@@ -1,3 +1,9 @@

+Mon May  1 19:54:57 CEST 2006 (tk)

+----------------------------------

+  * freshclam/manager.c: fix possible buffer overflow

+    Reported by Ulf Harnhammar <metaur*telia.com> and Peter <remllov_*gmx.de>

+    See http://www.clamav.net/security/0.88.2.html for details.

+

 Sun Apr 30 19:23:35 BST 2006 (njh)

 ----------------------------------

   * libclamav/mbox.c:	Fix compilation error on CYGWIN (correctly this time)

@@ -704,9 +704,9 @@ struct cl_cvd *remote_cvdhead(const char *file, int socketfd, const char *hostna

 	*ims = 1;

     }

-    ch = buffer;

-    i = 0;

-    while (1) {

+    i = 3;

+    ch = buffer + i;

+    while(i < sizeof(buffer)) {

       if (*ch == '\n' && *(ch - 1) == '\r' && *(ch - 2) == '\n' && *(ch - 3) == '\r') {

 	ch++;

 	i++;

@@ -714,7 +714,12 @@ struct cl_cvd *remote_cvdhead(const char *file, int socketfd, const char *hostna

       }

       ch++;

       i++;

-    }  

+    }

+

+    if(sizeof(buffer) - i < 512) {

+	mprintf("@Malformed CVD header detected.\n");

+	return NULL;

+    }

     memset(head, 0, sizeof(head));

@@ -805,7 +810,7 @@ int get_database(const char *dbfile, int socketfd, const char *file, const char

     while (1) {

       /* recv one byte at a time, until we reach \r\n\r\n */

-      if(recv(socketfd, buffer + i, 1, 0) == -1) {

+      if((i >= sizeof(buffer)) || recv(socketfd, buffer + i, 1, 0) == -1) {

         logg("^Error while reading database from %s\n", hostname);

         close(fd);

         unlink(file);