spc_error_struct.use_errno = FALSE;
break;
+ /* JET - buffer overflow attempt */
+ /* VU#172583 */
+ case SPC_Buffer_Overflow:
+ spc_error_struct.format = (XeString) "><Attempted Buffer Overflow from host %s.\nConnection dropped.";
+ spc_error_struct.severity = XeError;
+ spc_error_struct.use_errno = FALSE;
+ break;
+
+
default:
spc_error_struct.format = (XeString) "><Unknown error code";
spc_error_struct.severity = XeError;
&channel_id, &prot->request_type, &dptr->len, &prot->seqno);
prot->channel=SPC_Lookup_Channel(channel_id, connection);
+
+ /* JET - 11/12/2001 - correct an exploitable buffer overrun where the user */
+ /* can supply a data len that is larger than the available buffer */
+ /* MAXREQLEN */
+ /* CERT - VU#172583 */
+
+ if (dptr->len >= MAXREQLEN)
+ { /* we have a problem. Initiate DefCon 1 */
+ /* and launch our missiles. */
+ XeString connection_hostname = CONNECTION_HOSTNAME(connection);
+
+ SPC_Error(SPC_Buffer_Overflow, connection_hostname);
+ XeFree(connection_hostname);
+ SPC_Close_Connection(connection);
+ SPC_Free_Protocol_Ptr(prot);
+ return(SPC_ERROR);
+ }
+
/* read header */
len=SPC_Read_Chars(connection, dptr->len, dptr->data+REQUEST_HEADER_LENGTH);
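Review bot: The new guard `if (dptr->len >= MAXREQLEN)` ignores the offset used by the read immediately after it, which stores `dptr->len` bytes starting at `dptr->data+REQUEST_HEADER_LENGTH`. If `data` is a MAXREQLEN-byte array, as the added comment implies (its declaration is outside this hunk), any length above MAXREQLEN - REQUEST_HEADER_LENGTH but below MAXREQLEN passes the check and still writes past the end of the buffer. A negative length would also pass if `len` is a signed type, which the hunk does not show, so check this against the struct definition. I would tighten the test to `if (dptr->len < 0 || dptr->len > MAXREQLEN - REQUEST_HEADER_LENGTH)`. The enclosing function begins and ends outside the hunk.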
#define SPC_Bad_Permission 164
#define SPC_Cannot_Create_Netfilename 165
#define SPC_Protocol_Version_Error 166
+
+/* JET - a special error code for goobers trying to overflow our buffers. */
+/* VU#172583 */
+#define SPC_Buffer_Overflow 167
+
/* Keep this up to date with the last error number declared above */
-#define SPC_Max_Error 167
+#define SPC_Max_Error 168
/* The definition of the SPC Error structure has been moved to spc.h
(to make it public) */