[devel] [PATCH for apt v2 12/21] Fortify against buffer overflows

Aleksei Nikiforov darktemplar на altlinux.org
Чт Дек 12 12:57:21 MSK 2019


Found via cppcheck:
(warning) sscanf() without field width limits can crash with huge input data.
---
 apt/methods/http.cc | 7 +++++--
 apt/methods/http.h  | 2 +-
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/apt/methods/http.cc b/apt/methods/http.cc
index 6d9a642..6b5c2a5 100644
--- a/apt/methods/http.cc
+++ b/apt/methods/http.cc
@@ -72,6 +72,9 @@ bool Debug = false;
 #define default_port 80
 #endif /* USE_TLS */
 
+#define STR_HELPER(x) #x
+#define STR(x) STR_HELPER(x)
+
 // CircleBuf::CircleBuf - Circular input buffer				/*{{{*/
 // ---------------------------------------------------------------------
 /* */
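Review bot: The purpose of STR_HELPER/STR is not stated, and it matters: they exist only to splice MAXLEN into the sscanf format strings as a field width, which works only while MAXLEN expands to a bare decimal literal (a parenthesised or suffixed definition such as `(360)` would be stringified verbatim and yield an invalid conversion specification). A one-line comment above the two macros, e.g. `// Stringify MAXLEN for use as an sscanf field width; MAXLEN must be a plain integer literal`, records that precondition. The names are also generic and unguarded, so a `#ifndef STR` guard or a more specific name would avoid clashes if another header defines the same macro.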
@@ -534,7 +537,7 @@ bool ServerState::HeaderLine(const string &Line)
       // Evil servers return no version
       if (Line[4] == '/')
       {
-	 if (sscanf(Line.c_str(),"HTTP/%u.%u %u %[^\n]",&Major,&Minor,
+	 if (sscanf(Line.c_str(),"HTTP/%u.%u %u %" STR(MAXLEN) "[^\n]",&Major,&Minor,
 		    &Result,Code) != 4)
 	    return _error->Error(_("The http server sent an invalid reply header"));
       }
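Review bot: With the field width in place, a reply line whose reason phrase exceeds MAXLEN characters is silently truncated rather than rejected: the `%MAXLEN[^\n]` conversion stops after MAXLEN bytes, sscanf still returns 4, and the remainder of the line is discarded. That is an acceptable outcome for an overflow fix, but the width is tied only by name to the `Code[MAXLEN + 1]` declaration in http.h, so a comment at the call site would make the dependency visible, e.g. `// width MAXLEN: Code holds MAXLEN chars plus the NUL (see http.h)`. The same applies to the HTTP/0.9 branch in the following hunk. ServerState::HeaderLine starts and ends outside this hunk.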
@@ -542,7 +545,7 @@ bool ServerState::HeaderLine(const string &Line)
       {
 	 Major = 0;
 	 Minor = 9;
-	 if (sscanf(Line.c_str(),"HTTP %u %[^\n]",&Result,Code) != 2)
+	 if (sscanf(Line.c_str(),"HTTP %u %" STR(MAXLEN) "[^\n]",&Result,Code) != 2)
 	    return _error->Error(_("The http server sent an invalid reply header"));
       }
 
diff --git a/apt/methods/http.h b/apt/methods/http.h
index 642a813..9e4d2be 100644
--- a/apt/methods/http.h
+++ b/apt/methods/http.h
@@ -86,7 +86,7 @@ struct ServerState
    unsigned int Major;
    unsigned int Minor;
    unsigned int Result;
-   char Code[MAXLEN];
+   char Code[MAXLEN + 1];
    
    // These are some statistics from the last parsed header lines
    unsigned long long Size;
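Review bot: The `+ 1` should carry a comment, because it exists solely so the `%MAXLEN[^\n]` conversions in http.cc have room for the terminating NUL; changing either the width or the array size alone reintroduces the overflow this patch fixes. Suggest `char Code[MAXLEN + 1];   // MAXLEN chars + NUL; must match the sscanf width in HeaderLine`. The struct ServerState starts and ends outside this hunk.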
-- 
2.24.1


