shaba/libxml2
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/libxml2.git synced 2024-12-25 23:21:26 +03:00
Code

second part of the security fix for xmlNanoFTPConnect() and

Browse Source 
* nanoftp.c nanohttp.c: second part of the security fix for
  xmlNanoFTPConnect() and xmlNanoHTTPConnectHost().
Daniel
This commit is contained in:
Daniel Veillard 2004-10-27 09:39:50 +00:00
parent 95ddcd3266
commit 8e2c9792e9
3 changed files with 47 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
ChangeLog
View File

@ -1,3 +1,8 @@
Wed Oct 27 11:44:35 CEST 2004 Daniel Veillard <daniel@veillard.com>
* nanoftp.c nanohttp.c: second part of the security fix for
xmlNanoFTPConnect() and xmlNanoHTTPConnectHost().
Tue Oct 26 23:57:02 CEST 2004 Daniel Veillard <daniel@veillard.com> Tue Oct 26 23:57:02 CEST 2004 Daniel Veillard <daniel@veillard.com>
* nanoftp.c: applied fixes for a couple of potential security problems * nanoftp.c: applied fixes for a couple of potential security problems

40
nanoftp.c
View File

@ -1106,22 +1106,25 @@ xmlNanoFTPConnect(void *ctx) {
if (!tmp) { if (!tmp) {
if (result) if (result)
freeaddrinfo (result); freeaddrinfo (result);
__xmlIOErr(XML_FROM_FTP, 0, "getaddrinfo failed");
return (-1); return (-1);
} }
else { if (tmp->ai_addrlen > sizeof(ctxt->ftpAddr)) {
if (tmp->ai_family == AF_INET6) { __xmlIOErr(XML_FROM_FTP, 0, "gethostbyname address mismatch");
memcpy (&ctxt->ftpAddr, tmp->ai_addr, tmp->ai_addrlen); return (-1);
((struct sockaddr_in6 *) &ctxt->ftpAddr)->sin6_port = htons (port);
ctxt->controlFd = socket (AF_INET6, SOCK_STREAM, 0);
}
else {
memcpy (&ctxt->ftpAddr, tmp->ai_addr, tmp->ai_addrlen);
((struct sockaddr_in *) &ctxt->ftpAddr)->sin_port = htons (port);
ctxt->controlFd = socket (AF_INET, SOCK_STREAM, 0);
}
addrlen = tmp->ai_addrlen;
freeaddrinfo (result);
} }
if (tmp->ai_family == AF_INET6) {
memcpy (&ctxt->ftpAddr, tmp->ai_addr, tmp->ai_addrlen);
((struct sockaddr_in6 *) &ctxt->ftpAddr)->sin6_port = htons (port);
ctxt->controlFd = socket (AF_INET6, SOCK_STREAM, 0);
}
else {
memcpy (&ctxt->ftpAddr, tmp->ai_addr, tmp->ai_addrlen);
((struct sockaddr_in *) &ctxt->ftpAddr)->sin_port = htons (port);
ctxt->controlFd = socket (AF_INET, SOCK_STREAM, 0);
}
addrlen = tmp->ai_addrlen;
freeaddrinfo (result);
} }
else else
#endif #endif
@ -1134,10 +1137,15 @@ xmlNanoFTPConnect(void *ctx) {
__xmlIOErr(XML_FROM_FTP, 0, "gethostbyname failed"); __xmlIOErr(XML_FROM_FTP, 0, "gethostbyname failed");
return (-1); return (-1);
} }
if (hp->h_length >
sizeof(((struct sockaddr_in *)&ctxt->ftpAddr)->sin_addr)) {
__xmlIOErr(XML_FROM_FTP, 0, "gethostbyname address mismatch");
return (-1);
}
/* /*
* Prepare the socket * Prepare the socket
*/ */
((struct sockaddr_in *)&ctxt->ftpAddr)->sin_family = AF_INET; ((struct sockaddr_in *)&ctxt->ftpAddr)->sin_family = AF_INET;
memcpy (&((struct sockaddr_in *)&ctxt->ftpAddr)->sin_addr, memcpy (&((struct sockaddr_in *)&ctxt->ftpAddr)->sin_addr,
hp->h_addr_list[0], hp->h_length); hp->h_addr_list[0], hp->h_length);

18
nanohttp.c
View File

@ -1072,11 +1072,21 @@ xmlNanoHTTPConnectHost(const char *host, int port)
for (res = result; res; res = res->ai_next) { for (res = result; res; res = res->ai_next) {
if (res->ai_family == AF_INET || res->ai_family == AF_INET6) { if (res->ai_family == AF_INET || res->ai_family == AF_INET6) {
if (res->ai_family == AF_INET6) { if (res->ai_family == AF_INET6) {
if (res->ai_addrlen > sizeof(sockin6)) {
__xmlIOErr(XML_FROM_HTTP, 0, "address size mismatch\n");
freeaddrinfo (result);
return (-1);
}
memcpy (&sockin6, res->ai_addr, res->ai_addrlen); memcpy (&sockin6, res->ai_addr, res->ai_addrlen);
sockin6.sin6_port = htons (port); sockin6.sin6_port = htons (port);
addr = (struct sockaddr *)&sockin6; addr = (struct sockaddr *)&sockin6;
} }
else { else {
if (res->ai_addrlen > sizeof(sockin)) {
__xmlIOErr(XML_FROM_HTTP, 0, "address size mismatch\n");
freeaddrinfo (result);
return (-1);
}
memcpy (&sockin, res->ai_addr, res->ai_addrlen); memcpy (&sockin, res->ai_addr, res->ai_addrlen);
sockin.sin_port = htons (port); sockin.sin_port = htons (port);
addr = (struct sockaddr *)&sockin; addr = (struct sockaddr *)&sockin;
@ -1141,6 +1151,10 @@ xmlNanoHTTPConnectHost(const char *host, int port)
for (i = 0; h->h_addr_list[i]; i++) { for (i = 0; h->h_addr_list[i]; i++) {
if (h->h_addrtype == AF_INET) { if (h->h_addrtype == AF_INET) {
/* A records (IPv4) */ /* A records (IPv4) */
if ((unsigned int) h->h_length > sizeof(ia)) {
__xmlIOErr(XML_FROM_HTTP, 0, "address size mismatch\n");
return (-1);
}
memcpy (&ia, h->h_addr_list[i], h->h_length); memcpy (&ia, h->h_addr_list[i], h->h_length);
sockin.sin_family = h->h_addrtype; sockin.sin_family = h->h_addrtype;
sockin.sin_addr = ia; sockin.sin_addr = ia;
@ -1149,6 +1163,10 @@ xmlNanoHTTPConnectHost(const char *host, int port)
#ifdef SUPPORT_IP6 #ifdef SUPPORT_IP6
} else if (have_ipv6 () && (h->h_addrtype == AF_INET6)) { } else if (have_ipv6 () && (h->h_addrtype == AF_INET6)) {
/* AAAA records (IPv6) */ /* AAAA records (IPv6) */
if ((unsigned int) h->h_length > sizeof(ia6)) {
__xmlIOErr(XML_FROM_HTTP, 0, "address size mismatch\n");
return (-1);
}
memcpy (&ia6, h->h_addr_list[i], h->h_length); memcpy (&ia6, h->h_addr_list[i], h->h_length);
sockin6.sin6_family = h->h_addrtype; sockin6.sin6_family = h->h_addrtype;
sockin6.sin6_addr = ia6; sockin6.sin6_addr = ia6;