[xml/sgml-commit] r303 - in packages/libxml2/branches/unstable: . debian
Mike Hommey
glandium-guest@haydn.debian.org
Thu, 28 Oct 2004 02:40:02 -0600
Author: glandium-guest
Date: 2004-10-28 02:38:43 -0600 (Thu, 28 Oct 2004)
New Revision: 303
Modified:
packages/libxml2/branches/unstable/debian/changelog
packages/libxml2/branches/unstable/nanoftp.c
packages/libxml2/branches/unstable/nanohttp.c
Log:
Fix Buffer Overflow [CAN-2004-0989]
Modified: packages/libxml2/branches/unstable/debian/changelog
===================================================================
--- packages/libxml2/branches/unstable/debian/changelog 2004-10-28 08:25:08 UTC (rev 302)
+++ packages/libxml2/branches/unstable/debian/changelog 2004-10-28 08:38:43 UTC (rev 303)
@@ -1,3 +1,10 @@
+libxml2 (2.6.11-5) unstable; urgency=high
+
+ * Backport patch from libxml2-2.6.15 to fix buffer overflows [nanohttp.c,
+ nanoftp.c, CAN-2004-0989]
+
+ -- Mike Hommey <mh@glandium.org> Thu, 28 Oct 2004 17:34:54 +0900
+
libxml2 (2.6.11-4) unstable; urgency=low
* The "let's do some clean up for sarge" release.
Modified: packages/libxml2/branches/unstable/nanoftp.c
===================================================================
--- packages/libxml2/branches/unstable/nanoftp.c 2004-10-28 08:25:08 UTC (rev 302)
+++ packages/libxml2/branches/unstable/nanoftp.c 2004-10-28 08:38:43 UTC (rev 303)
@@ -355,8 +355,13 @@
if (cur[0] == '[') {
cur++;
- while (cur[0] != ']')
+ while ((cur[0] != ']') && (indx < XML_NANO_MAX_URLBUF-1))
buf[indx++] = *cur++;
+ if (indx >= XML_NANO_MAX_URLBUF-1) {
+ xmlGenericError(xmlGenericErrorContext,
+ "\nxmlNanoFTPScanURL: %s", "Syntax Error\n");
+ return;
+ }
if (!strchr (buf, ':')) {
xmlGenericError (xmlGenericErrorContext, "\nxmlNanoFTPScanURL: %s",
@@ -604,8 +609,14 @@
if (cur[0] == '[') {
cur++;
- while (cur[0] != ']')
+ while ((cur[0] != ']') && (indx < XML_NANO_MAX_URLBUF-1))
buf[indx++] = *cur++;
+ if (indx >= XML_NANO_MAX_URLBUF-1) {
+ xmlGenericError (xmlGenericErrorContext,
+ "\nxmlNanoFTPScanProxy: %s", "Syntax error\n");
+ return;
+ }
+
if (!strchr (buf, ':')) {
xmlGenericError (xmlGenericErrorContext, "\nxmlNanoFTPScanProxy: %s",
"Use [IPv6]/IPv4 format\n");
@@ -1095,22 +1106,25 @@
if (!tmp) {
if (result)
freeaddrinfo (result);
+ __xmlIOErr(XML_FROM_FTP, 0, "getaddrinfo failed");
return (-1);
}
+ if (tmp->ai_addrlen > sizeof(ctxt->ftpAddr)) {
+ __xmlIOErr(XML_FROM_FTP, 0, "gethostbyname address mismatch");
+ return (-1);
+ }
+ if (tmp->ai_family == AF_INET6) {
+ memcpy (&ctxt->ftpAddr, tmp->ai_addr, tmp->ai_addrlen);
+ ((struct sockaddr_in6 *) &ctxt->ftpAddr)->sin6_port = htons (port);
+ ctxt->controlFd = socket (AF_INET6, SOCK_STREAM, 0);
+ }
else {
- if (tmp->ai_family == AF_INET6) {
- memcpy (&ctxt->ftpAddr, tmp->ai_addr, tmp->ai_addrlen);
- ((struct sockaddr_in6 *) &ctxt->ftpAddr)->sin6_port = htons (port);
- ctxt->controlFd = socket (AF_INET6, SOCK_STREAM, 0);
- }
- else {
- memcpy (&ctxt->ftpAddr, tmp->ai_addr, tmp->ai_addrlen);
- ((struct sockaddr_in *) &ctxt->ftpAddr)->sin_port = htons (port);
- ctxt->controlFd = socket (AF_INET, SOCK_STREAM, 0);
- }
- addrlen = tmp->ai_addrlen;
- freeaddrinfo (result);
+ memcpy (&ctxt->ftpAddr, tmp->ai_addr, tmp->ai_addrlen);
+ ((struct sockaddr_in *) &ctxt->ftpAddr)->sin_port = htons (port);
+ ctxt->controlFd = socket (AF_INET, SOCK_STREAM, 0);
}
+ addrlen = tmp->ai_addrlen;
+ freeaddrinfo (result);
}
else
#endif
@@ -1123,10 +1137,15 @@
__xmlIOErr(XML_FROM_FTP, 0, "gethostbyname failed");
return (-1);
}
+ if ((unsigned int) hp->h_length >
+ sizeof(((struct sockaddr_in *)&ctxt->ftpAddr)->sin_addr)) {
+ __xmlIOErr(XML_FROM_FTP, 0, "gethostbyname address mismatch");
+ return (-1);
+ }
- /*
- * Prepare the socket
- */
+ /*
+ * Prepare the socket
+ */
((struct sockaddr_in *)&ctxt->ftpAddr)->sin_family = AF_INET;
memcpy (&((struct sockaddr_in *)&ctxt->ftpAddr)->sin_addr,
hp->h_addr_list[0], hp->h_length);
Modified: packages/libxml2/branches/unstable/nanohttp.c
===================================================================
--- packages/libxml2/branches/unstable/nanohttp.c 2004-10-28 08:25:08 UTC (rev 302)
+++ packages/libxml2/branches/unstable/nanohttp.c 2004-10-28 08:38:43 UTC (rev 303)
@@ -1073,11 +1073,21 @@
for (res = result; res; res = res->ai_next) {
if (res->ai_family == AF_INET || res->ai_family == AF_INET6) {
if (res->ai_family == AF_INET6) {
+ if (res->ai_addrlen > sizeof(sockin6)) {
+ __xmlIOErr(XML_FROM_HTTP, 0, "address size mismatch\n");
+ freeaddrinfo (result);
+ return (-1);
+ }
memcpy (&sockin6, res->ai_addr, res->ai_addrlen);
sockin6.sin6_port = htons (port);
addr = (struct sockaddr *)&sockin6;
}
else {
+ if (res->ai_addrlen > sizeof(sockin)) {
+ __xmlIOErr(XML_FROM_HTTP, 0, "address size mismatch\n");
+ freeaddrinfo (result);
+ return (-1);
+ }
memcpy (&sockin, res->ai_addr, res->ai_addrlen);
sockin.sin_port = htons (port);
addr = (struct sockaddr *)&sockin;
@@ -1142,6 +1152,10 @@
for (i = 0; h->h_addr_list[i]; i++) {
if (h->h_addrtype == AF_INET) {
/* A records (IPv4) */
+ if ((unsigned int) h->h_length > sizeof(ia)) {
+ __xmlIOErr(XML_FROM_HTTP, 0, "address size mismatch\n");
+ return (-1);
+ }
memcpy (&ia, h->h_addr_list[i], h->h_length);
sockin.sin_family = h->h_addrtype;
sockin.sin_addr = ia;
@@ -1150,6 +1164,10 @@
#ifdef SUPPORT_IP6
} else if (have_ipv6 () && (h->h_addrtype == AF_INET6)) {
/* AAAA records (IPv6) */
+ if ((unsigned int) h->h_length > sizeof(ia6)) {
+ __xmlIOErr(XML_FROM_HTTP, 0, "address size mismatch\n");
+ return (-1);
+ }
memcpy (&ia6, h->h_addr_list[i], h->h_length);
sockin6.sin6_family = h->h_addrtype;
sockin6.sin6_addr = ia6;