...
|
...
|
@@ -2167,6 +2167,32 @@ static char *pe_ordinal(char *dll, uint16_t ord)
|
2167
|
2167
|
return cli_strdup(name);
|
2168
|
2168
|
}
|
2169
|
2169
|
|
|
2170
|
+static int validate_impname(const char *name, uint32_t length, int dll)
|
|
2171
|
+{
|
|
2172
|
+ uint32_t i = 0;
|
|
2173
|
+ const char *c = name;
|
|
2174
|
+
|
|
2175
|
+ cli_dbgmsg("%s\n", name);
|
|
2176
|
+
|
|
2177
|
+ if (!name || length == 0)
|
|
2178
|
+ return CL_SUCCESS;
|
|
2179
|
+
|
|
2180
|
+ while (i < length && *c != '\0') {
|
|
2181
|
+ if ((*c >= '0' && *c <= '9') ||
|
|
2182
|
+ (*c >= 'a' && *c <= 'z') ||
|
|
2183
|
+ (*c >= 'A' && *c <= 'Z') ||
|
|
2184
|
+ (*c == '_') ||
|
|
2185
|
+ (dll && *c == '.')) {
|
|
2186
|
+
|
|
2187
|
+ c++;
|
|
2188
|
+ i++;
|
|
2189
|
+ } else
|
|
2190
|
+ return CL_BREAK;
|
|
2191
|
+ }
|
|
2192
|
+
|
|
2193
|
+ return CL_SUCCESS;
|
|
2194
|
+}
|
|
2195
|
+
|
2170
|
2196
|
static inline int scan_pe_impfuncs(cli_ctx *ctx, void *md5ctx, uint32_t *itsz, struct pe_image_import_descriptor *image, char *dllname, struct cli_exe_section *exe_sections, uint16_t nsections, uint32_t hdr_size, int pe_plus, int *first){
|
2171
|
2197
|
uint32_t toff, offset;
|
2172
|
2198
|
fmap_t *map = *ctx->fmap;
|
...
|
...
|
@@ -2214,6 +2240,8 @@ static inline int scan_pe_impfuncs(cli_ctx *ctx, void *md5ctx, uint32_t *itsz, s
|
2214
|
2214
|
} \
|
2215
|
2215
|
\
|
2216
|
2216
|
funclen = strlen(funcname); \
|
|
2217
|
+ if (validate_impname(funcname, funclen, 1) != CL_SUCCESS) \
|
|
2218
|
+ break; \
|
2217
|
2219
|
\
|
2218
|
2220
|
fname = cli_calloc(funclen + dlllen + 3, sizeof(char)); \
|
2219
|
2221
|
if (fname == NULL) { \
|
...
|
...
|
@@ -2366,7 +2394,8 @@ static int scan_pe_imptbl(cli_ctx *ctx, struct pe_image_data_dir *dirs, struct c
|
2366
|
2366
|
}
|
2367
|
2367
|
|
2368
|
2368
|
if ((buffer = fmap_need_off_once(map, offset, MIN(PE_MAXNAMESIZE, fsize-offset))) != NULL) {
|
2369
|
|
- /* TODO - sanitize dllname */
|
|
2369
|
+ if (validate_impname(dllname, MIN(PE_MAXNAMESIZE, fsize-offset), 1) != CL_SUCCESS)
|
|
2370
|
+ break;
|
2370
|
2371
|
dllname = strndup(buffer, MIN(PE_MAXNAMESIZE, fsize-offset));
|
2371
|
2372
|
if (dllname == NULL) {
|
2372
|
2373
|
cli_dbgmsg("IMPTBL: cannot duplicate dll name\n");
|