Source-Changes-HG archive
[src/netbsd-7]: src/common/lib/libprop Pull up following revision(s) (request...
details: https://anonhg.NetBSD.org/src/rev/be1c3296edc6
branches: netbsd-7
changeset: 799342:be1c3296edc6
user: snj <snj%NetBSD.org@localhost>
date: Sat May 16 18:02:14 2015 +0000
description:
Pull up following revision(s) (requested by christos in ticket #782):
common/lib/libprop/prop_kern.c: revision 1.19
common/lib/libprop/prop_object.c: revision 1.30
common/lib/libprop/prop_object_impl.h: revision 1.32
Limit size of xml buffer for userland requests (From Mateusz Kocielski)
--
Don't treat NUL (EOF) as SPACE. All the code that uses _PROP_ISSPACE() checks
explicitly for _PROP_EOF() anyway, and this can be abused to cause run beyond
the end of buffer DoS (Mateusz Kocielski)
--
Now that _PROP_ISSPACE does not include the EOF check, put the check for
EOF inside the loop. Also fix another unbounded loop that did not check for
EOF. From Mateusz Kocielski
diffstat:
common/lib/libprop/prop_kern.c | 5 ++++-
common/lib/libprop/prop_object.c | 23 +++++++++++++----------
common/lib/libprop/prop_object_impl.h | 5 ++---
3 files changed, 19 insertions(+), 14 deletions(-)
diffs (92 lines):
diff -r 328754934b7d -r be1c3296edc6 common/lib/libprop/prop_kern.c
--- a/common/lib/libprop/prop_kern.c Sat May 16 17:58:46 2015 +0000
+++ b/common/lib/libprop/prop_kern.c Sat May 16 18:02:14 2015 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: prop_kern.c,v 1.17.22.1 2014/12/31 06:44:00 snj Exp $ */
+/* $NetBSD: prop_kern.c,v 1.17.22.2 2015/05/16 18:02:14 snj Exp $ */
/*-
* Copyright (c) 2006, 2009 The NetBSD Foundation, Inc.
@@ -407,6 +407,9 @@
char *buf;
int error;
+ if (pref->pref_len >= prop_object_copyin_limit)
+ return EINVAL;
+
/*
* Allocate an extra byte so we can guarantee NUL-termination.
*
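Review bot: The new bound at the top of this hunk uses >=, so a request whose pref_len is exactly prop_object_copyin_limit is rejected, and nothing visible here says whether the limit is meant to be inclusive or exclusive. A short comment above the check stating that, and that it must run before the allocation described in the comment that follows (the extra byte for NUL-termination), would help. It is also worth confirming that EINVAL is the error callers expect for an oversized request rather than E2BIG or ENOMEM.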
diff -r 328754934b7d -r be1c3296edc6 common/lib/libprop/prop_object.c
--- a/common/lib/libprop/prop_object.c Sat May 16 17:58:46 2015 +0000
+++ b/common/lib/libprop/prop_object.c Sat May 16 18:02:14 2015 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: prop_object.c,v 1.29 2013/10/18 18:26:20 martin Exp $ */
+/* $NetBSD: prop_object.c,v 1.29.4.1 2015/05/16 18:02:14 snj Exp $ */
/*-
* Copyright (c) 2006, 2007 The NetBSD Foundation, Inc.
@@ -416,10 +416,11 @@
ctx->poic_tagname = cp;
- while (!_PROP_ISSPACE(*cp) && *cp != '/' && *cp != '>')
+ while (!_PROP_ISSPACE(*cp) && *cp != '/' && *cp != '>') {
+ if (_PROP_EOF(*cp))
+ return (false);
cp++;
- if (_PROP_EOF(*cp))
- return (false);
+ }
ctx->poic_tagname_len = cp - ctx->poic_tagname;
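Review bot: The in-loop _PROP_EOF test added here is repeated with the same four-line shape in the next two hunks; a small helper or macro that advances cp to a delimiter and fails on _PROP_EOF would keep the three scans from drifting apart. The logic itself is right: the loop condition reads *cp, and since _PROP_ISSPACE no longer matches NUL, the check in the body is what stops the scan at the terminator before cp++ runs.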
@@ -462,10 +463,11 @@
ctx->poic_tagattr = cp;
- while (!_PROP_ISSPACE(*cp) && *cp != '=')
+ while (!_PROP_ISSPACE(*cp) && *cp != '=') {
+ if (_PROP_EOF(*cp))
+ return (false);
cp++;
- if (_PROP_EOF(*cp))
- return (false);
+ }
ctx->poic_tagattr_len = cp - ctx->poic_tagattr;
@@ -477,10 +479,11 @@
return (false);
ctx->poic_tagattrval = cp;
- while (*cp != '\"')
+ while (*cp != '\"') {
+ if (_PROP_EOF(*cp))
+ return (false);
cp++;
- if (_PROP_EOF(*cp))
- return (false);
+ }
ctx->poic_tagattrval_len = cp - ctx->poic_tagattrval;
cp++;
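Review bot: Missing regression test for the attribute-value scan in this hunk. In the removed version the loop condition was only `*cp != '\"'`, so the scan did not stop at NUL and the _PROP_EOF check placed after the loop could never be true. The in-loop check fixes that; an internalize test whose attribute value has no closing quote would pin the behaviour. The trailing cp++ is safe because the loop now exits only with *cp on the closing quote.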
diff -r 328754934b7d -r be1c3296edc6 common/lib/libprop/prop_object_impl.h
--- a/common/lib/libprop/prop_object_impl.h Sat May 16 17:58:46 2015 +0000
+++ b/common/lib/libprop/prop_object_impl.h Sat May 16 18:02:14 2015 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: prop_object_impl.h,v 1.31 2012/07/27 09:10:59 pooka Exp $ */
+/* $NetBSD: prop_object_impl.h,v 1.31.12.1 2015/05/16 18:02:14 snj Exp $ */
/*-
* Copyright (c) 2006 The NetBSD Foundation, Inc.
@@ -112,8 +112,7 @@
#define _PROP_EOF(c) ((c) == '\0')
#define _PROP_ISSPACE(c) \
- ((c) == ' ' || (c) == '\t' || (c) == '\n' || (c) == '\r' || \
- _PROP_EOF(c))
+ ((c) == ' ' || (c) == '\t' || (c) == '\n' || (c) == '\r')
#define _PROP_TAG_MATCH(ctx, t) \
_prop_object_internalize_match((ctx)->poic_tagname, \
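Review bot: Narrowing _PROP_ISSPACE changes behaviour for every user of the macro, while this changeset only adjusts three loops in prop_object.c. Any remaining loop that uses the macro negated, in the form `while (!_PROP_ISSPACE(*cp))`, now needs its own _PROP_EOF test to stop at the terminator, so the other call sites should be checked before relying on the statement in the commit message that all of them test EOF explicitly. A one-line comment on the macro saying it deliberately does not match NUL would keep the EOF test from being folded back in later.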