*** src/lookups/dnsdb.c   Tue Oct  5 09:32:08 2004
- --- dnsdb.c	 Wed Dec 29 09:36:13 2004
***************
*** 125,131 ****
  /* If the type is PTR, we have to construct the relevant magic lookup
  key. This code is now in a separate function. */
  
! if (type == T_PTR)
    {
    dns_build_reverse(keystring, buffer);
    keystring = buffer;
- --- 125,131 ----
  /* If the type is PTR, we have to construct the relevant magic lookup
  key. This code is now in a separate function. */
  
! if (type == T_PTR && string_is_ip_address(keystring, NULL))
    {
    dns_build_reverse(keystring, buffer);
    keystring = buffer;
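Review bot: The comment above the changed condition still says the reverse-lookup key is built whenever the type is PTR, but the new test only does so when `string_is_ip_address(keystring, NULL)` accepts the key. A key that is not an IP address now appears to reach the lookup unchanged, and the comment should say so, e.g. `/* If the type is PTR and the key is an IP address, construct the relevant magic lookup key; any other key is looked up as given. */`. The enclosing function starts and ends outside the hunk, so what happens to a non-address key afterwards is inferred rather than visible here.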
*** src/host.c    Tue Oct  5 09:32:08 2004
- --- host.c	Wed Dec 29 09:43:17 2004
***************
*** 710,721 ****
  
    if (*p == ':') p++;
  
!   /* Split the address into components separated by colons. */
  
    while (*p != 0)
      {
      int len = Ustrcspn(p, ":");
      if (len == 0) nulloffset = ci;
      component[ci++] = p;
      p += len;
      if (*p == ':') p++;
- --- 754,771 ----
  
    if (*p == ':') p++;
  
!   /* Split the address into components separated by colons. The input address 
!   is supposed to be checked for syntax. There was a case where this was 
!   overlooked; to guard against that happening again, check here and crash if 
!   there is a violation. */
  
    while (*p != 0)
      {
      int len = Ustrcspn(p, ":");
      if (len == 0) nulloffset = ci;
+     if (ci > 7) log_write(0, LOG_MAIN|LOG_PANIC_DIE, 
+       "Internal error: invalid IPv6 address \"%s\" passed to host_aton()",
+       address);  
      component[ci++] = p;
      p += len;
      if (*p == ':') p++;
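Review bot: The new bound `ci > 7` is a bare literal that has to stay in step with the size of `component`, whose declaration is outside the hunk. Assuming `component` is a local array, tying the test to it with `if (ci >= (int)(sizeof(component)/sizeof(component[0])))` keeps the guard correct if the array ever changes. The guard protects the `component[ci++] = p;` store only if `log_write()` with `LOG_PANIC_DIE` never returns, so the new comment should state that dependency. Bracing the `if` would also help, since it controls a three-line call. The loop and the rest of host_aton() continue outside the hunk.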
*** src/auths/auth-spa.c  Tue Oct  5 09:32:08 2004
- --- auth-spa.c	  Wed Dec 29 10:55:58 2004
***************
*** 404,411 ****
    *out = '\0';
  }
  
  int
! spa_base64_to_bits (char *out, const char *in)
  /* base 64 to raw bytes in quasi-big-endian order, returning count of bytes */
  {
    int len = 0;
- --- 406,416 ----
    *out = '\0';
  }
  
+ 
+ /* The outlength parameter was added by PH, December 2004 */
+ 
  int
! spa_base64_to_bits (char *out, int outlength, const char *in)
  /* base 64 to raw bytes in quasi-big-endian order, returning count of bytes */
  {
    int len = 0;
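Review bot: The function comment under the new signature still documents only the byte count, but -1 is now also returned when the decoded output would exceed `outlength`. The guards in the following two hunks show that `out` can already hold one or two decoded bytes when that happens. Suggest extending the comment: `/* base 64 to raw bytes in quasi-big-endian order, returning count of bytes, or -1 for bad input or if more than outlength bytes would be written; out may be partly filled on failure */`. Every caller in this patch passes `sizeof(...)`, so it is also worth noting that `outlength` is the size of the destination in bytes. The function body continues outside this hunk.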
***************
*** 418,423 ****
- --- 423,430 ----
  
    do
      {
+       if (len >= outlength)                   /* Added by PH */
+         return (-1);                          /* Added by PH */
        digit1 = in[0];
        if (DECODE64 (digit1) == BAD)
         return (-1);
***************
*** 435,445 ****
- --- 442,456 ----
        ++len;
        if (digit3 != '=')
         {
+          if (len >= outlength)                   /* Added by PH */
+            return (-1);                          /* Added by PH */
           *out++ =
             ((DECODE64 (digit2) << 4) & 0xf0) | (DECODE64 (digit3) >> 2);
           ++len;
           if (digit4 != '=')
             {
+              if (len >= outlength)                   /* Added by PH */
+                return (-1);                          /* Added by PH */
               *out++ = ((DECODE64 (digit3) << 6) & 0xc0) | DECODE64 (digit4);
               ++len;
             }
*** src/auths/auth-spa.h  Tue Oct  5 09:32:08 2004
- --- auth-spa.h	  Wed Dec 29 10:55:58 2004
***************
*** 9,14 ****
- --- 11,19 ----
   * All the code used here was torn by Marc Prud'hommeaux out of the
   * Samba project (by Andrew Tridgell, Jeremy Allison, and others).
   */
+  
+ /* December 2004: The spa_base64_to_bits() function has no length checking in 
+ it. I have added a check. PH */ 
  
  /* It seems that some systems have existing but different definitions of some
  of the following types. I received a complaint about "int16" causing
***************
*** 75,81 ****
  #define spa_request_length(ptr) (((ptr)->buffer - (uint8x*)(ptr)) + (ptr)->bufIndex)
  
  void spa_bits_to_base64 (unsigned char *, const unsigned char *, int);
! int spa_base64_to_bits(char *, const char *);
  void spa_build_auth_response (SPAAuthChallenge *challenge,
         SPAAuthResponse *response, char *user, char *password);
  void spa_build_auth_request (SPAAuthRequest *request, char *user,
- --- 80,86 ----
  #define spa_request_length(ptr) (((ptr)->buffer - (uint8x*)(ptr)) + (ptr)->bufIndex)
  
  void spa_bits_to_base64 (unsigned char *, const unsigned char *, int);
! int spa_base64_to_bits(char *, int, const char *);
  void spa_build_auth_response (SPAAuthChallenge *challenge,
         SPAAuthResponse *response, char *user, char *password);
  void spa_build_auth_request (SPAAuthRequest *request, char *user,
*** src/auths/spa.c	    Tue Oct  5 09:32:08 2004
- --- spa.c Wed Dec 29 10:55:58 2004
***************
*** 133,139 ****
    return FAIL;
    }
  
! if (spa_base64_to_bits((char *)(&request), (const char *)(data)) < 0)
    {
    DEBUG(D_auth) debug_printf("auth_spa_server(): bad base64 data in "
    "request: %s\n", data);
- --- 135,141 ----
    return FAIL;
    }
  
! if (spa_base64_to_bits((char *)(&request), sizeof(request), (const char *)(data)) < 0)
    {
    DEBUG(D_auth) debug_printf("auth_spa_server(): bad base64 data in "
    "request: %s\n", data);
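Review bot: Both server calls, this one for `request` and the one in the next hunk for `response`, test the return only for `< 0` and discard the decoded byte count. A short but well-formed base64 string therefore leaves the rest of the struct holding whatever was there before. Unless the structs are cleared before the call, which is not visible in these hunks, later code would read fields the peer never supplied. Keeping the count, e.g. `int n = spa_base64_to_bits((char *)(&request), sizeof(request), (const char *)(data));`, and rejecting values below the fixed header size would close that. The debug text `bad base64 data` is also now printed when the input is merely too long for the struct.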
***************
*** 153,159 ****
    }
  
  /* dump client response */
! if (spa_base64_to_bits((char *)(&response), (const char *)(data)) < 0)
    {
    DEBUG(D_auth) debug_printf("auth_spa_server(): bad base64 data in "
    "response: %s\n", data);
- --- 155,161 ----
    }
  
  /* dump client response */
! if (spa_base64_to_bits((char *)(&response), sizeof(response), (const char *)(data)) < 0)
    {
    DEBUG(D_auth) debug_printf("auth_spa_server(): bad base64 data in "
    "response: %s\n", data);
***************
*** 319,325 ****
         /* convert the challenge into the challenge struct */
         DSPA("\n\n%s authenticator: challenge (%s)\n\n",
                 ablock->name, buffer + 4);
!        spa_base64_to_bits ((char *)(&challenge), (const char *)(buffer + 4));
  
         spa_build_auth_response (&challenge, &response,
                 CS username, CS password);
- --- 324,330 ----
         /* convert the challenge into the challenge struct */
         DSPA("\n\n%s authenticator: challenge (%s)\n\n",
                 ablock->name, buffer + 4);
!        spa_base64_to_bits ((char *)(&challenge), sizeof(challenge), (const char *)(buffer + 4));
  
         spa_build_auth_response (&challenge, &response,
                 CS username, CS password);
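Review bot: The return value of `spa_base64_to_bits()` is ignored at this call, so when the new length check or a bad character makes it return -1, the code still passes a partly filled `challenge` to `spa_build_auth_response()`. The two server-side calls in this file test `< 0`, and this client-side call should do the same, e.g. `if (spa_base64_to_bits((char *)(&challenge), sizeof(challenge), (const char *)(buffer + 4)) < 0)` followed by the authenticator's failure return. The surrounding function is outside the hunk, so the appropriate failure code and any cleanup have to be taken from there.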