git-svn: trunk@1940
Tomasz Kojm authored on 2006/05/02 02:57:09... | ... |
@@ -1,3 +1,9 @@ |
1 |
+Mon May 1 19:54:57 CEST 2006 (tk) |
|
2 |
+---------------------------------- |
|
3 |
+ * freshclam/manager.c: fix possible buffer overflow |
|
4 |
+ Reported by Ulf Harnhammar <metaur*telia.com> and Peter <remllov_*gmx.de> |
|
5 |
+ See http://www.clamav.net/security/0.88.2.html for details. |
|
6 |
+ |
|
1 | 7 |
Sun Apr 30 19:23:35 BST 2006 (njh) |
2 | 8 |
---------------------------------- |
3 | 9 |
* libclamav/mbox.c: Fix compilation error on CYGWIN (correctly this time) |
... | ... |
@@ -704,9 +704,9 @@ struct cl_cvd *remote_cvdhead(const char *file, int socketfd, const char *hostna |
704 | 704 |
*ims = 1; |
705 | 705 |
} |
706 | 706 |
|
707 |
- ch = buffer; |
|
708 |
- i = 0; |
|
709 |
- while (1) { |
|
707 |
+ i = 3; |
|
708 |
+ ch = buffer + i; |
|
709 |
+ while(i < sizeof(buffer)) { |
|
710 | 710 |
if (*ch == '\n' && *(ch - 1) == '\r' && *(ch - 2) == '\n' && *(ch - 3) == '\r') { |
711 | 711 |
ch++; |
712 | 712 |
i++; |
... | ... |
@@ -714,7 +714,12 @@ struct cl_cvd *remote_cvdhead(const char *file, int socketfd, const char *hostna |
714 | 714 |
} |
715 | 715 |
ch++; |
716 | 716 |
i++; |
717 |
- } |
|
717 |
+ } |
|
718 |
+ |
|
719 |
+ if(sizeof(buffer) - i < 512) { |
|
720 |
+ mprintf("@Malformed CVD header detected.\n"); |
|
721 |
+ return NULL; |
|
722 |
+ } |
|
718 | 723 |
|
719 | 724 |
memset(head, 0, sizeof(head)); |
720 | 725 |
|
... | ... |
@@ -805,7 +810,7 @@ int get_database(const char *dbfile, int socketfd, const char *file, const char |
805 | 805 |
while (1) { |
806 | 806 |
/* recv one byte at a time, until we reach \r\n\r\n */ |
807 | 807 |
|
808 |
- if(recv(socketfd, buffer + i, 1, 0) == -1) { |
|
808 |
+ if((i >= sizeof(buffer)) || recv(socketfd, buffer + i, 1, 0) == -1) { |
|
809 | 809 |
logg("^Error while reading database from %s\n", hostname); |
810 | 810 |
close(fd); |
811 | 811 |
unlink(file); |
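Review bot: In remote_cvdhead the new bound `while(i < sizeof(buffer))` and the check `if(sizeof(buffer) - i < 512)` measure against the buffer's capacity rather than the number of bytes actually received, so on a short response the `\r\n\r\n` scan and the later 512-byte header read can still run over bytes the server never sent. The recv() call that fills `buffer` is outside the visible hunks, so this is inferred. If its return value is kept, bound both by it, e.g. `while(i < nread)` and `if(i + 512 > nread)`, where `nread` is a placeholder name for that count. Both expressions also mix `i` with `size_t`, so it is worth confirming that `i` is unsigned or can never be negative. In get_database the existing "Error while reading database" message now also covers the `i >= sizeof(buffer)` case; a separate log line for an over-long response header would make a misbehaving mirror easier to spot.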