+/*
+ * CDE - Common Desktop Environment
+ *
+ * Copyright (c) 1993-2012, The Open Group. All rights reserved.
+ *
+ * These libraries and programs are free software; you can
+ * redistribute them and/or modify them under the terms of the GNU
+ * Lesser General Public License as published by the Free Software
+ * Foundation; either version 2 of the License, or (at your option)
+ * any later version.
+ *
+ * These libraries and programs are distributed in the hope that
+ * they will be useful, but WITHOUT ANY WARRANTY; without even the
+ * implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU Lesser General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with these librararies and programs; if not, write
+ * to the Free Software Foundation, Inc., 51 Franklin Street, Fifth
+ * Floor, Boston, MA 02110-1301 USA
+ */
/*
* $TOG: spc-proto.c /main/12 1999/10/14 16:00:27 mgreess $
* Language: C
#include <stdarg.h>
#include <sys/utsname.h>
#include <limits.h>
+#include <stdint.h>
#define X_INCLUDE_PWD_H
#define XOS_USE_XT_LOCKING
_DtSvcProcessLock();
conn=(SPC_Connection_Ptr) XeMalloc(sizeof(SPC_Connection));
/* Zero the connection */
- memset(conn, NULL, sizeof(SPC_Connection));
+ memset(conn, 0, sizeof(SPC_Connection));
conn->queued_remote_data = Xe_make_queue(FALSE);
conn->termination_id = (-1);
/* Init the socket id to "-1" because "0" is a valid file descriptor. */
if(!connection->connected)
return(SPC_ERROR);
- if((prot=SPC_New_Protocol_Ptr(NULL, NULL, NULL))==SPC_ERROR) {
+ if((prot=SPC_New_Protocol_Ptr(NULL, 0, 0))==SPC_ERROR) {
SPC_Close_Connection(connection);
return(SPC_ERROR);
}
&channel_id, &prot->request_type, &dptr->len, &prot->seqno);
prot->channel=SPC_Lookup_Channel(channel_id, connection);
+
+ /* JET - 11/12/2001 - correct an exploitable buffer overrun where the user */
+ /* can supply a data len that is larger than the available buffer */
+ /* MAXREQLEN */
+ /* CERT - VU#172583 */
+
+ if (dptr->len >= MAXREQLEN)
+ { /* we have a problem. Initiate DefCon 1 */
+ /* and launch our missiles. */
+ XeString connection_hostname = CONNECTION_HOSTNAME(connection);
+
+ SPC_Error(SPC_Buffer_Overflow, connection_hostname);
+ XeFree(connection_hostname);
+ SPC_Close_Connection(connection);
+ SPC_Free_Protocol_Ptr(prot);
+ return(SPC_ERROR);
+ }
+
/* read header */
len=SPC_Read_Chars(connection, dptr->len, dptr->data+REQUEST_HEADER_LENGTH);
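Review bot: The new guard `if (dptr->len >= MAXREQLEN)` checks only the upper bound and does not account for the header offset, while the read right after it stores `dptr->len` bytes at `dptr->data+REQUEST_HEADER_LENGTH`. If `len` is a signed int, as the `%d` used for it in the trace print later in this diff suggests, a negative length taken from the peer's header passes the check. Unless MAXREQLEN already reserves the header bytes (neither its definition nor the declared size of `data` is visible here), a length just under MAXREQLEN can still run past the end of the buffer. After confirming the size of `data`, I would tighten the test to `if (dptr->len < 0 || dptr->len >= MAXREQLEN - REQUEST_HEADER_LENGTH)`. The enclosing function starts and ends outside the hunk, so whether the header-parsing call just above has its result checked before these fields are trusted cannot be seen from here.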
XeQueue tmpqueue;
protocol_request_ptr prot;
- if(tmpqueue=channel->queued_remote_data) {
- while(prot=(protocol_request_ptr)Xe_pop_queue(tmpqueue))
+ if((tmpqueue=channel->queued_remote_data)) {
+ while((prot=(protocol_request_ptr)Xe_pop_queue(tmpqueue)))
SPC_Free_Protocol_Ptr(prot);
}
dptr->data[dptr->offset+dptr->len]=0;
fprintf(SPC_Print_Protocol,
- "%s channel: %x, request: %d, length: %d, seq: %d data: %s\n",
+ "%s channel: %p, request: %d, length: %d, seq: %d data: %s\n",
name, proto->channel, proto->request_type, dptr->len, proto->seqno,
dptr->data+dptr->offset);
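Review bot: `%p` expects a `void *` argument, but `proto->channel` is passed with its own pointer type in the argument list after the format string; cast it, `name, (void *)proto->channel, proto->request_type, dptr->len, proto->seqno,`. A comment elsewhere in this diff says the `channel` field is overloaded with the cid when a request is sent to the other side, so the value printed here may be a cid rather than an address. A short comment such as `/* channel may hold a cid cast to a pointer, not a dereferenceable address */` would keep readers of the trace from misreading it. The function containing this fprintf starts and ends outside the hunk.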
/* We are overloading the "channel" field. We put the cid rather */
/* than the actual channel pointer in when we pass it to the other */
/* side of the connection. */
- prot_request->channel=(SPC_Channel_Ptr)(channel ? channel->cid : 0);
+ prot_request->channel=(SPC_Channel_Ptr) (intptr_t) (channel ? channel->cid : 0);
switch (request) {
if(this_str == NULL)
this_str = NULL_STR;
- if(*this_str == NULL)
+ if(*this_str == '\0')
this_str = EMPTY_STR;
tmp_len=strlen(this_str)+1; /* Room for NULL char */
if((bytes_left-tmp_len) < 1) {
- *buf=NULL;
+ *buf='\0';
prot->dataptr->len=numbytes+1;
SPC_Write_Single_Prot_Request(connection, name, prot);
SPC_Free_Protocol_Ptr(prot);
}
if(numbytes) {
- *buf=NULL;
+ *buf='\0';
prot->dataptr->len=numbytes+1;
SPC_Write_Single_Prot_Request(connection, (XeString)" <-- ENVIRON_RESET", prot);
SPC_Free_Protocol_Ptr(prot);
len=strlen(bufptr)+1; /* len is string SIZE (with room for NULL) */
*tmpidx=(XeString)XeMalloc(len);
strncpy(*tmpidx, bufptr, len);
- (*tmpidx)[len-1]=NULL;
+ (*tmpidx)[len-1]='\0';
bufptr+= len;
}
*tmpidx=NULL;