Re: Please let ekg_1.5+20050411-3 into sarge
On Tue, May 24, 2005 at 08:03:50PM +0200, Marcin Owsiany wrote:
> An interdiff from -2 is attached.
This time it is.
Marcin
--
Marcin Owsiany <porridge@debian.org> http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216 FE67 DA2D 0ACA FC5E 3F75 D6F6 3A0D 8AA0 60F4 1216
diff -u ekg-1.5+20050411/debian/changelog ekg-1.5+20050411/debian/changelog
--- ekg-1.5+20050411/debian/changelog 2005-05-08 23:03:30.000000000 +0200
+++ ekg-1.5+20050411/debian/changelog 2005-05-24 19:14:30.000000000 +0200
@@ -1,3 +1,16 @@
+ekg (1:1.5+20050411-3) unstable; urgency=high
+
+ * Applied patches selected from upstream CVS, to fix the following important
+ issues in libgadu:
+ - fix a DCC related DoS condition (missing check for 0 return value from
+ read())
+ - fix a mistake of setting errno to 0 instead of passing appropriate
+ value to library user
+ - add input parameter checks whose lack could cause a DoS
+ - fix a few variable signedness errors
+
+ -- Marcin Owsiany <porridge@debian.org> Tue, 24 May 2005 19:09:33 +0200
+
ekg (1:1.5+20050411-2) unstable; urgency=high
* Applied patches selected from upstream CVS, to fix the following important
diff -u ekg-1.5+20050411/lib/events.c ekg-1.5+20050411/lib/events.c
--- ekg-1.5+20050411/lib/events.c 2005-05-08 22:39:33.000000000 +0200
+++ ekg-1.5+20050411/lib/events.c 2005-05-24 19:06:30.000000000 +0200
@@ -1,4 +1,4 @@
-/* $Id: events.c,v 1.86 2005/04/12 15:39:22 szalik Exp $ */
+/* $Id: events.c,v 1.87 2005/05/22 08:41:55 wojtekka Exp $ */
/*
* (C) Copyright 2001-2003 Wojtek Kaniewski <wojtekka@irc.pl>
@@ -167,7 +167,7 @@
* - e - opis zdarzenia
* -
*/
-static void gg_image_queue_parse(struct gg_event *e, char *p, int len, struct gg_session *sess, uin_t sender)
+static void gg_image_queue_parse(struct gg_event *e, char *p, unsigned int len, struct gg_session *sess, uin_t sender)
{
struct gg_msg_image_reply *i = (void*) p;
struct gg_image_queue *q, *qq;
@@ -394,7 +394,7 @@
goto malformed;
}
- gg_image_queue_parse(e, p, (int)(packet_end - p), sess, gg_fix32(r->sender));
+ gg_image_queue_parse(e, p, (unsigned int)(packet_end - p), sess, gg_fix32(r->sender));
return 0;
}
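Review bot: The new cast `(unsigned int)(packet_end - p)` turns a negative pointer difference into a very large length, so a `len < 0` style rejection inside gg_image_queue_parse (whose parameter became unsigned in the earlier hunk of this file) is no longer possible; whether that is safe depends on the checks that precede this call, and the `goto malformed;` at the top of the hunk suggests one exists but its condition is not visible. A guard placed directly in front of the call, `if (packet_end < p) goto malformed;`, would make the invariant local and cheap to verify. The enclosing function starts and ends outside the hunk.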
@@ -471,7 +471,7 @@
case GG_NOTIFY_REPLY:
{
struct gg_notify_reply *n = (void*) p;
- int count, i;
+ unsigned int count, i;
char *tmp;
gg_debug(GG_DEBUG_MISC, "// gg_watch_fd_connected() received a notify reply\n");
@@ -720,7 +720,7 @@
if (h->length > 1) {
char *tmp;
- int len = (sess->userlist_reply) ? strlen(sess->userlist_reply) : 0;
+ unsigned int len = (sess->userlist_reply) ? strlen(sess->userlist_reply) : 0;
gg_debug(GG_DEBUG_MISC, "userlist_reply=%p, len=%d\n", sess->userlist_reply, len);
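Review bot: `len` is now `unsigned int` but the gg_debug call on the last line of the hunk still formats it with `%d`, which is a format/argument type mismatch; change it to `len=%u`. The same mismatch is introduced in the dcc.c hunk, where gg_dcc_debug_data's `size` parameter became `unsigned int` while its gg_debug call keeps `len=%d`. Note also that `strlen()` returns `size_t`, so the initializer narrows on 64-bit targets; if the later uses of `len` (outside the hunk) accept it, `size_t len` with `%zu` would avoid both issues. The enclosing `if (h->length > 1)` block continues outside the hunk.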
diff -u ekg-1.5+20050411/lib/libgadu.c ekg-1.5+20050411/lib/libgadu.c
--- ekg-1.5+20050411/lib/libgadu.c 2005-05-08 22:39:34.000000000 +0200
+++ ekg-1.5+20050411/lib/libgadu.c 2005-05-24 19:06:27.000000000 +0200
@@ -1,4 +1,4 @@
-/* $Id: libgadu.c,v 1.144 2005/04/12 15:39:22 szalik Exp $ */
+/* $Id: libgadu.c,v 1.146 2005/05/23 16:38:38 wojtekka Exp $ */
/*
* (C) Copyright 2001-2003 Wojtek Kaniewski <wojtekka@irc.pl>
@@ -72,7 +72,7 @@
#ifdef __GNUC__
__attribute__ ((unused))
#endif
-= "$Id: libgadu.c,v 1.144 2005/04/12 15:39:22 szalik Exp $";
+= "$Id: libgadu.c,v 1.146 2005/05/23 16:38:38 wojtekka Exp $";
#endif
/*
@@ -455,7 +455,9 @@
*
* - sess - opis sesji
*
- * w przypadku błędu NULL, kod błędu w errno.
+ * w przypadku błędu NULL, kod błędu w errno. należy zwrócić uwagę, że gdy
+ * połączenie jest nieblokujące, a kod błędu wynosi EAGAIN, nie udało się
+ * odczytać całego pakietu i nie należy tego traktować jako błąd.
*/
void *gg_recv_packet(struct gg_session *sess)
{
@@ -486,7 +488,7 @@
gg_debug(GG_DEBUG_MISC, "// gg_recv_packet() header recv(%d,%p,%d) = %d\n", sess->fd, &h + sess->header_done, sizeof(h) - sess->header_done, ret);
if (!ret) {
- errno = 0;
+ errno = ECONNRESET;
gg_debug(GG_DEBUG_MISC, "// gg_recv_packet() header recv() failed: connection broken\n");
return NULL;
}
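Review bot: ECONNRESET is now the errno reported for a zero-byte read of the packet header, but the function comment updated in the preceding hunk describes only the EAGAIN case; since callers are told to consult errno when NULL is returned, add a sentence there (in the comment's language) stating that a connection closed by the peer is reported as ECONNRESET. Strictly a zero-length read is an orderly shutdown rather than a reset, so this is a library convention worth making explicit. gg_recv_packet continues outside this hunk.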
@@ -551,11 +553,20 @@
while (size > 0) {
ret = gg_read(sess, buf + sizeof(h) + offset, size);
gg_debug(GG_DEBUG_MISC, "// gg_recv_packet() body recv(%d,%p,%d) = %d\n", sess->fd, buf + sizeof(h) + offset, size, ret);
+ if (!ret) {
+ gg_debug(GG_DEBUG_MISC, "// gg_recv_packet() body recv() failed: connection broken\n");
+ errno = ECONNRESET;
+ return NULL;
+ }
if (ret > -1 && ret <= size) {
offset += ret;
size -= ret;
} else if (ret == -1) {
+ int errno2 = errno;
+
gg_debug(GG_DEBUG_MISC, "// gg_recv_packet() body recv() failed (errno=%d, %s)\n", errno, strerror(errno));
+ errno = errno2;
+
if (errno == EAGAIN) {
gg_debug(GG_DEBUG_MISC, "// gg_recv_packet() %d bytes received, %d left\n", offset, size);
sess->recv_buf = buf;
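Review bot: The save/restore around gg_debug (`int errno2 = errno;` … `errno = errno2;`) is needed because gg_debug and strerror() may clobber errno before the `errno == EAGAIN` test, but the header-read path in the earlier hunk of this file shows only its `!ret` branch; if its `ret == -1` branch (outside that hunk) likewise logs with strerror(errno) before testing EAGAIN, it needs the same treatment. Minor: the new `if (!ret)` block logs before assigning errno while the header path assigns errno first; either order works because that message does not print errno, but keeping the two paths identical makes them easier to compare. The enclosing `while (size > 0)` loop and gg_recv_packet continue outside the hunk.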
only in patch2:
unchanged:
--- ekg-1.5+20050411.orig/lib/common.c 2005-03-20 01:43:44.000000000 +0100
+++ ekg-1.5+20050411/lib/common.c 2005-05-24 19:06:29.000000000 +0200
@@ -1,4 +1,4 @@
-/* $Id: common.c,v 1.68 2005/03/20 00:43:44 szalik Exp $ */
+/* $Id: common.c,v 1.70 2005/05/23 16:27:15 wojtekka Exp $ */
/*
* (C) Copyright 2001-2002 Wojtek Kaniewski <wojtekka@irc.pl>
@@ -294,12 +294,16 @@
* - buf - wskaźnik do bufora
* - length - długość bufora
*
- * jeśli trafi na błąd odczytu, zwraca NULL. inaczej zwraca buf.
+ * jeśli trafi na błąd odczytu lub podano nieprawidłowe parametry, zwraca NULL.
+ * inaczej zwraca buf.
*/
char *gg_read_line(int sock, char *buf, int length)
{
int ret;
+ if (!buf || length < 0)
+ return NULL;
+
for (; length > 1; buf++, length--) {
do {
if ((ret = read(sock, buf, 1)) == -1 && errno != EINTR) {
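Review bot: The new guard `if (!buf || length < 0) return NULL;` rejects negative lengths but still admits `length == 0`, and the loop condition `length > 1` is written to leave one byte for a terminator; if the code after the loop (outside this hunk) writes that terminator unconditionally, a zero-length buffer receives a one-byte out-of-bounds write. Tightening the check to `if (!buf || length < 1) return NULL;` closes that case, provided no caller relies on passing 0. The guard also returns NULL without touching errno, so a caller that distinguishes a read error from bad parameters by errno sees a stale value; setting `errno = EINVAL;` before the return, and saying so in the updated comment, would make the two NULL causes distinguishable. gg_read_line's body continues outside the hunk.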
@@ -360,7 +364,7 @@
{
char *q, *buf, hex[] = "0123456789abcdef";
const char *p;
- int size = 0;
+ unsigned int size = 0;
if (!str)
str = "";
@@ -412,18 +416,18 @@
va_start(ap, format);
for (j = 0; j < strlen(format); j++) {
- unsigned char *arg, buf[16];
+ char *arg, buf[16];
if (format[j] == 'u') {
snprintf(buf, sizeof(buf), "%d", va_arg(ap, uin_t));
arg = buf;
} else {
- if (!(arg = va_arg(ap, unsigned char*)))
+ if (!(arg = va_arg(ap, char*)))
arg = "";
}
i = 0;
- while ((c = (int) arg[i++]) != 0) {
+ while ((c = (unsigned char) arg[i++]) != 0) {
a = (c ^ b) + (c << 8);
b = (a >> 24) | (a << 8);
}
@@ -613,7 +617,7 @@
char *gg_base64_encode(const char *buf)
{
char *out, *res;
- int i = 0, j = 0, k = 0, len = strlen(buf);
+ unsigned int i = 0, j = 0, k = 0, len = strlen(buf);
res = out = malloc((len / 3 + 1) * 4 + 2);
@@ -671,7 +675,7 @@
{
char *res, *save, *foo, val;
const char *end;
- int index = 0;
+ unsigned int index = 0;
if (!buf)
return NULL;
@@ -765,7 +769,7 @@
static void gg_crc32_make_table()
{
uint32_t h = 1;
- int i, j;
+ unsigned int i, j;
memset(gg_crc32_table, 0, sizeof(gg_crc32_table));
@@ -795,6 +799,9 @@
if (!gg_crc32_initialized)
gg_crc32_make_table();
+ if (!buf || len < 0)
+ return crc;
+
crc ^= 0xffffffffL;
while (len--)
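Review bot: The new `if (!buf || len < 0) return crc;` hands the caller's seed back unchanged, which is the same value the function presumably yields for empty input once the final xor (outside the hunk) undoes `crc ^= 0xffffffffL`; that equivalence is worth stating in the function comment above the hunk, e.g. `/* NULL buffer or negative length is treated like empty input: crc is returned unchanged. */`. The `len < 0` test also shows this parameter stays signed while the rest of the patch converts counters to unsigned, so callers passing a `size_t` length will have it narrowed and sign-converted here. The enclosing function starts and ends outside the hunk.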
only in patch2:
unchanged:
--- ekg-1.5+20050411.orig/lib/dcc.c 2005-03-20 01:43:44.000000000 +0100
+++ ekg-1.5+20050411/lib/dcc.c 2005-05-24 19:06:30.000000000 +0200
@@ -1,4 +1,4 @@
-/* $Id: dcc.c,v 1.68 2005/03/20 00:43:44 szalik Exp $ */
+/* $Id: dcc.c,v 1.69 2005/05/22 08:41:54 wojtekka Exp $ */
/*
* (C) Copyright 2001-2002 Wojtek Kaniewski <wojtekka@irc.pl>
@@ -52,9 +52,9 @@
* - buf - bufor z danymi
* - size - rozmiar danych
*/
-static void gg_dcc_debug_data(const char *prefix, int fd, const void *buf, int size)
+static void gg_dcc_debug_data(const char *prefix, int fd, const void *buf, unsigned int size)
{
- int i;
+ unsigned int i;
gg_debug(GG_DEBUG_MISC, "++ gg_dcc %s (fd=%d,len=%d)", prefix, fd, size);