of the hostname part of the url passes exceeded 496 bytes. - Use snprintf to prevent possieble buffer overflows in future. - Do not try to close the descriptor twice on failure. Modified: stable/6/contrib/ipfilter/ (props changed) stable/6/contrib/ipfilter/lib/load_http.c Modified: stable/6/contrib/ipfilter/lib/load_http.c ============================================================================== --- stable/6/contrib/ipfilter/lib/load_http.c Mon Jun 15 21:52:27 2009 (r194267) +++ stable/6/contrib/ipfilter/lib/load_http.c Mon Jun 15 21:54:26 2009 (r194268) @@ -14,11 +14,13 @@ alist_t * load_http(char *url) { - int fd, len, left, port, endhdr, removed; - char *s, *t, *u, buffer[1024], *myurl; + char *s, *t, *u, buffer[1044], *myurl; alist_t *a, *rtop, *rbot; struct sockaddr_in sin; struct hostent *host; + size_t avail; + int fd, len, left, port, endhdr, removed; + int error; /* * More than this would just be absurd. @@ -32,7 +34,14 @@ load_http(char *url) rtop = NULL; rbot = NULL; - sprintf(buffer, "GET %s HTTP/1.0\r\n", url); + avail = sizeof(buffer); + error = snprintf(buffer, avail, "GET %s HTTP/1.0\r\n", url); + + /* + * error is always less then avail due to the constraint on + * the url length above. + */ + avail -= error; myurl = strdup(url); if (myurl == NULL) @@ -51,7 +60,11 @@ load_http(char *url) if (u != NULL) s = u + 1; /* AUTH */ - sprintf(buffer + strlen(buffer), "Host: %s\r\n\r\n", s); + error = snprintf(buffer + strlen(buffer), avail, "Host: %s\r\n\r\n", s); + if (error >= avail) { + fprintf(stderr, "URL is too large: %s\n", url); + goto done; + } u = strchr(s, ':'); if (u != NULL) { @@ -83,16 +96,12 @@ load_http(char *url) if (fd == -1) goto done; - if (connect(fd, (struct sockaddr *)&sin, sizeof(sin)) == -1) { - close(fd); + if (connect(fd, (struct sockaddr *)&sin, sizeof(sin)) == -1) goto done; - } len = strlen(buffer); - if (write(fd, buffer, len) != len) { - close(fd); + if (write(fd, buffer, len) != len) goto done; - } s = buffer; endhdr = 0;