authorFritz Elfert <felfert@to.com>2002-07-11 17:15:53 +0000
committerFritz Elfert <felfert@to.com>2002-07-11 17:15:53 +0000
commitb1f7f0c63370d447adb8d1b188beed65777fe232 (patch)
treeee527ffce62ea19ca8d9c3d7e4f1c7ee1bb331aa
parent6e69acee769a72e39fed628f637ec22589d6832c (diff)
- Fixed a possible exploit when telnet (or any other network
client) connects to ncpd.
-rw-r--r--lib/ppsocket.cc2
-rw-r--r--ncpd/socketchan.cc7
2 files changed, 9 insertions, 0 deletions
diff --git a/lib/ppsocket.cc b/lib/ppsocket.cc
index 0053436..8940148 100644
--- a/lib/ppsocket.cc
+++ b/lib/ppsocket.cc
@@ -297,6 +297,8 @@ getBufferStore(bufferStore & a, bool wait)
return -1;
}
l = ntohl(l);
+ if (l > 16384)
+ return -1;
bp = buff = new unsigned char[l];
while (l > 0) {
int j = recv(bp, l, MSG_NOSIGNAL);
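Review bot: The added `if (l > 16384)` guard only rejects oversized lengths if `l` is an unsigned type, and the declaration of `l` is outside this hunk; if it is a signed `int`/`long`, a wire length with the top bit set comes out of `ntohl()` negative, passes the check, and still reaches `new unsigned char[l]` and `recv(bp, l, ...)` with a negative size. Compare through an explicit unsigned type and give the limit a name instead of a bare magic number: `const uint32_t kMaxFrame = 16384;` then `if ((uint32_t)l > kMaxFrame) return -1;`. Rejecting the frame leaves the peer's remaining bytes unread on the socket, so a comment such as `// oversized frame: caller is expected to drop the connection` would make the recovery expectation explicit — I cannot confirm from here what the caller does with the -1. getBufferStore's body starts before and continues after this hunk.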
diff --git a/ncpd/socketchan.cc b/ncpd/socketchan.cc
index 407464a..371befd 100644
--- a/ncpd/socketchan.cc
+++ b/ncpd/socketchan.cc
@@ -207,6 +207,13 @@ socketPoll()
//
// All commands begin with "NCP$".
+ if (memchr(a.getString(), 0, a.getLen()) == 0) {
+ // Not 0 terminated, -> invalid
+ cerr << "ncpd: command " << a << " unrecognized."
+ << endl;
+ return;
+ }
+
// There is a magic process name called "NCP$INFO.*"
// which is announced by the rfsvfactory. This causes a
// response to be issued containing the NCP version