Module Name: src
Committed By: snj
Date: Sat May 16 18:02:14 UTC 2015
Modified Files:
src/common/lib/libprop [netbsd-7]: prop_kern.c prop_object.c
prop_object_impl.h
Log Message:
Pull up following revision(s) (requested by christos in ticket #782):
common/lib/libprop/prop_kern.c: revision 1.19
common/lib/libprop/prop_object.c: revision 1.30
common/lib/libprop/prop_object_impl.h: revision 1.32
Limit size of xml buffer for userland requests (From Mateusz Kocielski)
--
Don't treat NUL (EOF) as SPACE. All the code that uses _PROP_ISSPACE() checks
explicitly for _PROP_EOF() anyway, and this can be abused to cause a run beyond
the end of the buffer (a DoS) (Mateusz Kocielski)
--
Now that _PROP_ISSPACE does not include the EOF check, put the check for
EOF inside the loop. Also fix another unbounded loop that did not check for
EOF. From Mateusz Kocielski
To generate a diff of this commit:
cvs rdiff -u -r1.17.22.1 -r1.17.22.2 src/common/lib/libprop/prop_kern.c
cvs rdiff -u -r1.29 -r1.29.4.1 src/common/lib/libprop/prop_object.c
cvs rdiff -u -r1.31 -r1.31.12.1 src/common/lib/libprop/prop_object_impl.h
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/common/lib/libprop/prop_kern.c
diff -u src/common/lib/libprop/prop_kern.c:1.17.22.1 src/common/lib/libprop/prop_kern.c:1.17.22.2
--- src/common/lib/libprop/prop_kern.c:1.17.22.1 Wed Dec 31 06:44:00 2014
+++ src/common/lib/libprop/prop_kern.c Sat May 16 18:02:14 2015
@@ -1,4 +1,4 @@
-/* $NetBSD: prop_kern.c,v 1.17.22.1 2014/12/31 06:44:00 snj Exp $ */
+/* $NetBSD: prop_kern.c,v 1.17.22.2 2015/05/16 18:02:14 snj Exp $ */
/*-
* Copyright (c) 2006, 2009 The NetBSD Foundation, Inc.
@@ -407,6 +407,9 @@ _prop_object_copyin(const struct plistre
char *buf;
int error;
+ if (pref->pref_len >= prop_object_copyin_limit)
+ return EINVAL;
+
/*
* Allocate an extra byte so we can guarantee NUL-termination.
*
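Review bot: The new length check at the top of _prop_object_copyin has no comment saying what it guards or why the comparison is `>=` rather than `>`, so a reader will read it as an off-by-one. The comment that follows says an extra byte is allocated for NUL-termination, which suggests `>=` is deliberate so that the allocation size itself (pref_len + 1) stays within the limit — worth stating next to the test: `/* Bound the userland-supplied length before allocating; >= keeps pref_len + 1 within the limit. */`. The definition of prop_object_copyin_limit is not in this diff, so whether it is a constant or a tunable, and whether its type matches pref_len for the comparison, cannot be confirmed here; the function begins before the hunk.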
Index: src/common/lib/libprop/prop_object.c
diff -u src/common/lib/libprop/prop_object.c:1.29 src/common/lib/libprop/prop_object.c:1.29.4.1
--- src/common/lib/libprop/prop_object.c:1.29 Fri Oct 18 18:26:20 2013
+++ src/common/lib/libprop/prop_object.c Sat May 16 18:02:14 2015
@@ -1,4 +1,4 @@
-/* $NetBSD: prop_object.c,v 1.29 2013/10/18 18:26:20 martin Exp $ */
+/* $NetBSD: prop_object.c,v 1.29.4.1 2015/05/16 18:02:14 snj Exp $ */
/*-
* Copyright (c) 2006, 2007 The NetBSD Foundation, Inc.
@@ -416,10 +416,11 @@ _prop_object_internalize_find_tag(struct
ctx->poic_tagname = cp;
- while (!_PROP_ISSPACE(*cp) && *cp != '/' && *cp != '>')
+ while (!_PROP_ISSPACE(*cp) && *cp != '/' && *cp != '>') {
+ if (_PROP_EOF(*cp))
+ return (false);
cp++;
- if (_PROP_EOF(*cp))
- return (false);
+ }
ctx->poic_tagname_len = cp - ctx->poic_tagname;
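Review bot: Each of the three rewritten scanning loops in _prop_object_internalize_find_tag (this hunk and the two that follow, starting at `ctx->poic_tagattr = cp;` and `ctx->poic_tagattrval = cp;`) now carries its own `_PROP_EOF` test inside the loop body, but nothing at the loop says why that test is required there, so a later cleanup could hoist it back out after the loop and reintroduce the over-read. The reason is the companion change in prop_object_impl.h, where `_PROP_ISSPACE()` no longer matches NUL; a one-line comment on the first loop would pin the invariant: `/* _PROP_ISSPACE() does not match NUL; every scan must stop at _PROP_EOF() itself. */`. The function begins before this hunk and continues past the third one, so any other scanning loops in it are not visible here.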
@@ -462,10 +463,11 @@ _prop_object_internalize_find_tag(struct
ctx->poic_tagattr = cp;
- while (!_PROP_ISSPACE(*cp) && *cp != '=')
+ while (!_PROP_ISSPACE(*cp) && *cp != '=') {
+ if (_PROP_EOF(*cp))
+ return (false);
cp++;
- if (_PROP_EOF(*cp))
- return (false);
+ }
ctx->poic_tagattr_len = cp - ctx->poic_tagattr;
@@ -477,10 +479,11 @@ _prop_object_internalize_find_tag(struct
return (false);
ctx->poic_tagattrval = cp;
- while (*cp != '\"')
+ while (*cp != '\"') {
+ if (_PROP_EOF(*cp))
+ return (false);
cp++;
- if (_PROP_EOF(*cp))
- return (false);
+ }
ctx->poic_tagattrval_len = cp - ctx->poic_tagattrval;
cp++;
Index: src/common/lib/libprop/prop_object_impl.h
diff -u src/common/lib/libprop/prop_object_impl.h:1.31 src/common/lib/libprop/prop_object_impl.h:1.31.12.1
--- src/common/lib/libprop/prop_object_impl.h:1.31 Fri Jul 27 09:10:59 2012
+++ src/common/lib/libprop/prop_object_impl.h Sat May 16 18:02:14 2015
@@ -1,4 +1,4 @@
-/* $NetBSD: prop_object_impl.h,v 1.31 2012/07/27 09:10:59 pooka Exp $ */
+/* $NetBSD: prop_object_impl.h,v 1.31.12.1 2015/05/16 18:02:14 snj Exp $ */
/*-
* Copyright (c) 2006 The NetBSD Foundation, Inc.
@@ -112,8 +112,7 @@ typedef enum {
#define _PROP_EOF(c) ((c) == '\0')
#define _PROP_ISSPACE(c) \
- ((c) == ' ' || (c) == '\t' || (c) == '\n' || (c) == '\r' || \
- _PROP_EOF(c))
+ ((c) == ' ' || (c) == '\t' || (c) == '\n' || (c) == '\r')
#define _PROP_TAG_MATCH(ctx, t) \
_prop_object_internalize_match((ctx)->poic_tagname, \