A FPEnumerate request with a reply size of ~8192 or more can cause

a buffer overrun in the dsi->data field. Revealed while testing with loadtest
from the testsuite. Use new constant REPLY_PARAM_MAXLEN to back off in time.

diff --git a/bin/cnid/cnid2_create.in b/bin/cnid/cnid2_create.in
index 53b64c0e0cd4922915a821fcb0bb1138c40eb131..f66601e08b172622d6b7e4b15129a49934b8c34c 100755 (executable)
--- a/bin/cnid/cnid2_create.in
+++ b/bin/cnid/cnid2_create.in
@@ -1,5 +1,15 @@
 #!@PERL@
 
+#
+# Upgrade version 1 CNID databases to version 2
+#
+# $Id: cnid2_create.in,v 1.1.2.2 2004-01-02 17:20:57 lenneis Exp $
+#
+# Copyright (C) Joerg Lenneis 2003
+# All Rights Reserved.  See COPYRIGHT.
+#
+#
+
 use strict;
 
 

diff --git a/etc/afpd/enumerate.c b/etc/afpd/enumerate.c
index 5875cc8fd130e144a7c83dcf69770d89cc5e312e..8fd284ce4fe6d9d0a07602f581aada63f447d80b 100644 (file)
--- a/etc/afpd/enumerate.c
+++ b/etc/afpd/enumerate.c
@@ -1,5 +1,5 @@
 /*
- * $Id: enumerate.c,v 1.39.2.2.2.1 2003-09-09 16:42:20 didg Exp $
+ * $Id: enumerate.c,v 1.39.2.2.2.2 2004-01-02 17:20:57 lenneis Exp $
  *
  * Copyright (c) 1990,1993 Regents of The University of Michigan.
  * All Rights Reserved.  See COPYRIGHT.
@@ -215,6 +215,13 @@ for_each_dirent(const struct vol *vol, char *name, dir_loop fn, void *data)
     return ret;
 }
 
+/* This is the maximal length of a single entry for a file/dir in the reply
+   block if all bits in the file/dir bitmap are set: header(4) + params(104) +
+   macnamelength(1) + macname(31) + utf8(4) + utf8namelen(2) + utf8name(255) +
+   oddpadding(1) */
+
+#define REPLY_PARAM_MAXLEN (4 + 104 + 1 + MACFILELEN + 4 + 2 + 255 + 1)
+
 /* ----------------------------- */
 static int enumerate(obj, ibuf, ibuflen, rbuf, rbuflen, ext )
 AFPObj       *obj;
@@ -312,7 +319,7 @@ int     ext;
     header = (ext)?4:2;
     header *=sizeof( u_char );
     
-    maxsz = min(maxsz, *rbuflen);
+    maxsz = min(maxsz, *rbuflen - REPLY_PARAM_MAXLEN);
     o_path = cname( vol, dir, &ibuf );
 
     if (afp_errno == AFPERR_NOOBJ)