
Re: Please let ekg_1.5+20050411-3 into sarge



On Tue, May 24, 2005 at 08:03:50PM +0200, Marcin Owsiany wrote:
> An interdiff from -2 is attached.

This time it is.

Marcin
-- 
Marcin Owsiany <porridge@debian.org>             http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216  FE67 DA2D 0ACA FC5E 3F75  D6F6 3A0D 8AA0 60F4 1216
diff -u ekg-1.5+20050411/debian/changelog ekg-1.5+20050411/debian/changelog
--- ekg-1.5+20050411/debian/changelog	2005-05-08 23:03:30.000000000 +0200
+++ ekg-1.5+20050411/debian/changelog	2005-05-24 19:14:30.000000000 +0200
@@ -1,3 +1,16 @@
+ekg (1:1.5+20050411-3) unstable; urgency=high
+
+  * Applied patches selected from upstream CVS, to fix the following important
+    issues in libgadu:
+     - fix a DCC related DoS condition (missing check for 0 return value from
+       read())
+     - fix a mistake of setting errno to 0 instead of passing appropriate
+       value to library user
+     - add input parameter checks whose lack could cause a DoS
+     - fix a few variable signedness errors
+
+ -- Marcin Owsiany <porridge@debian.org>  Tue, 24 May 2005 19:09:33 +0200
+
 ekg (1:1.5+20050411-2) unstable; urgency=high
 
   * Applied patches selected from upstream CVS, to fix the following important
diff -u ekg-1.5+20050411/lib/events.c ekg-1.5+20050411/lib/events.c
--- ekg-1.5+20050411/lib/events.c	2005-05-08 22:39:33.000000000 +0200
+++ ekg-1.5+20050411/lib/events.c	2005-05-24 19:06:30.000000000 +0200
@@ -1,4 +1,4 @@
-/* $Id: events.c,v 1.86 2005/04/12 15:39:22 szalik Exp $ */
+/* $Id: events.c,v 1.87 2005/05/22 08:41:55 wojtekka Exp $ */
 
 /*
  *  (C) Copyright 2001-2003 Wojtek Kaniewski <wojtekka@irc.pl>
@@ -167,7 +167,7 @@
  *  - e - opis zdarzenia
  *  - 
  */
-static void gg_image_queue_parse(struct gg_event *e, char *p, int len, struct gg_session *sess, uin_t sender)
+static void gg_image_queue_parse(struct gg_event *e, char *p, unsigned int len, struct gg_session *sess, uin_t sender)
 {
 	struct gg_msg_image_reply *i = (void*) p;
 	struct gg_image_queue *q, *qq;
@@ -394,7 +394,7 @@
 					goto malformed;
 				}
 
-				gg_image_queue_parse(e, p, (int)(packet_end - p), sess, gg_fix32(r->sender));
+				gg_image_queue_parse(e, p, (unsigned int)(packet_end - p), sess, gg_fix32(r->sender));
 
 				return 0;
 			}
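Review bot: The new `(unsigned int)(packet_end - p)` cast on the gg_image_queue_parse call turns a negative pointer difference into a very large length, so the bounds check that precedes the `goto malformed` above is now the only thing keeping a short packet out of the parser; if that check does not already establish `p <= packet_end`, add `if (p > packet_end) goto malformed;` directly before the call. The matching signature change in the earlier hunk (line 50) gives the callee an unsigned `len` whose body lies outside the hunk, so any `len` comparisons there should be re-read with unsigned semantics in mind. The enclosing switch case starts outside this hunk.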
@@ -471,7 +471,7 @@
 		case GG_NOTIFY_REPLY:
 		{
 			struct gg_notify_reply *n = (void*) p;
-			int count, i;
+			unsigned int count, i;
 			char *tmp;
 
 			gg_debug(GG_DEBUG_MISC, "// gg_watch_fd_connected() received a notify reply\n");
@@ -720,7 +720,7 @@
 
 			if (h->length > 1) {
 				char *tmp;
-				int len = (sess->userlist_reply) ? strlen(sess->userlist_reply) : 0;
+				unsigned int len = (sess->userlist_reply) ? strlen(sess->userlist_reply) : 0;
 				
 				gg_debug(GG_DEBUG_MISC, "userlist_reply=%p, len=%d\n", sess->userlist_reply, len);
 				
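Review bot: `len` is now `unsigned int` but the gg_debug call on the following line still prints it with `%d`; the format should become `"userlist_reply=%p, len=%u\n"`. The same mismatch appears in the dcc.c hunk, where gg_dcc_debug_data's `size` becomes `unsigned int` but is still printed with `len=%d` at line 256. Since strlen returns `size_t`, the initializer also narrows on LP64 targets; declaring `size_t len` (and printing with `%zu`) would avoid both issues if the later uses permit it. The enclosing function continues outside the hunk.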
diff -u ekg-1.5+20050411/lib/libgadu.c ekg-1.5+20050411/lib/libgadu.c
--- ekg-1.5+20050411/lib/libgadu.c	2005-05-08 22:39:34.000000000 +0200
+++ ekg-1.5+20050411/lib/libgadu.c	2005-05-24 19:06:27.000000000 +0200
@@ -1,4 +1,4 @@
-/* $Id: libgadu.c,v 1.144 2005/04/12 15:39:22 szalik Exp $ */
+/* $Id: libgadu.c,v 1.146 2005/05/23 16:38:38 wojtekka Exp $ */
 
 /*
  *  (C) Copyright 2001-2003 Wojtek Kaniewski <wojtekka@irc.pl>
@@ -72,7 +72,7 @@
 #ifdef __GNUC__
 __attribute__ ((unused))
 #endif
-= "$Id: libgadu.c,v 1.144 2005/04/12 15:39:22 szalik Exp $";
+= "$Id: libgadu.c,v 1.146 2005/05/23 16:38:38 wojtekka Exp $";
 #endif 
 
 /*
@@ -455,7 +455,9 @@
  *
  *  - sess - opis sesji
  *
- * w przypadku błędu NULL, kod błędu w errno.
+ * w przypadku błędu NULL, kod błędu w errno. należy zwrócić uwagę, że gdy
+ * połączenie jest nieblokujące, a kod błędu wynosi EAGAIN, nie udało się
+ * odczytać całego pakietu i nie należy tego traktować jako błąd.
  */
 void *gg_recv_packet(struct gg_session *sess)
 {
@@ -486,7 +488,7 @@
 			gg_debug(GG_DEBUG_MISC, "// gg_recv_packet() header recv(%d,%p,%d) = %d\n", sess->fd, &h + sess->header_done, sizeof(h) - sess->header_done, ret);
 
 			if (!ret) {
-				errno = 0;
+				errno = ECONNRESET;
 				gg_debug(GG_DEBUG_MISC, "// gg_recv_packet() header recv() failed: connection broken\n");
 				return NULL;
 			}
@@ -551,11 +553,20 @@
 	while (size > 0) {
 		ret = gg_read(sess, buf + sizeof(h) + offset, size);
 		gg_debug(GG_DEBUG_MISC, "// gg_recv_packet() body recv(%d,%p,%d) = %d\n", sess->fd, buf + sizeof(h) + offset, size, ret);
+		if (!ret) {
+			gg_debug(GG_DEBUG_MISC, "// gg_recv_packet() body recv() failed: connection broken\n");
+			errno = ECONNRESET;
+			return NULL;
+		}
 		if (ret > -1 && ret <= size) {
 			offset += ret;
 			size -= ret;
 		} else if (ret == -1) {	
+			int errno2 = errno;
+
 			gg_debug(GG_DEBUG_MISC, "// gg_recv_packet() body recv() failed (errno=%d, %s)\n", errno, strerror(errno));
+			errno = errno2;
+
 			if (errno == EAGAIN) {
 				gg_debug(GG_DEBUG_MISC, "// gg_recv_packet() %d bytes received, %d left\n", offset, size);
 				sess->recv_buf = buf;
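Review bot: The new `if (!ret)` branch returns NULL without releasing `buf`, while the EAGAIN path a few lines down hands the same pointer to `sess->recv_buf`, which suggests `buf` is a heap allocation owned by this function; if so, a peer that closes the connection mid-packet leaks one buffer per call. Compare with how the non-EAGAIN error path below the hunk disposes of `buf` and add a matching `free(buf);` before the new `return NULL;`. The `errno2` save/restore around gg_debug is the right fix for the contract the changelog describes, and the new branch assigns errno after its own gg_debug call, so it is not affected by the same clobbering. The enclosing function continues outside the hunk.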
only in patch2:
unchanged:
--- ekg-1.5+20050411.orig/lib/common.c	2005-03-20 01:43:44.000000000 +0100
+++ ekg-1.5+20050411/lib/common.c	2005-05-24 19:06:29.000000000 +0200
@@ -1,4 +1,4 @@
-/* $Id: common.c,v 1.68 2005/03/20 00:43:44 szalik Exp $ */
+/* $Id: common.c,v 1.70 2005/05/23 16:27:15 wojtekka Exp $ */
 
 /*
  *  (C) Copyright 2001-2002 Wojtek Kaniewski <wojtekka@irc.pl>
@@ -294,12 +294,16 @@
  *  - buf - wskaźnik do bufora
  *  - length - długość bufora
  *
- * jeśli trafi na błąd odczytu, zwraca NULL. inaczej zwraca buf.
+ * jeśli trafi na błąd odczytu lub podano nieprawidłowe parametry, zwraca NULL.
+ * inaczej zwraca buf.
  */
 char *gg_read_line(int sock, char *buf, int length)
 {
 	int ret;
 
+	if (!buf || length < 0)
+		return NULL;
+
 	for (; length > 1; buf++, length--) {
 		do {
 			if ((ret = read(sock, buf, 1)) == -1 && errno != EINTR) {
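Review bot: The new guard `if (!buf || length < 0)` still admits `length == 0`; the loop below runs only while `length > 1`, so if the function terminates the string after the loop (that code is outside the hunk) a zero-length buffer receives one byte. If that is the case the guard should read `if (!buf || length < 1)` so a caller passing an empty buffer gets NULL instead of a one-byte overflow. gg_read_line continues outside the hunk.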
@@ -360,7 +364,7 @@
 {
 	char *q, *buf, hex[] = "0123456789abcdef";
 	const char *p;
-	int size = 0;
+	unsigned int size = 0;
 
 	if (!str)
 		str = "";
@@ -412,18 +416,18 @@
 	va_start(ap, format);
 
 	for (j = 0; j < strlen(format); j++) {
-		unsigned char *arg, buf[16];
+		char *arg, buf[16];
 
 		if (format[j] == 'u') {
 			snprintf(buf, sizeof(buf), "%d", va_arg(ap, uin_t));
 			arg = buf;
 		} else {
-			if (!(arg = va_arg(ap, unsigned char*)))
+			if (!(arg = va_arg(ap, char*)))
 				arg = "";
 		}	
 
 		i = 0;
-		while ((c = (int) arg[i++]) != 0) {
+		while ((c = (unsigned char) arg[i++]) != 0) {
 			a = (c ^ b) + (c << 8);
 			b = (a >> 24) | (a << 8);
 		}
@@ -613,7 +617,7 @@
 char *gg_base64_encode(const char *buf)
 {
 	char *out, *res;
-	int i = 0, j = 0, k = 0, len = strlen(buf);
+	unsigned int i = 0, j = 0, k = 0, len = strlen(buf);
 	
 	res = out = malloc((len / 3 + 1) * 4 + 2);
 
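Review bot: gg_base64_encode still calls `strlen(buf)` in its declaration line with no NULL check, whereas the decode counterpart in the next hunk begins with `if (!buf) return NULL;`; given that the changelog names missing input-parameter checks as a DoS cause, the encoder should get the same guard ahead of the `strlen`. Narrowing the `size_t` from strlen into `unsigned int len` also moves the `malloc((len / 3 + 1) * 4 + 2)` arithmetic to 32-bit on LP64 targets; `size_t len` would keep the size computation in the right width. Whether the malloc result is checked is not visible here, as the function continues outside the hunk.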
@@ -671,7 +675,7 @@
 {
 	char *res, *save, *foo, val;
 	const char *end;
-	int index = 0;
+	unsigned int index = 0;
 
 	if (!buf)
 		return NULL;
@@ -765,7 +769,7 @@
 static void gg_crc32_make_table()
 {
 	uint32_t h = 1;
-	int i, j;
+	unsigned int i, j;
 
 	memset(gg_crc32_table, 0, sizeof(gg_crc32_table));
 
@@ -795,6 +799,9 @@
 	if (!gg_crc32_initialized)
 		gg_crc32_make_table();
 
+	if (!buf || len < 0)
+		return crc;
+
 	crc ^= 0xffffffffL;
 
 	while (len--)
only in patch2:
unchanged:
--- ekg-1.5+20050411.orig/lib/dcc.c	2005-03-20 01:43:44.000000000 +0100
+++ ekg-1.5+20050411/lib/dcc.c	2005-05-24 19:06:30.000000000 +0200
@@ -1,4 +1,4 @@
-/* $Id: dcc.c,v 1.68 2005/03/20 00:43:44 szalik Exp $ */
+/* $Id: dcc.c,v 1.69 2005/05/22 08:41:54 wojtekka Exp $ */
 
 /*
  *  (C) Copyright 2001-2002 Wojtek Kaniewski <wojtekka@irc.pl>
@@ -52,9 +52,9 @@
  *  - buf - bufor z danymi
  *  - size - rozmiar danych
  */
-static void gg_dcc_debug_data(const char *prefix, int fd, const void *buf, int size)
+static void gg_dcc_debug_data(const char *prefix, int fd, const void *buf, unsigned int size)
 {
-	int i;
+	unsigned int i;
 	
 	gg_debug(GG_DEBUG_MISC, "++ gg_dcc %s (fd=%d,len=%d)", prefix, fd, size);
 	
