Commit 039f9e6d authored by Nigel Kukard's avatar Nigel Kukard

* Fixed potential buffer overflow when line length exceeds MAXLINE

- Thanks Raphael Marichez
parent 030849ac
......@@ -8,6 +8,7 @@
*
* policy daemon is used in conjuction with postfix to combat spam.
*
* Copyright (C) 2007 Nigel Kukard <nkukard@lbsd.net>
* Copyright (C) 2004 Cami Sardinha (cami@mweb.co.za)
*
*
......@@ -216,10 +217,11 @@ main(int argc, char **argv)
logmessage("DEBUG: fd: %d select(): fd %d is ready for read\n", sockfd, sockfd);
/* read as much data as we can */
rres = w_read(sockfd,buf[sockfd]);
rres = w_read(sockfd,buf[sockfd],MAXLINE);
switch (rres)
{
case -1:
case -3:
case -1:
w_close(sockfd); /* shut down socket */
FD_CLR(sockfd, &rallset); /* remove fd from read set */
client[numi] = -1; /* make descriptor available */
......
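Review bot: The new `case -3:` label falls into the same teardown as `-1`, so a client whose line exceeds MAXLINE is disconnected with no record at normal log levels; the only message for this condition is inside w_read and is gated by `DEBUG > 2`. An oversized policy request is worth seeing in production logs, so I would log it here before falling through, e.g. `case -3: logmessage("fd: %d request exceeded MAXLINE, closing connection\n", sockfd); /* fallthrough */`. Separately, passing `MAXLINE` as the bound only protects `buf[sockfd]` if that buffer is declared with at least MAXLINE bytes; the declaration is outside this hunk, so that should be confirmed. The enclosing main() starts and ends outside the hunk.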
......@@ -5,6 +5,7 @@
*
* policy daemon is used in conjuction with postfix to combat spam.
*
* Copyright (C) 2007 Nigel Kukard <nkukard@lbsd.net>
* Copyright (C) 2004 Cami Sardinha (cami@mweb.co.za)
*
*
......@@ -59,7 +60,7 @@
/* CONFIGS */
#define PROJECT "policyd"
#define VERSION "v1.80"
#define VERSION "v1.81a"
/* Miscellaneous constants */
#define LISTENQ 1023 /* 2nd argument to listen() */
......@@ -221,7 +222,7 @@ unsigned long int mysql_timeout; /* mysql query timeout */
int cidr_ip_match (unsigned long ip, char *range);
pid_t w_fork(void);
const char *w_inet_ntop(int family, const void *addrptr, char *strptr, size_t len);
ssize_t w_read(unsigned int fd, char *ptr);
ssize_t w_read(unsigned int fd, char *ptr, size_t max_size);
ssize_t w_write(unsigned int fd, const void *vbuf);
ssize_t f_write(unsigned int volatile fd, const void *vptr, size_t n);
void w_close(unsigned int fd);
......
......@@ -7,6 +7,7 @@
*
* policy daemon is used in conjuction with postfix to combat spam.
*
* Copyright (C) 2007 Nigel Kukard <nkukard@lbsd.net>
* Copyright (C) 2004 Cami Sardinha (cami@mweb.co.za)
*
*
......@@ -147,7 +148,7 @@ w_listen(unsigned int fd, unsigned int backlog)
* return: number bytes read
*/
ssize_t
w_read(unsigned int fd, char *ptr)
w_read(unsigned int fd, char *ptr, size_t max_size)
{
ssize_t n;
size_t data_read = 0; /* for debug only */
......@@ -159,6 +160,16 @@ w_read(unsigned int fd, char *ptr)
buf_counter[fd]++;
buf_size[fd]++;
/* check if we've reached the end of the buffer */
if (buf_counter[fd] == max_size)
{
if (DEBUG > 2)
logmessage("DEBUG: fd: %d reached end of buffer, aborting\n", fd);
return -3;
}
/* need at least 2 bytes to check against */
if (buf_counter[fd] > 2)
{
......
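Review bot: The end-of-buffer test `if (buf_counter[fd] == max_size)` uses equality, so it fires only on the exact step where the counter reaches the limit. If `buf_counter[fd]` is ever already at or past `max_size` on entry (for example because it was not reset when a descriptor was closed and reused; no reset is visible in this hunk), the increment steps over the limit and later bytes would presumably be stored unchecked. `if (buf_counter[fd] >= max_size)` costs nothing and closes that gap, and resetting `buf_counter[fd]` and `buf_size[fd]` before `return -3;` would keep the per-fd state consistent if w_close does not already do so. The header comment above w_read still says only `return: number bytes read`; it should describe `max_size` and the new `-3` return. The body of w_read continues outside the hunk.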