[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SCM] GNU Inetutils branch, master, updated. inetutils-1_9_1_100-12-g2d
|
From: |
Mats Erik Andersson |
|
Subject: |
[SCM] GNU Inetutils branch, master, updated. inetutils-1_9_1_100-12-g2d4d6b7 |
|
Date: |
Fri, 15 Nov 2013 18:30:40 +0000 |
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU Inetutils ".
The branch, master has been updated
via 2d4d6b7a24252f463bef8413ab2dffc9cac621e0 (commit)
from 804f20e073d6ec39e60796ee49f1e26f82a19959 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
http://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=2d4d6b7a24252f463bef8413ab2dffc9cac621e0
commit 2d4d6b7a24252f463bef8413ab2dffc9cac621e0
Author: Mats Erik Andersson <address@hidden>
Date: Fri Nov 15 17:43:07 2013 +0100
tftp: Buffer size checking.
During hardened compilation, a bogus string array defined
in <arpa/tftp.h> can cause false negatives.
diff --git a/ChangeLog b/ChangeLog
index 40f0f1c..2a1f676 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,15 @@
+2013-11-15 Mats Erik Andersson <address@hidden>
+
+ tftp: Buffer size checking.
+ Hardened builds need a helping hand in interpreting
+ a bogus array length.
+
+ * src/tftp.c (makerequest): New variables ARGLEN, LEN.
+ Use them in calculating available space for file name.
+ [HAVE_STRUCT_TFTPHDR_TH_U]: Calculate CP using an offset
+ argument. Needed to prevent false negatives from stack
+ allocation protectors.
+
2013-11-05 Mats Erik Andersson <address@hidden>
Improve detection of readline.
diff --git a/src/tftp.c b/src/tftp.c
index 2d66322..f50abc1 100644
--- a/src/tftp.c
+++ b/src/tftp.c
@@ -1211,16 +1211,37 @@ makerequest (int request, const char *name, struct
tftphdr *tp,
const char *mode)
{
register char *cp;
+ size_t arglen, len;
tp->th_opcode = htons ((unsigned short) request);
#if HAVE_STRUCT_TFTPHDR_TH_U
- cp = tp->th_stuff;
+ /*
+ * GNU and BSD essentially, i.e. modulo a macro, define
+ * 'tftphdr.th_stuff' as a character array of length
+ * naught with GNU, and one with BSD!
+ *
+ * When compiling with stack protectors, like during
+ * hardened builds in Debian, every useful file name
+ * will overflow that limit. However, our code ensures
+ * '*tp' to be of length PKTSIZE. Assigning CP via an
+ * offset calculation avoids this issue.
+ */
+ cp = (char *) tp + (tp->th_stuff - (char *) tp);
#else
cp = (char *) &(tp->th_stuff);
#endif
- strcpy (cp, name);
- cp += strlen (name);
+
+ /* Available space for naming the target file. */
+ len = PKTSIZE - sizeof (struct tftphdr) - sizeof ("netascii");
+ arglen = strlen (name);
+
+ strncpy (cp, name, len);
+
+ cp += (arglen < len) ? arglen : len;
*cp++ = '\0';
+
+ /* Mode is either "netascii" or "octet", so is always fits
+ * based on our choice of LEN. */
strcpy (cp, mode);
cp += strlen (mode);
*cp++ = '\0';
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 12 ++++++++++++
src/tftp.c | 27 ++++++++++++++++++++++++---
2 files changed, 36 insertions(+), 3 deletions(-)
hooks/post-receive
--
GNU Inetutils
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [SCM] GNU Inetutils branch, master, updated. inetutils-1_9_1_100-12-g2d4d6b7,
Mats Erik Andersson <=