From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on sa.local.altlinux.org X-Spam-Level: X-Spam-Status: No, score=-2.9 required=5.0 tests=ALL_TRUSTED,BAYES_00 autolearn=unavailable autolearn_force=no version=3.4.1 From: Aleksei Nikiforov To: devel@lists.altlinux.org Date: Thu, 12 Dec 2019 12:57:21 +0300 Message-Id: <20191212095730.83787-13-darktemplar@altlinux.org> X-Mailer: git-send-email 2.24.1 In-Reply-To: <20191212095730.83787-1-darktemplar@altlinux.org> References: <20191211234857.GB17949@altlinux.org> <20191212095730.83787-1-darktemplar@altlinux.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Cc: Aleksei Nikiforov Subject: [devel] [PATCH for apt v2 12/21] Fortify against buffer overflows X-BeenThere: devel@lists.altlinux.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: ALT Linux Team development discussions List-Id: ALT Linux Team development discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 12 Dec 2019 09:58:12 -0000 Archived-At: List-Archive: List-Post: Found via cppcheck: (warning) sscanf() without field width limits can crash with huge input data.
---
 apt/methods/http.cc | 7 +++++--
 apt/methods/http.h | 2 +-
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/apt/methods/http.cc b/apt/methods/http.cc
index 6d9a642..6b5c2a5 100644
--- a/apt/methods/http.cc
+++ b/apt/methods/http.cc
@@ -72,6 +72,9 @@ bool Debug = false;
 #define default_port 80
 #endif /* USE_TLS */
 
+#define STR_HELPER(x) #x
+#define STR(x) STR_HELPER(x)
+
 // CircleBuf::CircleBuf - Circular input buffer /*{{{*/
 // ---------------------------------------------------------------------
 /* */
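Review bot: `STR(MAXLEN)` is spliced into a scanf format as a field width, so the two new macros only work while MAXLEN expands to a bare decimal literal; its definition is not in this patch, and if it is (or later becomes) a parenthesised or computed expression such as `(2*180)`, the format would read `%(2*180)[^\n]`, sscanf would most likely stop matching, and every status line would be rejected as an invalid reply header. A one-line comment above the macros would pin that requirement: `// STR(MAXLEN) becomes a scanf field width in HeaderLine(): MAXLEN must stay a plain decimal literal`. `STR` and `STR_HELPER` are also very generic names for file-scope macros in a .cc; a prefixed name or an `#undef` after the last use would avoid clashes with other headers.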
@@ -534,7 +537,7 @@ bool ServerState::HeaderLine(const string &Line)
 // Evil servers return no version
 if (Line[4] == '/')
 {
- if (sscanf(Line.c_str(),"HTTP/%u.%u %u %[^\n]",&Major,&Minor,
+ if (sscanf(Line.c_str(),"HTTP/%u.%u %u %" STR(MAXLEN) "[^\n]",&Major,&Minor,
 &Result,Code) != 4)
 return _error->Error(_("The http server sent an invalid reply header"));
 }
@@ -542,7 +545,7 @@ bool ServerState::HeaderLine(const string &Line)
 {
 Major = 0;
 Minor = 9;
- if (sscanf(Line.c_str(),"HTTP %u %[^\n]",&Result,Code) != 2)
+ if (sscanf(Line.c_str(),"HTTP %u %" STR(MAXLEN) "[^\n]",&Result,Code) != 2)
 return _error->Error(_("The http server sent an invalid reply header"));
 }
 
diff --git a/apt/methods/http.h b/apt/methods/http.h
index 642a813..9e4d2be 100644
--- a/apt/methods/http.h
+++ b/apt/methods/http.h
@@ -86,7 +86,7 @@ struct ServerState
 unsigned int Major;
 unsigned int Minor;
 unsigned int Result;
- char Code[MAXLEN];
+ char Code[MAXLEN + 1];
 
 // These are some statistics from the last parsed header lines
 unsigned long long Size;
-- 2.24.1
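Review bot: With the width now bounded, a reason phrase longer than MAXLEN characters is silently truncated rather than rejected: `%<MAXLEN>[^\n]` stops after MAXLEN bytes and still counts as a successful conversion, so the `!= 4` check here (and the `!= 2` check in the following hunk at @@ -542) passes with a cut-off `Code`. That is probably acceptable for an informational field, but it deserves a comment on the changed line, e.g. `// %<MAXLEN>[^\n] bounds the copy into Code[MAXLEN + 1]; longer reason phrases are truncated, not rejected`. The `%u` conversions for Major, Minor and Result remain unbounded; they cannot overrun a buffer, but a digit run that does not fit an unsigned int is undefined behaviour under the C standard (glibc saturates in practice), so a width that keeps the value in range, such as `%9u`, would make the parse fully defined. HeaderLine() starts and ends outside these hunks.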
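Review bot: The `+ 1` in `char Code[MAXLEN + 1];` is load-bearing and undocumented: the `%<MAXLEN>[^\n]` conversion in http.cc stores up to MAXLEN bytes plus a terminating NUL, so this array size and that format width must move together. A trailing comment would keep them in sync for the next maintainer: `char Code[MAXLEN + 1]; // MAXLEN bytes + NUL: must match the STR(MAXLEN) scanf width in HeaderLine()`. Any other writer into Code that sizes by MAXLEN (none is visible in this patch) still fits, since the buffer only grew.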