101 lines
3.7 KiB
Plaintext
101 lines
3.7 KiB
Plaintext
$OpenBSD: patch-src_tftp_c,v 1.6 2009/08/31 18:01:01 rui Exp $
|
|
|
|
CVE-2009-2957,2958
|
|
plus gcc2 fixes to struct errmess, struct oackmess, struct datamess from kili
|
|
|
|
--- src/tftp.c.orig Mon Jun 8 22:12:43 2009
|
|
+++ src/tftp.c Sun Aug 30 22:21:35 2009
|
|
@@ -192,20 +192,21 @@ void tftp_request(struct listener *listen, time_t now)
|
|
|
|
while ((opt = next(&p, end)))
|
|
{
|
|
- if (strcasecmp(opt, "blksize") == 0 &&
|
|
- (opt = next(&p, end)) &&
|
|
- !(daemon->options & OPT_TFTP_NOBLOCK))
|
|
+ if (strcasecmp(opt, "blksize") == 0)
|
|
{
|
|
- transfer->blocksize = atoi(opt);
|
|
- if (transfer->blocksize < 1)
|
|
- transfer->blocksize = 1;
|
|
- if (transfer->blocksize > (unsigned)daemon->packet_buff_sz - 4)
|
|
- transfer->blocksize = (unsigned)daemon->packet_buff_sz - 4;
|
|
- transfer->opt_blocksize = 1;
|
|
- transfer->block = 0;
|
|
+ if ((opt = next(&p, end)) &&
|
|
+ !(daemon->options & OPT_TFTP_NOBLOCK))
|
|
+ {
|
|
+ transfer->blocksize = atoi(opt);
|
|
+ if (transfer->blocksize < 1)
|
|
+ transfer->blocksize = 1;
|
|
+ if (transfer->blocksize > (unsigned)daemon->packet_buff_sz - 4)
|
|
+ transfer->blocksize = (unsigned)daemon->packet_buff_sz - 4;
|
|
+ transfer->opt_blocksize = 1;
|
|
+ transfer->block = 0;
|
|
+ }
|
|
}
|
|
-
|
|
- if (strcasecmp(opt, "tsize") == 0 && next(&p, end) && !transfer->netascii)
|
|
+ else if (strcasecmp(opt, "tsize") == 0 && next(&p, end) && !transfer->netascii)
|
|
{
|
|
transfer->opt_transize = 1;
|
|
transfer->block = 0;
|
|
@@ -217,17 +218,17 @@ void tftp_request(struct listener *listen, time_t now)
|
|
{
|
|
if (daemon->tftp_prefix[0] == '/')
|
|
daemon->namebuff[0] = 0;
|
|
- strncat(daemon->namebuff, daemon->tftp_prefix, MAXDNAME);
|
|
+ strncat(daemon->namebuff, daemon->tftp_prefix, (MAXDNAME-1) - strlen(daemon->namebuff));
|
|
if (daemon->tftp_prefix[strlen(daemon->tftp_prefix)-1] != '/')
|
|
- strncat(daemon->namebuff, "/", MAXDNAME);
|
|
+ strncat(daemon->namebuff, "/", (MAXDNAME-1) - strlen(daemon->namebuff));
|
|
|
|
if (daemon->options & OPT_TFTP_APREF)
|
|
{
|
|
size_t oldlen = strlen(daemon->namebuff);
|
|
struct stat statbuf;
|
|
|
|
- strncat(daemon->namebuff, inet_ntoa(peer.sin_addr), MAXDNAME);
|
|
- strncat(daemon->namebuff, "/", MAXDNAME);
|
|
+ strncat(daemon->namebuff, inet_ntoa(peer.sin_addr), (MAXDNAME-1) - strlen(daemon->namebuff));
|
|
+ strncat(daemon->namebuff, "/", (MAXDNAME-1) - strlen(daemon->namebuff));
|
|
|
|
/* remove unique-directory if it doesn't exist */
|
|
if (stat(daemon->namebuff, &statbuf) == -1 || !S_ISDIR(statbuf.st_mode))
|
|
@@ -245,8 +246,7 @@ void tftp_request(struct listener *listen, time_t now)
|
|
}
|
|
else if (filename[0] == '/')
|
|
daemon->namebuff[0] = 0;
|
|
- strncat(daemon->namebuff, filename, MAXDNAME);
|
|
- daemon->namebuff[MAXDNAME-1] = 0;
|
|
+ strncat(daemon->namebuff, filename, (MAXDNAME-1) - strlen(daemon->namebuff));
|
|
|
|
/* check permissions and open file */
|
|
if ((transfer->file = check_tftp_fileperm(&len)))
|
|
@@ -481,7 +481,7 @@ static ssize_t tftp_err(int err, char *packet, char *m
|
|
{
|
|
struct errmess {
|
|
unsigned short op, err;
|
|
- char message[];
|
|
+ char message[0];
|
|
} *mess = (struct errmess *)packet;
|
|
ssize_t ret = 4;
|
|
char *errstr = strerror(errno);
|
|
@@ -508,7 +508,7 @@ static ssize_t get_block(char *packet, struct tftp_tra
|
|
char *p;
|
|
struct oackmess {
|
|
unsigned short op;
|
|
- char data[];
|
|
+ char data[0];
|
|
} *mess = (struct oackmess *)packet;
|
|
|
|
p = mess->data;
|
|
@@ -531,7 +531,7 @@ static ssize_t get_block(char *packet, struct tftp_tra
|
|
/* send data packet */
|
|
struct datamess {
|
|
unsigned short op, block;
|
|
- unsigned char data[];
|
|
+ unsigned char data[0];
|
|
} *mess = (struct datamess *)packet;
|
|
|
|
size_t size = transfer->file->size - transfer->offset;
|