| blob | 2afc0aed3302639b8e8e13527b5ac3e8ab129cae |
1 diff -ur openslp-2.0.0.orig/common/slp_buffer.c openslp-2.0.0/common/slp_buffer.c
2 --- openslp-2.0.0.orig/common/slp_buffer.c 2012-12-10 15:31:53.000000000 -0800
3 +++ openslp-2.0.0/common/slp_buffer.c 2019-11-26 21:54:20.000000000 -0800
4 @@ -30,6 +30,13 @@
5 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
6 *-------------------------------------------------------------------------*/
8 +/* Copyright (c) 2019 VMware, Inc.
9 + * SPDX-License-Identifier: BSD-3-Clause
10 + * This file is provided under the BSD-3-Clause license.
11 + * See COPYING file for more details and other copyrights
12 + * that may apply.
13 + */
14 +
15 /** Functions for managing SLP message buffers.
16 *
17 * This file provides a higher level abstraction over malloc and free that
18 @@ -153,4 +160,20 @@
19 xfree(buf);
20 }
22 +/** Report remaining free buffer size in bytes.
23 + *
24 + * Check if buffer is allocated and if so return bytes left in a
25 + * @c SLPBuffer object.
26 + *
27 + * @param[in] buf The SLPBuffer to be freed.
28 + */
29 +size_t
30 +RemainingBufferSpace(SLPBuffer buf)
31 +{
32 + if (buf->allocated == 0) {
33 + return 0;
34 + }
35 + return buf->end - buf->curpos;
36 +}
37 +
38 /*=========================================================================*/
39 diff -ur openslp-2.0.0.orig/common/slp_buffer.h openslp-2.0.0/common/slp_buffer.h
40 --- openslp-2.0.0.orig/common/slp_buffer.h 2012-11-28 09:07:04.000000000 -0800
41 +++ openslp-2.0.0/common/slp_buffer.h 2019-11-26 21:54:32.000000000 -0800
42 @@ -30,6 +30,13 @@
43 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
44 *-------------------------------------------------------------------------*/
46 +/* Copyright (c) 2019 VMware, Inc.
47 + * SPDX-License-Identifier: BSD-3-Clause
48 + * This file is provided under the BSD-3-Clause license.
49 + * See COPYING file for more details and other copyrights
50 + * that may apply.
51 + */
52 +
53 /** Header file that defines SLP message buffer management routines.
54 *
55 * Includes structures, constants and functions that used to handle memory
56 @@ -78,6 +85,8 @@
58 SLPBuffer SLPBufferListAdd(SLPBuffer * list, SLPBuffer buf);
60 +size_t RemainingBufferSpace(SLPBuffer buf);
61 +
62 /*! @} */
64 #endif /* SLP_BUFFER_H_INCLUDED */
65 diff -ur openslp-2.0.0.orig/slpd/slpd_process.c openslp-2.0.0/slpd/slpd_process.c
66 --- openslp-2.0.0.orig/slpd/slpd_process.c 2012-12-12 09:38:54.000000000 -0800
67 +++ openslp-2.0.0/slpd/slpd_process.c 2019-11-26 21:55:10.000000000 -0800
68 @@ -30,6 +30,13 @@
69 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
70 *-------------------------------------------------------------------------*/
72 +/* Copyright (c) 2019 VMware, Inc.
73 + * SPDX-License-Identifier: BSD-3-Clause
74 + * This file is provided under the BSD-3-Clause license.
75 + * See COPYING file for more details and other copyrights
76 + * that may apply.
77 + */
78 +
79 /** Processes incoming SLP messages.
80 *
81 * @file slpd_process.c
82 @@ -514,13 +521,27 @@
83 {
84 for (i = 0; i < db->urlcount; i++)
85 {
86 - /* urlentry is the url from the db result */
87 urlentry = db->urlarray[i];
88 + if (urlentry->opaque != NULL) {
89 + const int64_t newsize = size + urlentry->opaquelen;
90 + if (urlentry->opaquelen <= 0 || newsize > INT_MAX)
91 + {
92 + SLPDLog("Invalid opaquelen %d or sizeo of opaque url is too big, size=%d\n",
93 + urlentry->opaquelen, size);
94 + errorcode = SLP_ERROR_PARSE_ERROR;
95 + goto FINISHED;
96 + }
97 + size += urlentry->opaquelen;
98 + }
99 + else
100 + {
101 + /* urlentry is the url from the db result */
102 + size += urlentry->urllen + 6; /* 1 byte for reserved */
103 + /* 2 bytes for lifetime */
104 + /* 2 bytes for urllen */
105 + /* 1 byte for authcount */
106 + }
108 - size += urlentry->urllen + 6; /* 1 byte for reserved */
109 - /* 2 bytes for lifetime */
110 - /* 2 bytes for urllen */
111 - /* 1 byte for authcount */
112 #ifdef ENABLE_SLPv2_SECURITY
113 /* make room to include the authblock that was asked for */
114 if (G_SlpdProperty.securityEnabled
115 @@ -594,7 +615,7 @@
116 urlentry = db->urlarray[i];
118 #ifdef ENABLE_SLPv1
119 - if (urlentry->opaque == 0)
120 + if (urlentry->opaque == NULL)
121 {
122 /* url-entry reserved */
123 *result->curpos++ = 0;
124 @@ -606,8 +627,18 @@
125 PutUINT16(&result->curpos, urlentry->urllen);
127 /* url-entry url */
128 - memcpy(result->curpos, urlentry->url, urlentry->urllen);
129 - result->curpos += urlentry->urllen;
130 + if (RemainingBufferSpace(result) >= urlentry->urllen)
131 + {
132 + memcpy(result->curpos, urlentry->url, urlentry->urllen);
133 + result->curpos = result->curpos + urlentry->urllen;
134 + }
135 + else
136 + {
137 + SLPDLog("Url too big (ask: %d have %" PRId64 "), failing request\n",
138 + urlentry->opaquelen, (int64_t) RemainingBufferSpace(result));
139 + errorcode = SLP_ERROR_PARSE_ERROR;
140 + goto FINISHED;
141 + }
143 /* url-entry auths */
144 *result->curpos++ = 0;
145 @@ -621,8 +652,18 @@
147 /* TRICKY: Fix up the lifetime. */
148 TO_UINT16(urlentry->opaque + 1, urlentry->lifetime);
149 - memcpy(result->curpos, urlentry->opaque, urlentry->opaquelen);
150 - result->curpos += urlentry->opaquelen;
151 + if (RemainingBufferSpace(result) >= urlentry->opaquelen)
152 + {
153 + memcpy(result->curpos, urlentry->opaque, urlentry->opaquelen);
154 + result->curpos = result->curpos + urlentry->opaquelen;
155 + }
156 + else
157 + {
158 + SLPDLog("Opaque Url too big (ask: %d have %" PRId64 "), failing request\n",
159 + urlentry->opaquelen, (int64_t) RemainingBufferSpace(result));
160 + errorcode = SLP_ERROR_PARSE_ERROR;
161 + goto FINISHED;
162 + }
163 }
164 }
165 }