[SCM] GNU gnutls branch, master, updated. gnutls_2_11_4-53-g86ecfee
From: |
Nikos Mavrogiannopoulos |
Subject: |
[SCM] GNU gnutls branch, master, updated. gnutls_2_11_4-53-g86ecfee |
Date: |
Sun, 05 Dec 2010 09:23:01 +0000 |
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=86ecfeed9948097dd9f34f2cefc49654521b3e69
The branch, master has been updated
via 86ecfeed9948097dd9f34f2cefc49654521b3e69 (commit)
from 3630971b24925c85d60abab24b314a7ce68c6a0b (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 86ecfeed9948097dd9f34f2cefc49654521b3e69
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sun Dec 5 10:21:55 2010 +0100
Corrected buffer overflow in gnutls-serv by Tomas Mraz.
The gnutls-serv uses a fixed-size allocated buffer for the response, which can
be pretty long if a client certificate is presented to it and the http
header is large. This causes a buffer overflow and heap corruption, which
then lead to random segfaults or aborts.
It was reported originally here:
https://bugzilla.redhat.com/show_bug.cgi?id=659259
The attached patch changes sprintf calls in peer_print_info() to
snprintf so the buffer is never overflowed.
-----------------------------------------------------------------------
Summary of changes:
NEWS | 7 +++++++
src/serv.c | 46 ++++++++++++++++++++--------------------------
2 files changed, 27 insertions(+), 26 deletions(-)
diff --git a/NEWS b/NEWS
index 2a78328..3bdd35c 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,13 @@ Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005,
2006, 2007, 2008, 2009, 2010 Free Software Foundation, Inc.
See the end for copying conditions.
+* Version 2.11.6 (unreleased)
+
+** gnutls-serv: Corrected a buffer overflow. Reported and patch by Tomas Mraz.
+
+** API and ABI modifications:
+No changes since last version.
+
* Version 2.11.5 (released 2010-12-01)
** libgnutls: Reverted default behavior for verification and
diff --git a/src/serv.c b/src/serv.c
index d7782b9..1d45c96 100644
--- a/src/serv.c
+++ b/src/serv.c
@@ -409,7 +409,7 @@ static const char DEFAULT_DATA[] =
/* Creates html with the current session information.
*/
-#define tmp2 &http_buffer[strlen(http_buffer)]
+#define tmp2 &http_buffer[strlen(http_buffer)], len-strlen(http_buffer)
static char *
peer_print_info (gnutls_session_t session, int *ret_length,
const char *header)
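Review bot: `tmp2` now expands to two snprintf arguments (the write position and the space left), which no call site shows, and the bound is only right if `len` is exactly the size `http_buffer` was allocated with; that allocation is outside the hunks on this page. A comment above the macro would make the contract explicit, for example `/* tmp2 expands to TWO arguments: destination and remaining space; len must be the allocated size of http_buffer */`. Each use also calls strlen() twice on the growing buffer, so a running offset kept in a local would be cheaper and easier to audit. peer_print_info's body continues past this hunk.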
@@ -419,7 +419,7 @@ peer_print_info (gnutls_session_t session, int *ret_length,
size_t i, sesid_size;
char *http_buffer;
gnutls_kx_algorithm_t kx_alg;
- size_t len = 5 * 1024 + strlen (header);
+ size_t len = 20 * 1024 + strlen (header);
char *crtinfo = NULL;
size_t ncrtinfo = 0;
@@ -483,11 +483,11 @@ peer_print_info (gnutls_session_t session, int
*ret_length,
/* print session_id */
gnutls_session_get_id (session, sesid, &sesid_size);
- sprintf (tmp2, "\n<p>Session ID: <i>");
+ snprintf (tmp2, "\n<p>Session ID: <i>");
for (i = 0; i < sesid_size; i++)
- sprintf (tmp2, "%.2X", sesid[i]);
- sprintf (tmp2, "</i></p>\n");
- sprintf (tmp2,
+ snprintf (tmp2, "%.2X", sesid[i]);
+ snprintf (tmp2, "</i></p>\n");
+ snprintf (tmp2,
"<h5>If your browser supports session resuming, then you should see
the "
"same session ID, when you press the <b>reload</b> button.</h5>\n");
@@ -501,7 +501,7 @@ peer_print_info (gnutls_session_t session, int *ret_length,
if (gnutls_server_name_get (session, dns, &dns_size, &type, 0) == 0)
{
- sprintf (tmp2, "\n<p>Server Name: %s</p>\n", dns);
+ snprintf (tmp2, "\n<p>Server Name: %s</p>\n", dns);
}
}
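Review bot: `dns` is taken from the client's server-name extension and is formatted into the HTML page with a plain `%s`, so any markup characters in it reach the browser unescaped; the same applies to the SRP and PSK usernames in the next two hunks and to `header` in the final hunk. Bounding the write with snprintf fixes the overflow but not this. I would route these client-supplied strings through a small helper that replaces `&`, `<`, `>` and quote characters with entities before they are formatted; no such helper is visible here, so it would have to be added. The enclosing block begins outside the hunk.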
@@ -512,7 +512,7 @@ peer_print_info (gnutls_session_t session, int *ret_length,
#ifdef ENABLE_SRP
if (kx_alg == GNUTLS_KX_SRP)
{
- sprintf (tmp2, "<p>Connected as user '%s'.</p>\n",
+ snprintf (tmp2, "<p>Connected as user '%s'.</p>\n",
gnutls_srp_server_get_username (session));
}
#endif
@@ -520,7 +520,7 @@ peer_print_info (gnutls_session_t session, int *ret_length,
#ifdef ENABLE_PSK
if (kx_alg == GNUTLS_KX_PSK)
{
- sprintf (tmp2, "<p>Connected as user '%s'.</p>\n",
+ snprintf (tmp2, "<p>Connected as user '%s'.</p>\n",
gnutls_psk_server_get_username (session));
}
#endif
@@ -528,7 +528,7 @@ peer_print_info (gnutls_session_t session, int *ret_length,
#ifdef ENABLE_ANON
if (kx_alg == GNUTLS_KX_ANON_DH)
{
- sprintf (tmp2,
+ snprintf (tmp2,
"<p> Connect using anonymous DH (prime of %d bits)</p>\n",
gnutls_dh_get_prime_bits (session));
}
@@ -536,7 +536,7 @@ peer_print_info (gnutls_session_t session, int *ret_length,
if (kx_alg == GNUTLS_KX_DHE_RSA || kx_alg == GNUTLS_KX_DHE_DSS)
{
- sprintf (tmp2,
+ snprintf (tmp2,
"Ephemeral DH using prime of <b>%d</b> bits.<br>\n",
gnutls_dh_get_prime_bits (session));
}
@@ -547,7 +547,7 @@ peer_print_info (gnutls_session_t session, int *ret_length,
tmp = gnutls_protocol_get_name (gnutls_protocol_get_version (session));
if (tmp == NULL)
tmp = str_unknown;
- sprintf (tmp2,
+ snprintf (tmp2,
"<TABLE border=1><TR><TD>Protocol version:</TD><TD>%s</TD></TR>\n",
tmp);
@@ -558,50 +558,44 @@ peer_print_info (gnutls_session_t session, int
*ret_length,
(session));
if (tmp == NULL)
tmp = str_unknown;
- sprintf (tmp2, "<TR><TD>Certificate Type:</TD><TD>%s</TD></TR>\n", tmp);
+ snprintf (tmp2, "<TR><TD>Certificate Type:</TD><TD>%s</TD></TR>\n", tmp);
}
tmp = gnutls_kx_get_name (kx_alg);
if (tmp == NULL)
tmp = str_unknown;
- sprintf (tmp2, "<TR><TD>Key Exchange:</TD><TD>%s</TD></TR>\n", tmp);
+ snprintf (tmp2, "<TR><TD>Key Exchange:</TD><TD>%s</TD></TR>\n", tmp);
tmp = gnutls_compression_get_name (gnutls_compression_get (session));
if (tmp == NULL)
tmp = str_unknown;
- sprintf (tmp2, "<TR><TD>Compression</TD><TD>%s</TD></TR>\n", tmp);
+ snprintf (tmp2, "<TR><TD>Compression</TD><TD>%s</TD></TR>\n", tmp);
tmp = gnutls_cipher_get_name (gnutls_cipher_get (session));
if (tmp == NULL)
tmp = str_unknown;
- sprintf (tmp2, "<TR><TD>Cipher</TD><TD>%s</TD></TR>\n", tmp);
+ snprintf (tmp2, "<TR><TD>Cipher</TD><TD>%s</TD></TR>\n", tmp);
tmp = gnutls_mac_get_name (gnutls_mac_get (session));
if (tmp == NULL)
tmp = str_unknown;
- sprintf (tmp2, "<TR><TD>MAC</TD><TD>%s</TD></TR>\n", tmp);
+ snprintf (tmp2, "<TR><TD>MAC</TD><TD>%s</TD></TR>\n", tmp);
tmp = gnutls_cipher_suite_get_name (kx_alg,
gnutls_cipher_get (session),
gnutls_mac_get (session));
if (tmp == NULL)
tmp = str_unknown;
- sprintf (tmp2, "<TR><TD>Ciphersuite</TD><TD>%s</TD></TR></p></TABLE>\n",
+ snprintf (tmp2, "<TR><TD>Ciphersuite</TD><TD>%s</TD></TR></p></TABLE>\n",
tmp);
if (crtinfo)
{
- strcat (http_buffer, "<hr><PRE>");
- strcat (http_buffer, crtinfo);
- strcat (http_buffer, "\n</PRE>\n");
+ snprintf(tmp2, "<hr><PRE>%s\n</PRE>\n", crtinfo);
free (crtinfo);
}
- strcat (http_buffer, "<hr><P>Your HTTP header was:<PRE>");
- strcat (http_buffer, header);
- strcat (http_buffer, "</PRE></P>");
-
- strcat (http_buffer, "\n" HTTP_END);
+ snprintf(tmp2, "<hr><P>Your HTTP header was:<PRE>%s</PRE></P>\n" HTTP_END,
header);
*ret_length = strlen (http_buffer);
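Review bot: None of the snprintf calls in this and the earlier hunks check their return value, so when the page does not fit in `len` the output is cut off silently, and because `HTTP_END` is written in the same call as `header` the closing part of the response is the first thing lost. `len` allows 20 KiB plus `strlen (header)`, but the length of `crtinfo` is not part of it as far as these hunks show, so a long certificate dump can still exhaust the buffer. At minimum the function could detect a full buffer after the last write, e.g. `if (strlen (http_buffer) + 1 == len) fprintf (stderr, "response truncated\n");`, and preferably size the buffer from the certificate text as well. The function continues after this hunk.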
hooks/post-receive
--
GNU gnutls