From 7eb9340e874129c8c446d6e349670f6b0d23206d Mon Sep 17 00:00:00 2001 From: lenneis Date: Fri, 2 Jan 2004 17:20:57 +0000 Subject: [PATCH] A FPEnumerate request with a reply size of ~8192 or more can cause a buffer overrun in the dsi->data field. Revealed while testing with loadtest from the testsuite. Use new constant REPLY_PARAM_MAXLEN to back off in time. --- bin/cnid/cnid2_create.in | 10 ++++++++++ etc/afpd/enumerate.c | 11 +++++++++-- 2 files changed, 19 insertions(+), 2 deletions(-) diff --git a/bin/cnid/cnid2_create.in b/bin/cnid/cnid2_create.in index 53b64c0e..f66601e0 100755 --- a/bin/cnid/cnid2_create.in +++ b/bin/cnid/cnid2_create.in @@ -1,5 +1,15 @@ #!@PERL@ +# +# Upgrade version 1 CNID databases to version 2 +# +# $Id: cnid2_create.in,v 1.1.2.2 2004-01-02 17:20:57 lenneis Exp $ +# +# Copyright (C) Joerg Lenneis 2003 +# All Rights Reserved. See COPYRIGHT. +# +# + use strict; diff --git a/etc/afpd/enumerate.c b/etc/afpd/enumerate.c index 5875cc8f..8fd284ce 100644 --- a/etc/afpd/enumerate.c +++ b/etc/afpd/enumerate.c @@ -1,5 +1,5 @@ /* - * $Id: enumerate.c,v 1.39.2.2.2.1 2003-09-09 16:42:20 didg Exp $ + * $Id: enumerate.c,v 1.39.2.2.2.2 2004-01-02 17:20:57 lenneis Exp $ * * Copyright (c) 1990,1993 Regents of The University of Michigan. * All Rights Reserved. See COPYRIGHT. @@ -215,6 +215,13 @@ for_each_dirent(const struct vol *vol, char *name, dir_loop fn, void *data) return ret; } +/* This is the maximal length of a single entry for a file/dir in the reply + block if all bits in the file/dir bitmap are set: header(4) + params(104) + + macnamelength(1) + macname(31) + utf8(4) + utf8namelen(2) + utf8name(255) + + oddpadding(1) */ + +#define REPLY_PARAM_MAXLEN (4 + 104 + 1 + MACFILELEN + 4 + 2 + 255 + 1) + /* ----------------------------- */ static int enumerate(obj, ibuf, ibuflen, rbuf, rbuflen, ext ) AFPObj *obj; 
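Review bot: In the `@@ -215,6 +215,13 @@` hunk, REPLY_PARAM_MAXLEN mixes the symbolic `MACFILELEN` with the bare literals `104` (parameter block) and `255` (UTF-8 name), and the comment's `macname(31)` is only true for the current value of MACFILELEN; nothing ties 104 or 255 to the bitmap/parameter sizes they are meant to cover, so widening a field or adding a bitmap bit elsewhere would silently make the bound too small and reopen the overrun this patch closes. If the file already has named constants for those per-bit parameter sizes and the UTF-8 name limit, the define should be built from them instead of the literals; otherwise the comment should say where 104 comes from and that it must be updated in lockstep, e.g. `/* 104 = sum of every parameter the file/dir bitmap can request; recompute when a bitmap bit is added */`. It would also help to state here that the value is a per-entry worst case used to stop filling the reply early, since that is the invariant the `maxsz` change later in the file relies on.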
@@ -312,7 +319,7 @@ int ext; header = (ext)?4:2; header *=sizeof( u_char ); - maxsz = min(maxsz, *rbuflen); + maxsz = min(maxsz, *rbuflen - REPLY_PARAM_MAXLEN); o_path = cname( vol, dir, &ibuf ); if (afp_errno == AFPERR_NOOBJ) -- 2.39.2
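Review bot: `maxsz = min(maxsz, *rbuflen - REPLY_PARAM_MAXLEN);` is not guarded against `*rbuflen` being smaller than REPLY_PARAM_MAXLEN; the types of `maxsz` and `*rbuflen` are outside this hunk, but if they are unsigned the subtraction wraps to a huge value and `min()` keeps the client-controlled `maxsz`, removing the protection exactly when the reply buffer is smallest, and if they are signed `maxsz` becomes negative with whatever effect the fill loop below has on a negative limit. A check before the line, e.g. `if (*rbuflen < REPLY_PARAM_MAXLEN) return AFPERR_PARAM;` (using whichever error code enumerate() already returns for an unusable request size), makes the bound hold for every buffer size. The enclosing enumerate() function starts before this hunk and continues after it, so the loop that consumes `maxsz` is not visible here.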