|
|
@@ -1,245 +0,0 @@
|
|
|
-Security Bugfixes (CAN-2005-0490)
|
|
|
-http://www.idefense.com/application/poi/display?id=202&type=vulnerabilities
|
|
|
-http://www.idefense.com/application/poi/display?id=203&type=vulnerabilities
|
|
|
-
|
|
|
-Index: lib/base64.c
|
|
|
---- lib/base64.c.orig 2004-12-15 02:38:25 +0100
|
|
|
-+++ lib/base64.c 2005-02-23 13:26:01 +0100
|
|
|
-@@ -79,7 +79,7 @@
|
|
|
- * Given a base64 string at src, decode it into the memory pointed to by
|
|
|
- * dest. Returns the length of the decoded data.
|
|
|
- */
|
|
|
--size_t Curl_base64_decode(const char *src, char *dest)
|
|
|
-+size_t Curl_base64_decode(const char *src, unsigned char **outptr)
|
|
|
- {
|
|
|
- int length = 0;
|
|
|
- int equalsTerm = 0;
|
|
|
-@@ -87,6 +87,9 @@
|
|
|
- int numQuantums;
|
|
|
- unsigned char lastQuantum[3];
|
|
|
- size_t rawlen=0;
|
|
|
-+ unsigned char *newstr;
|
|
|
-+
|
|
|
-+ *outptr = NULL;
|
|
|
-
|
|
|
- while((src[length] != '=') && src[length])
|
|
|
- length++;
|
|
|
-@@ -97,15 +100,22 @@
|
|
|
-
|
|
|
- rawlen = (numQuantums * 3) - equalsTerm;
|
|
|
-
|
|
|
-+ newstr = malloc(rawlen+1);
|
|
|
-+ if(!newstr)
|
|
|
-+ return 0;
|
|
|
-+
|
|
|
-+ *outptr = newstr;
|
|
|
-+
|
|
|
- for(i = 0; i < numQuantums - 1; i++) {
|
|
|
-- decodeQuantum((unsigned char *)dest, src);
|
|
|
-- dest += 3; src += 4;
|
|
|
-+ decodeQuantum((unsigned char *)newstr, src);
|
|
|
-+ newstr += 3; src += 4;
|
|
|
- }
|
|
|
-
|
|
|
- decodeQuantum(lastQuantum, src);
|
|
|
- for(i = 0; i < 3 - equalsTerm; i++)
|
|
|
-- dest[i] = lastQuantum[i];
|
|
|
-+ newstr[i] = lastQuantum[i];
|
|
|
-
|
|
|
-+ newstr[i] = 0; /* zero terminate */
|
|
|
- return rawlen;
|
|
|
- }
|
|
|
-
|
|
|
-Index: lib/base64.h
|
|
|
---- lib/base64.h.orig 2004-11-29 13:11:46 +0100
|
|
|
-+++ lib/base64.h 2005-02-23 13:26:01 +0100
|
|
|
-@@ -23,5 +23,5 @@
|
|
|
- * $Id: base64.h,v 1.15 2004/11/29 12:11:46 bagder Exp $
|
|
|
- ***************************************************************************/
|
|
|
- size_t Curl_base64_encode(const char *input, size_t size, char **str);
|
|
|
--size_t Curl_base64_decode(const char *source, char *dest);
|
|
|
-+size_t Curl_base64_decode(const char *source, unsigned char **outptr);
|
|
|
- #endif
|
|
|
-Index: lib/http_negotiate.c
|
|
|
---- lib/http_negotiate.c.orig 2004-08-05 20:52:54 +0200
|
|
|
-+++ lib/http_negotiate.c 2005-02-23 13:26:01 +0100
|
|
|
-@@ -166,12 +166,7 @@
|
|
|
-
|
|
|
- len = strlen(header);
|
|
|
- if (len > 0) {
|
|
|
-- int rawlen;
|
|
|
-- input_token.length = (len+3)/4 * 3;
|
|
|
-- input_token.value = malloc(input_token.length);
|
|
|
-- if (input_token.value == NULL)
|
|
|
-- return ENOMEM;
|
|
|
-- rawlen = Curl_base64_decode(header, input_token.value);
|
|
|
-+ int rawlen = Curl_base64_decode(header, &input_token.value);
|
|
|
- if (rawlen < 0)
|
|
|
- return -1;
|
|
|
- input_token.length = rawlen;
|
|
|
-Index: lib/http_ntlm.c
|
|
|
---- lib/http_ntlm.c.orig 2004-12-08 00:09:41 +0100
|
|
|
-+++ lib/http_ntlm.c 2005-02-23 13:26:01 +0100
|
|
|
-@@ -103,7 +103,6 @@
|
|
|
- header++;
|
|
|
-
|
|
|
- if(checkprefix("NTLM", header)) {
|
|
|
-- unsigned char buffer[256];
|
|
|
- header += strlen("NTLM");
|
|
|
-
|
|
|
- while(*header && isspace((int)*header))
|
|
|
-@@ -123,17 +122,22 @@
|
|
|
- (40) Target Information (optional) security buffer(*)
|
|
|
- 32 (48) start of data block
|
|
|
- */
|
|
|
--
|
|
|
-- size_t size = Curl_base64_decode(header, (char *)buffer);
|
|
|
-+ size_t size;
|
|
|
-+ unsigned char *buffer;
|
|
|
-+ size = Curl_base64_decode(header, &buffer);
|
|
|
-+ if(!buffer)
|
|
|
-+ return CURLNTLM_BAD;
|
|
|
-
|
|
|
- ntlm->state = NTLMSTATE_TYPE2; /* we got a type-2 */
|
|
|
-
|
|
|
- if(size >= 48)
|
|
|
- /* the nonce of interest is index [24 .. 31], 8 bytes */
|
|
|
- memcpy(ntlm->nonce, &buffer[24], 8);
|
|
|
-+ /* FIX: add an else here! */
|
|
|
-
|
|
|
- /* at index decimal 20, there's a 32bit NTLM flag field */
|
|
|
-
|
|
|
-+ free(buffer);
|
|
|
- }
|
|
|
- else {
|
|
|
- if(ntlm->state >= NTLMSTATE_TYPE1)
|
|
|
-Index: lib/krb4.c
|
|
|
---- lib/krb4.c.orig 2004-11-11 17:34:24 +0100
|
|
|
-+++ lib/krb4.c 2005-02-23 13:26:01 +0100
|
|
|
-@@ -199,7 +199,8 @@
|
|
|
- {
|
|
|
- int ret;
|
|
|
- char *p;
|
|
|
-- int len;
|
|
|
-+ unsigned char *ptr;
|
|
|
-+ size_t len;
|
|
|
- KTEXT_ST adat;
|
|
|
- MSG_DAT msg_data;
|
|
|
- int checksum;
|
|
|
-@@ -275,11 +276,17 @@
|
|
|
- return AUTH_ERROR;
|
|
|
- }
|
|
|
- p += 5;
|
|
|
-- len = Curl_base64_decode(p, (char *)adat.dat);
|
|
|
-- if(len < 0) {
|
|
|
-+ len = Curl_base64_decode(p, &ptr);
|
|
|
-+ if(len > sizeof(adat.dat)-1) {
|
|
|
-+ free(ptr);
|
|
|
-+ len=0;
|
|
|
-+ }
|
|
|
-+ if(!len || !ptr) {
|
|
|
- Curl_failf(data, "Failed to decode base64 from server");
|
|
|
- return AUTH_ERROR;
|
|
|
- }
|
|
|
-+ memcpy((char *)adat.dat, ptr, len);
|
|
|
-+ free(ptr);
|
|
|
- adat.length = len;
|
|
|
- ret = krb_rd_safe(adat.dat, adat.length, &d->key,
|
|
|
- (struct sockaddr_in *)hisctladdr,
|
|
|
-@@ -317,10 +324,11 @@
|
|
|
- char *name;
|
|
|
- char *p;
|
|
|
- char passwd[100];
|
|
|
-- int tmp;
|
|
|
-+ size_t tmp;
|
|
|
- ssize_t nread;
|
|
|
- int save;
|
|
|
- CURLcode result;
|
|
|
-+ unsigned char *ptr;
|
|
|
-
|
|
|
- save = Curl_set_command_prot(conn, prot_private);
|
|
|
-
|
|
|
-@@ -346,12 +354,18 @@
|
|
|
- }
|
|
|
-
|
|
|
- p += 2;
|
|
|
-- tmp = Curl_base64_decode(p, (char *)tkt.dat);
|
|
|
-- if(tmp < 0) {
|
|
|
-+ tmp = Curl_base64_decode(p, &ptr);
|
|
|
-+ if(tmp >= sizeof(tkt.dat)) {
|
|
|
-+ free(ptr);
|
|
|
-+ tmp=0;
|
|
|
-+ }
|
|
|
-+ if(!tmp || !ptr) {
|
|
|
- Curl_failf(conn->data, "Failed to decode base64 in reply.\n");
|
|
|
- Curl_set_command_prot(conn, save);
|
|
|
- return CURLE_FTP_WEIRD_SERVER_REPLY;
|
|
|
- }
|
|
|
-+ memcpy((char *)tkt.dat, ptr, tmp);
|
|
|
-+ free(ptr);
|
|
|
- tkt.length = tmp;
|
|
|
- tktcopy.length = tkt.length;
|
|
|
-
|
|
|
-Index: lib/security.c
|
|
|
---- lib/security.c.orig 2004-12-15 03:32:04 +0100
|
|
|
-+++ lib/security.c 2005-02-23 13:26:01 +0100
|
|
|
-@@ -297,13 +297,15 @@
|
|
|
- Curl_sec_read_msg(struct connectdata *conn, char *s, int level)
|
|
|
- {
|
|
|
- int len;
|
|
|
-- char *buf;
|
|
|
-+ unsigned char *buf;
|
|
|
- int code;
|
|
|
-
|
|
|
-- buf = malloc(strlen(s));
|
|
|
-- len = Curl_base64_decode(s + 4, buf); /* XXX */
|
|
|
-+ len = Curl_base64_decode(s + 4, &buf); /* XXX */
|
|
|
-+ if(len > 0)
|
|
|
-+ len = (conn->mech->decode)(conn->app_data, buf, len, level, conn);
|
|
|
-+ else
|
|
|
-+ return -1;
|
|
|
-
|
|
|
-- len = (conn->mech->decode)(conn->app_data, buf, len, level, conn);
|
|
|
- if(len < 0) {
|
|
|
- free(buf);
|
|
|
- return -1;
|
|
|
-@@ -314,10 +316,10 @@
|
|
|
- if(buf[3] == '-')
|
|
|
- code = 0;
|
|
|
- else
|
|
|
-- sscanf(buf, "%d", &code);
|
|
|
-+ sscanf((char *)buf, "%d", &code);
|
|
|
- if(buf[len-1] == '\n')
|
|
|
- buf[len-1] = '\0';
|
|
|
-- strcpy(s, buf);
|
|
|
-+ strcpy(s, (char *)buf);
|
|
|
- free(buf);
|
|
|
- return code;
|
|
|
- }
|
|
|
-Index: tests/server/getpart.c
|
|
|
---- tests/server/getpart.c.orig 2004-11-29 22:44:23 +0100
|
|
|
-+++ tests/server/getpart.c 2005-02-23 13:26:01 +0100
|
|
|
-@@ -61,11 +61,11 @@
|
|
|
- {
|
|
|
- size_t len = strlen(buffer);
|
|
|
- size_t needed_len = len + *stringlen + 1;
|
|
|
-- char buf64[256]; /* big enough? */
|
|
|
-+ unsigned char *buf64=NULL;
|
|
|
-
|
|
|
- if(base64) {
|
|
|
- /* decode the given buffer first */
|
|
|
-- len = Curl_base64_decode(buffer, buf64); /* updated len */
|
|
|
-+ len = Curl_base64_decode(buffer, &buf64); /* updated len */
|
|
|
- buffer = buf64;
|
|
|
- needed_len = len + *stringlen + 1; /* recalculate */
|
|
|
- }
|
|
|
-@@ -87,6 +87,9 @@
|
|
|
- *stringlen += len;
|
|
|
- string[*stringlen]=0;
|
|
|
-
|
|
|
-+ if(buf64)
|
|
|
-+ free(buf64);
|
|
|
-+
|
|
|
- return string;
|
|
|
- }
|
|
|
-
|
