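--- a/openslp-2.0.0/common/slp_buffer.c
+++ b/openslp-2.0.0/common/slp_buffer.c
@@ -30,6 +30,13 @@
 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *-------------------------------------------------------------------------*/
 
+/* Copyright (c) 2019 VMware, Inc.
+ * SPDX-License-Identifier: BSD-3-Clause
+ * This file is provided under the BSD-3-Clause license.
+ * See COPYING file for more details and other copyrights
+ * that may apply.
+ */
+
 /** Functions for managing SLP message buffers.
 *
 * This file provides a higher level abstraction over malloc and free that
@@ -153,4 +160,20 @@ void SLPBufferFree(SLPBuffer buf)
 xfree(buf);
 }
 
+/** Report remaining free buffer size in bytes.
+ *
+ * Check if buffer is allocated and if so return bytes left in a
+ * @c SLPBuffer object.
+ *
+ * @param[in] buf The SLPBuffer to be freed.
+ */
+size_t
+RemainingBufferSpace(SLPBuffer buf)
+{
+ if (buf->allocated == 0) {
+ return 0;
+ }
+ return buf->end - buf->curpos;
+}
+
 /*=========================================================================*/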
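Review bot: `RemainingBufferSpace` converts the `ptrdiff_t` result of `buf->end - buf->curpos` to `size_t`, so a buffer whose `curpos` has already moved past `end` reports a huge remaining size and every caller's `>=` bounds check then passes; it also dereferences `buf` without a NULL check. Assuming `curpos` and `end` point into the same allocation, I would guard both: `if (buf == NULL || buf->allocated == 0 || buf->curpos > buf->end) {` before the `return 0;`. The Doxygen `@param[in]` line still says "The SLPBuffer to be freed", copied from `SLPBufferFree`; it should read `@param[in] buf The SLPBuffer to inspect.` and a `@return Bytes available between curpos and end, or 0 if nothing is allocated.` line would complete the contract.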
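--- a/openslp-2.0.0/common/slp_buffer.h
+++ b/openslp-2.0.0/common/slp_buffer.h
@@ -30,6 +30,13 @@
 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *-------------------------------------------------------------------------*/
 
+/* Copyright (c) 2019 VMware, Inc.
+ * SPDX-License-Identifier: BSD-3-Clause
+ * This file is provided under the BSD-3-Clause license.
+ * See COPYING file for more details and other copyrights
+ * that may apply.
+ */
+
 /** Header file that defines SLP message buffer management routines.
 *
 * Includes structures, constants and functions that used to handle memory
@@ -78,6 +85,8 @@ SLPBuffer SLPBufferListRemove(SLPBuffer
 
 SLPBuffer SLPBufferListAdd(SLPBuffer * list, SLPBuffer buf);
 
+size_t RemainingBufferSpace(SLPBuffer buf);
+
 /*! @} */
 
 #endif /* SLP_BUFFER_H_INCLUDED */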
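--- a/openslp-2.0.0/slpd/slpd_process.c
+++ b/openslp-2.0.0/slpd/slpd_process.c
@@ -30,6 +30,13 @@
 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *-------------------------------------------------------------------------*/
 
+/* Copyright (c) 2019 VMware, Inc.
+ * SPDX-License-Identifier: BSD-3-Clause
+ * This file is provided under the BSD-3-Clause license.
+ * See COPYING file for more details and other copyrights
+ * that may apply.
+ */
+
 /** Processes incoming SLP messages.
 *
 * @file slpd_process.c
@@ -523,13 +530,27 @@ RESPOND:
 {
 for (i = 0; i < db->urlcount; i++)
 {
- /* urlentry is the url from the db result */
 urlentry = db->urlarray[i];
+ if (urlentry->opaque != NULL) {
+ const int64_t newsize = size + urlentry->opaquelen;
+ if (urlentry->opaquelen <= 0 || newsize > INT_MAX)
+ {
+ SLPDLog("Invalid opaquelen %d or sizeo of opaque url is too big, size=%d\n",
+ urlentry->opaquelen, size);
+ errorcode = SLP_ERROR_PARSE_ERROR;
+ goto FINISHED;
+ }
+ size += urlentry->opaquelen;
+ }
+ else
+ {
+ /* urlentry is the url from the db result */
+ size += urlentry->urllen + 6; /* 1 byte for reserved */
+ /* 2 bytes for lifetime */
+ /* 2 bytes for urllen */
+ /* 1 byte for authcount */
+ }
 
- size += urlentry->urllen + 6; /* 1 byte for reserved */
- /* 2 bytes for lifetime */
- /* 2 bytes for urllen */
- /* 1 byte for authcount */
 #ifdef ENABLE_SLPv2_SECURITY
 /* make room to include the authblock that was asked for */
 if (G_SlpdProperty.securityEnabled
@@ -603,7 +624,7 @@ RESPOND:
 urlentry = db->urlarray[i];
 
 #ifdef ENABLE_SLPv1
- if (urlentry->opaque == 0)
+ if (urlentry->opaque == NULL)
 {
 /* url-entry reserved */
 *result->curpos++ = 0;
@@ -615,8 +636,18 @@ RESPOND:
 PutUINT16(&result->curpos, urlentry->urllen);
 
 /* url-entry url */
- memcpy(result->curpos, urlentry->url, urlentry->urllen);
- result->curpos += urlentry->urllen;
+ if (RemainingBufferSpace(result) >= urlentry->urllen)
+ {
+ memcpy(result->curpos, urlentry->url, urlentry->urllen);
+ result->curpos = result->curpos + urlentry->urllen;
+ }
+ else
+ {
+ SLPDLog("Url too big (ask: %d have %" PRId64 "), failing request\n",
+ urlentry->opaquelen, (int64_t) RemainingBufferSpace(result));
+ errorcode = SLP_ERROR_PARSE_ERROR;
+ goto FINISHED;
+ }
 
 /* url-entry auths */
 *result->curpos++ = 0;
@@ -630,8 +661,18 @@ RESPOND:
 
 /* TRICKY: Fix up the lifetime. */
 TO_UINT16(urlentry->opaque + 1, urlentry->lifetime);
- memcpy(result->curpos, urlentry->opaque, urlentry->opaquelen);
- result->curpos += urlentry->opaquelen;
+ if (RemainingBufferSpace(result) >= urlentry->opaquelen)
+ {
+ memcpy(result->curpos, urlentry->opaque, urlentry->opaquelen);
+ result->curpos = result->curpos + urlentry->opaquelen;
+ }
+ else
+ {
+ SLPDLog("Opaque Url too big (ask: %d have %" PRId64 "), failing request\n",
+ urlentry->opaquelen, (int64_t) RemainingBufferSpace(result));
+ errorcode = SLP_ERROR_PARSE_ERROR;
+ goto FINISHED;
+ }
 }
 }
 }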
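Review bot: In the size-accounting hunk (`@@ -523,13 +530,27 @@`), `const int64_t newsize = size + urlentry->opaquelen;` widens only after the addition, so if `size` and `opaquelen` are `int` (the `%d` conversions in the log call suggest they are) the sum can already have wrapped before `newsize > INT_MAX` is evaluated and the overflow guard never fires; write it as `const int64_t newsize = (int64_t) size + urlentry->opaquelen;`. The same hunk puts no lower bound on `urlentry->urllen` in the `else` branch, and in the `@@ -615` hunk `RemainingBufferSpace(result) >= urlentry->urllen` compares a `size_t` with what looks like a signed length, so a negative `urllen` would be promoted and pass — presumably it is validated when the entry is stored, but a `urllen < 0` check alongside the `opaquelen <= 0` one would be cheap. Also in that `@@ -615` hunk the "Url too big" message logs `urlentry->opaquelen` although the check was against `urllen`; it should print `urlentry->urllen`. The `sizeo of` in the first log string is a typo for `size of`. The enclosing function starts and ends outside these hunks.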