File: 0026-Fix-buffer-overflows-in-sprintf-usage.patch

httptunnel 3.3%2Bdfsg-6
From: gdm85 <gdm85@users.noreply.github.com>
Date: Sat, 28 Jul 2018 12:35:48 +0200
Subject: Fix buffer overflows in sprintf() usage

Applied-Upstream: commit:f5b5e697c9a61e4ff8571224b34e200b5c6e8295
---
 http.c   | 20 ++++++++++----------
 tunnel.c |  2 +-
 2 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/http.c b/http.c
index ef2833e..af668ab 100644
--- a/http.c
+++ b/http.c
@@ -18,7 +18,7 @@ static inline ssize_t
 http_method (int fd, Http_destination *dest,
 	     Http_method method, ssize_t length)
 {
-  char str[1024]; /* FIXME: possible buffer overflow */
+  char str[1024];
   Http_request *request;
   ssize_t n;
 
@@ -28,21 +28,21 @@ http_method (int fd, Http_destination *dest,
       return -1;
     }
 
-  n = 0;
-  if (dest->proxy_name != NULL)
-    n = sprintf (str, "http://%s:%d", dest->host_name, dest->host_port);
-  sprintf (str + n, "%s%ld", dest->base_uri, time (NULL));
+  if (dest->proxy_name == NULL)
+    snprintf (str, sizeof(str), "%s:%ld", dest->base_uri, time (NULL));
+  else
+    snprintf (str, sizeof(str), "http://%s:%d%s%ld", dest->host_name, dest->host_port, dest->base_uri, time (NULL));
 
   request = http_create_request (method, str, 1, 1);
   if (request == NULL)
     return -1;
 
-  sprintf (str, "%s:%d", dest->host_name, dest->host_port);
+  snprintf (str, sizeof(str), "%s:%d", dest->host_name, dest->host_port);
   http_add_header (&request->header, "Host", str);
 
   if (length >= 0)
     {
-      sprintf (str, "%ld", length);
+      snprintf (str, sizeof(str), "%ld", length);
       http_add_header (&request->header, "Content-Length", str);
     }
 
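Review bot: The no-proxy branch now formats `"%s:%ld"`, which puts a colon between `dest->base_uri` and the timestamp that the removed code never emitted (it used `"%s%ld"` with `n = 0`), while the proxy branch keeps `%s%ld`. Unless the URI change for direct connections is intended, that line should read `snprintf (str, sizeof(str), "%s%ld", dest->base_uri, time (NULL));`. Separately, none of the three `snprintf` calls in this hunk checks its return value, so an over-long `host_name` or `base_uri` now yields a silently truncated request URI or `Host` header instead of an overflow. Comparing the result against `sizeof(str)` and returning -1 on truncation would make the failure explicit. The body of http_method continues past the end of this hunk.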
@@ -747,11 +747,11 @@ http_parse_request (int fd, Http_request **request_)
 ssize_t
 http_write_request (int fd, Http_request *request)
 {
-  char str[1024]; /* FIXME: buffer overflow */
+  char str[1024];
   ssize_t n = 0;
   size_t m;
-  
-  m = sprintf (str, "%s %s HTTP/%d.%d\r\n",
+
+  m = snprintf (str, sizeof(str), "%s %s HTTP/%d.%d\r\n",
 	       http_method_to_string (request->method),
 	       request->uri,
 	       request->major_version,
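Review bot: `m` is assigned the return value of `snprintf`, which is the length the complete output would have had, not the number of bytes actually stored in `str`. If the request line is truncated, `m` is larger than `sizeof(str) - 1`, and a negative error return converts to a very large `size_t`. The rest of http_write_request is outside this hunk, but if `m` is later used as the byte count for writing `str`, that write would read past the end of the buffer. A guard such as `int len = snprintf (...); if (len < 0 || (size_t) len >= sizeof(str)) return -1; m = len;` keeps the length bounded.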
diff --git a/tunnel.c b/tunnel.c
index 304ba59..d2850a9 100644
--- a/tunnel.c
+++ b/tunnel.c
@@ -1168,7 +1168,7 @@ tunnel_accept (Tunnel *tunnel)
 
 	      tunnel_out_setsockopts (tunnel->out_fd);
 
-	      sprintf (str,
+	      snprintf (str, sizeof(str),
 "HTTP/1.1 200 OK\r\n"
 /* "Date: %s\r\n" */
 /* "Server: %s\r\n" */
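Review bot: `sizeof(str)` in the new `snprintf` call is the correct bound only if `str` is declared as an array inside tunnel_accept; the declaration is outside this hunk. If `str` were a `char *`, the bound would be the pointer size and the response header would be cut to a few bytes. The remaining format arguments are also outside the hunk, so it is worth confirming the declaration and checking the return value for truncation before the buffer is sent.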