You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
165 lines
6.2 KiB
165 lines
6.2 KiB
diff -up openslp-2.0.0/common/slp_buffer.c.orig openslp-2.0.0/common/slp_buffer.c |
|
--- openslp-2.0.0/common/slp_buffer.c.orig 2012-12-11 00:31:53.000000000 +0100 |
|
+++ openslp-2.0.0/common/slp_buffer.c 2019-12-09 10:39:16.422058793 +0100 |
|
@@ -30,6 +30,13 @@ |
|
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
|
*-------------------------------------------------------------------------*/ |
|
|
|
+/* Copyright (c) 2019 VMware, Inc. |
|
+ * SPDX-License-Identifier: BSD-3-Clause |
|
+ * This file is provided under the BSD-3-Clause license. |
|
+ * See COPYING file for more details and other copyrights |
|
+ * that may apply. |
|
+ */ |
|
+ |
|
/** Functions for managing SLP message buffers. |
|
* |
|
* This file provides a higher level abstraction over malloc and free that |
|
@@ -153,4 +160,20 @@ void SLPBufferFree(SLPBuffer buf) |
|
xfree(buf); |
|
} |
|
|
|
+/** Report remaining free buffer size in bytes. |
|
+ * |
|
+ * Check if buffer is allocated and if so return bytes left in a |
|
+ * @c SLPBuffer object. |
|
+ * |
|
+ * @param[in] buf The SLPBuffer to be freed. |
|
+ */ |
|
+size_t |
|
+RemainingBufferSpace(SLPBuffer buf) |
|
+{ |
|
+ if (buf->allocated == 0) { |
|
+ return 0; |
|
+ } |
|
+ return buf->end - buf->curpos; |
|
+} |
|
+ |
|
/*=========================================================================*/ |
|
diff -up openslp-2.0.0/common/slp_buffer.h.orig openslp-2.0.0/common/slp_buffer.h |
|
--- openslp-2.0.0/common/slp_buffer.h.orig 2012-11-28 18:07:04.000000000 +0100 |
|
+++ openslp-2.0.0/common/slp_buffer.h 2019-12-09 10:39:16.422058793 +0100 |
|
@@ -30,6 +30,13 @@ |
|
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
|
*-------------------------------------------------------------------------*/ |
|
|
|
+/* Copyright (c) 2019 VMware, Inc. |
|
+ * SPDX-License-Identifier: BSD-3-Clause |
|
+ * This file is provided under the BSD-3-Clause license. |
|
+ * See COPYING file for more details and other copyrights |
|
+ * that may apply. |
|
+ */ |
|
+ |
|
/** Header file that defines SLP message buffer management routines. |
|
* |
|
* Includes structures, constants and functions that used to handle memory |
|
@@ -78,6 +85,8 @@ SLPBuffer SLPBufferListRemove(SLPBuffer |
|
|
|
SLPBuffer SLPBufferListAdd(SLPBuffer * list, SLPBuffer buf); |
|
|
|
+size_t RemainingBufferSpace(SLPBuffer buf); |
|
+ |
|
/*! @} */ |
|
|
|
#endif /* SLP_BUFFER_H_INCLUDED */ |
|
diff -up openslp-2.0.0/slpd/slpd_process.c.orig openslp-2.0.0/slpd/slpd_process.c |
|
--- openslp-2.0.0/slpd/slpd_process.c.orig 2019-12-09 10:39:16.420058789 +0100 |
|
+++ openslp-2.0.0/slpd/slpd_process.c 2019-12-09 10:39:16.422058793 +0100 |
|
@@ -30,6 +30,13 @@ |
|
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
|
*-------------------------------------------------------------------------*/ |
|
|
|
+/* Copyright (c) 2019 VMware, Inc. |
|
+ * SPDX-License-Identifier: BSD-3-Clause |
|
+ * This file is provided under the BSD-3-Clause license. |
|
+ * See COPYING file for more details and other copyrights |
|
+ * that may apply. |
|
+ */ |
|
+ |
|
/** Processes incoming SLP messages. |
|
* |
|
* @file slpd_process.c |
|
@@ -523,13 +530,27 @@ RESPOND: |
|
{ |
|
for (i = 0; i < db->urlcount; i++) |
|
{ |
|
- /* urlentry is the url from the db result */ |
|
urlentry = db->urlarray[i]; |
|
+ if (urlentry->opaque != NULL) { |
|
+ const int64_t newsize = size + urlentry->opaquelen; |
|
+ if (urlentry->opaquelen <= 0 || newsize > INT_MAX) |
|
+ { |
|
+ SLPDLog("Invalid opaquelen %d or sizeo of opaque url is too big, size=%d\n", |
|
+ urlentry->opaquelen, size); |
|
+ errorcode = SLP_ERROR_PARSE_ERROR; |
|
+ goto FINISHED; |
|
+ } |
|
+ size += urlentry->opaquelen; |
|
+ } |
|
+ else |
|
+ { |
|
+ /* urlentry is the url from the db result */ |
|
+ size += urlentry->urllen + 6; /* 1 byte for reserved */ |
|
+ /* 2 bytes for lifetime */ |
|
+ /* 2 bytes for urllen */ |
|
+ /* 1 byte for authcount */ |
|
+ } |
|
|
|
- size += urlentry->urllen + 6; /* 1 byte for reserved */ |
|
- /* 2 bytes for lifetime */ |
|
- /* 2 bytes for urllen */ |
|
- /* 1 byte for authcount */ |
|
#ifdef ENABLE_SLPv2_SECURITY |
|
/* make room to include the authblock that was asked for */ |
|
if (G_SlpdProperty.securityEnabled |
|
@@ -603,7 +624,7 @@ RESPOND: |
|
urlentry = db->urlarray[i]; |
|
|
|
#ifdef ENABLE_SLPv1 |
|
- if (urlentry->opaque == 0) |
|
+ if (urlentry->opaque == NULL) |
|
{ |
|
/* url-entry reserved */ |
|
*result->curpos++ = 0; |
|
@@ -615,8 +636,18 @@ RESPOND: |
|
PutUINT16(&result->curpos, urlentry->urllen); |
|
|
|
/* url-entry url */ |
|
- memcpy(result->curpos, urlentry->url, urlentry->urllen); |
|
- result->curpos += urlentry->urllen; |
|
+ if (RemainingBufferSpace(result) >= urlentry->urllen) |
|
+ { |
|
+ memcpy(result->curpos, urlentry->url, urlentry->urllen); |
|
+ result->curpos = result->curpos + urlentry->urllen; |
|
+ } |
|
+ else |
|
+ { |
|
+ SLPDLog("Url too big (ask: %d have %" PRId64 "), failing request\n", |
|
+ urlentry->opaquelen, (int64_t) RemainingBufferSpace(result)); |
|
+ errorcode = SLP_ERROR_PARSE_ERROR; |
|
+ goto FINISHED; |
|
+ } |
|
|
|
/* url-entry auths */ |
|
*result->curpos++ = 0; |
|
@@ -630,8 +661,18 @@ RESPOND: |
|
|
|
/* TRICKY: Fix up the lifetime. */ |
|
TO_UINT16(urlentry->opaque + 1, urlentry->lifetime); |
|
- memcpy(result->curpos, urlentry->opaque, urlentry->opaquelen); |
|
- result->curpos += urlentry->opaquelen; |
|
+ if (RemainingBufferSpace(result) >= urlentry->opaquelen) |
|
+ { |
|
+ memcpy(result->curpos, urlentry->opaque, urlentry->opaquelen); |
|
+ result->curpos = result->curpos + urlentry->opaquelen; |
|
+ } |
|
+ else |
|
+ { |
|
+ SLPDLog("Opaque Url too big (ask: %d have %" PRId64 "), failing request\n", |
|
+ urlentry->opaquelen, (int64_t) RemainingBufferSpace(result)); |
|
+ errorcode = SLP_ERROR_PARSE_ERROR; |
|
+ goto FINISHED; |
|
+ } |
|
} |
|
} |
|
}
|
|
|