Browse code
Stop buffer overflows for files with very long suffixes
git-svn-id: file:///var/lib/svn/clamav-devel/trunk/clamav-devel@306 77e5149b-7576-45b1-b177-96237e5ba77b
Nigel Horne authored on 2004/02/18 22:32:34Showing 2 changed files
| ... | ... |
@@ -1,3 +1,8 @@ |
| 1 |
+Wed Feb 18 13:35:59 GMT 2004 (njh) |
|
| 2 |
+---------------------------------- |
|
| 3 |
+ * libclamav: Handle buffer overflows on files with long suffixes |
|
| 4 |
+ * clamav-milter: Added --dont-log-clean argument |
|
| 5 |
+ |
|
| 1 | 6 |
Wed Feb 18 10:12:54 GMT 2004 (njh) |
| 2 | 7 |
---------------------------------- |
| 3 | 8 |
* libclamav: Found some occurances of Yaha |
| ... | ... |
@@ -17,6 +17,9 @@ |
| 17 | 17 |
* |
| 18 | 18 |
* Change History: |
| 19 | 19 |
* $Log: mbox.c,v $ |
| 20 |
+ * Revision 1.46 2004/02/18 13:29:19 nigelhorne |
|
| 21 |
+ * Stop buffer overflows for files with very long suffixes |
|
| 22 |
+ * |
|
| 20 | 23 |
* Revision 1.45 2004/02/18 10:07:40 nigelhorne |
| 21 | 24 |
* Find some Yaha |
| 22 | 25 |
* |
| ... | ... |
@@ -126,7 +129,7 @@ |
| 126 | 126 |
* Compilable under SCO; removed duplicate code with message.c |
| 127 | 127 |
* |
| 128 | 128 |
*/ |
| 129 |
-static char const rcsid[] = "$Id: mbox.c,v 1.45 2004/02/18 10:07:40 nigelhorne Exp $"; |
|
| 129 |
+static char const rcsid[] = "$Id: mbox.c,v 1.46 2004/02/18 13:29:19 nigelhorne Exp $"; |
|
| 130 | 130 |
|
| 131 | 131 |
#if HAVE_CONFIG_H |
| 132 | 132 |
#include "clamav-config.h" |
| ... | ... |
@@ -1677,7 +1680,7 @@ static bool |
| 1677 | 1677 |
saveFile(const blob *b, const char *dir) |
| 1678 | 1678 |
{
|
| 1679 | 1679 |
unsigned long nbytes = blobGetDataSize(b); |
| 1680 |
- size_t len = 0; |
|
| 1680 |
+ size_t suffixLen = 0; |
|
| 1681 | 1681 |
int fd; |
| 1682 | 1682 |
const char *cptr, *suffix; |
| 1683 | 1683 |
unsigned char *data; |
| ... | ... |
@@ -1703,16 +1706,22 @@ saveFile(const blob *b, const char *dir) |
| 1703 | 1703 |
suffix = strrchr(cptr, '.'); |
| 1704 | 1704 |
if(suffix == NULL) |
| 1705 | 1705 |
suffix = ""; |
| 1706 |
- else |
|
| 1707 |
- len = strlen(suffix); |
|
| 1706 |
+ else {
|
|
| 1707 |
+ suffixLen = strlen(suffix); |
|
| 1708 |
+ if(suffixLen > 4) {
|
|
| 1709 |
+ /* Found a full stop which isn't a suffix */ |
|
| 1710 |
+ suffix = ""; |
|
| 1711 |
+ suffixLen = 0; |
|
| 1712 |
+ } |
|
| 1713 |
+ } |
|
| 1708 | 1714 |
} |
| 1709 | 1715 |
cli_dbgmsg("Saving attachment in %s/%s\n", dir, cptr);
|
| 1710 | 1716 |
|
| 1711 | 1717 |
/* |
| 1712 | 1718 |
* Allow for very long filenames. We have to truncate them to fit |
| 1713 | 1719 |
*/ |
| 1714 |
- snprintf(filename, sizeof(filename) - 1 - len, "%s/%.*sXXXXXX", dir, |
|
| 1715 |
- (int)(sizeof(filename) - 9 - len - strlen(dir)), cptr); |
|
| 1720 |
+ snprintf(filename, sizeof(filename) - 1 - suffixLen, "%s/%.*sXXXXXX", dir, |
|
| 1721 |
+ (int)(sizeof(filename) - 9 - suffixLen - strlen(dir)), cptr); |
|
| 1716 | 1722 |
|
| 1717 | 1723 |
/* |
| 1718 | 1724 |
* TODO: add a HAVE_MKSTEMP property |
| ... | ... |
@@ -1726,6 +1735,7 @@ saveFile(const blob *b, const char *dir) |
| 1726 | 1726 |
|
| 1727 | 1727 |
if(fd < 0) {
|
| 1728 | 1728 |
cli_errmsg("Can't create temporary file %s: %s\n", filename, strerror(errno));
|
| 1729 |
+ printf("%d %d %d\n", suffixLen, sizeof(filename), strlen(filename));
|
|
| 1729 | 1730 |
return FALSE; |
| 1730 | 1731 |
} |
| 1731 | 1732 |
|
| ... | ... |
@@ -1733,7 +1743,7 @@ saveFile(const blob *b, const char *dir) |
| 1733 | 1733 |
* Add the suffix back to the end of the filename. Tut-tut, filenames |
| 1734 | 1734 |
* should be independant of their usage on UNIX type systems. |
| 1735 | 1735 |
*/ |
| 1736 |
- if(len > 1) {
|
|
| 1736 |
+ if(suffixLen > 1) {
|
|
| 1737 | 1737 |
char stub[NAME_MAX + 1]; |
| 1738 | 1738 |
|
| 1739 | 1739 |
snprintf(stub, sizeof(stub), "%s%s", filename, suffix); |