[devel] [PATCH for apt v2 12/21] Fortify against buffer overflows
Aleksei Nikiforov
darktemplar на altlinux.org
Чт Дек 12 12:57:21 MSK 2019
Found via cppcheck:
(warning) sscanf() without field width limits can crash with huge input data.
---
apt/methods/http.cc | 7 +++++--
apt/methods/http.h | 2 +-
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/apt/methods/http.cc b/apt/methods/http.cc
index 6d9a642..6b5c2a5 100644
--- a/apt/methods/http.cc
+++ b/apt/methods/http.cc
@@ -72,6 +72,9 @@ bool Debug = false;
#define default_port 80
#endif /* USE_TLS */
+#define STR_HELPER(x) #x
+#define STR(x) STR_HELPER(x)
+
// CircleBuf::CircleBuf - Circular input buffer /*{{{*/
// ---------------------------------------------------------------------
/* */
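Review bot: STR(MAXLEN) only yields a usable sscanf field width if MAXLEN expands to a bare decimal literal; MAXLEN's definition is not in this patch, so I cannot confirm that (a definition such as `(360)` or `2*180` would be stringified verbatim and break the format string). A comment next to the new macros would pin that contract for whoever later edits MAXLEN: `// STR(MAXLEN) is spliced into sscanf formats as a field width; MAXLEN must expand to a bare decimal literal.` The names STR and STR_HELPER are also very generic for file-scope macros; a prefix such as HTTP_ would reduce the chance of a clash with a header included later.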
@@ -534,7 +537,7 @@ bool ServerState::HeaderLine(const string &Line)
// Evil servers return no version
if (Line[4] == '/')
{
- if (sscanf(Line.c_str(),"HTTP/%u.%u %u %[^\n]",&Major,&Minor,
+ if (sscanf(Line.c_str(),"HTTP/%u.%u %u %" STR(MAXLEN) "[^\n]",&Major,&Minor,
&Result,Code) != 4)
return _error->Error(_("The http server sent an invalid reply header"));
}
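Review bot: The width fix covers the `%[^\n]` conversion, but the three `%u` conversions on the same sscanf line remain unbounded, and per the C standard an input that does not fit an unsigned int makes the conversion undefined behaviour (glibc saturates, but that is an implementation choice). The HTTP status code is defined as exactly three digits, so `%3u` for Result is a safe tightening here and in the second sscanf in the hunk at line 38, `"HTTP/%u.%u %3u %" STR(MAXLEN) "[^\n]"`. Also worth a short comment: a reason phrase longer than MAXLEN is silently truncated while sscanf still returns 4, so the caller cannot distinguish a truncated phrase from a complete one. HeaderLine continues outside the hunk.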
@@ -542,7 +545,7 @@ bool ServerState::HeaderLine(const string &Line)
{
Major = 0;
Minor = 9;
- if (sscanf(Line.c_str(),"HTTP %u %[^\n]",&Result,Code) != 2)
+ if (sscanf(Line.c_str(),"HTTP %u %" STR(MAXLEN) "[^\n]",&Result,Code) != 2)
return _error->Error(_("The http server sent an invalid reply header"));
}
diff --git a/apt/methods/http.h b/apt/methods/http.h
index 642a813..9e4d2be 100644
--- a/apt/methods/http.h
+++ b/apt/methods/http.h
@@ -86,7 +86,7 @@ struct ServerState
unsigned int Major;
unsigned int Minor;
unsigned int Result;
- char Code[MAXLEN];
+ char Code[MAXLEN + 1];
// These are some statistics from the last parsed header lines
unsigned long long Size;
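Review bot: The `+ 1` on Code is correct only because of the `%MAXLEN[` field width in http.cc, and that coupling is not visible from the header; a comment on the array would keep the two from drifting apart, e.g. `char Code[MAXLEN + 1]; // MAXLEN chars from the sscanf field width in HeaderLine, plus the terminating NUL`. ServerState's declaration continues outside the hunk.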
--
2.24.1