From b4f3efb6922097cb6566e804e1f0f2671b3c2ca9 Mon Sep 17 00:00:00 2001
From: Jon Trulson
Date: Sat, 26 May 2012 19:09:33 -0600
Subject: [PATCH] DtSvc/dtspcd: fixes for VU#172583
---
 cde/lib/DtSvc/DtEncap/spc-error.c | 9 +++++++++
 cde/lib/DtSvc/DtEncap/spc-proto.c | 18 ++++++++++++++++++
 cde/lib/DtSvc/include/SPC/spcE.h | 7 ++++++-
 3 files changed, 33 insertions(+), 1 deletion(-)
diff --git a/cde/lib/DtSvc/DtEncap/spc-error.c b/cde/lib/DtSvc/DtEncap/spc-error.c
index 78839c24..67fe2352 100644
--- a/cde/lib/DtSvc/DtEncap/spc-error.c
+++ b/cde/lib/DtSvc/DtEncap/spc-error.c
@@ -771,6 +771,15 @@ SPCError *SPC_Lookup_Error(int errornum)
 spc_error_struct.use_errno = FALSE;
 break;
+ /* JET - buffer overflow attempt */
+ /* VU#172583 */
+ case SPC_Buffer_Overflow:
+ spc_error_struct.format = (XeString) ">request_type, &dptr->len, &prot->seqno);
 prot->channel=SPC_Lookup_Channel(channel_id, connection);
+
+ /* JET - 11/12/2001 - correct an exploitable buffer overrun where the user */
+ /* can supply a data len that is larger than the available buffer */
+ /* MAXREQLEN */
+ /* CERT - VU#172583 */
+
+ if (dptr->len >= MAXREQLEN)
+ { /* we have a problem. Initiate DefCon 1 */
+ /* and launch our missiles. */
+ XeString connection_hostname = CONNECTION_HOSTNAME(connection);
+
+ SPC_Error(SPC_Buffer_Overflow, connection_hostname);
+ XeFree(connection_hostname);
+ SPC_Close_Connection(connection);
+ SPC_Free_Protocol_Ptr(prot);
+ return(SPC_ERROR);
+ }
+
 /* read header */
 len=SPC_Read_Chars(connection, dptr->len, dptr->data+REQUEST_HEADER_LENGTH);
diff --git a/cde/lib/DtSvc/include/SPC/spcE.h b/cde/lib/DtSvc/include/SPC/spcE.h
index 00e67c25..2978ed3c 100644
--- a/cde/lib/DtSvc/include/SPC/spcE.h
+++ b/cde/lib/DtSvc/include/SPC/spcE.h
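Review bot: The new guard `if (dptr->len >= MAXREQLEN)` in spc-proto.c compares the length with MAXREQLEN alone, but the read right after it stores at `dptr->data+REQUEST_HEADER_LENGTH`, so a length just under the limit may still run past the end of `data` if that buffer is sized around MAXREQLEN (its declaration is not visible in this patch). The guard also has no lower bound: if `dptr->len` is a signed int filled from the request header, which the surviving `&dptr->len` argument suggests, a negative value passes the test and reaches SPC_Read_Chars. After confirming the buffer size and the field's type I would write `if (dptr->len < 0 || dptr->len >= MAXREQLEN - REQUEST_HEADER_LENGTH)`. The enclosing function starts and ends outside the hunk, and on this page the hunk header itself was lost in extraction.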
@@ -112,8 +112,13 @@
 #define SPC_Bad_Permission 164
 #define SPC_Cannot_Create_Netfilename 165
 #define SPC_Protocol_Version_Error 166
+
+/* JET - a special error code for goobers trying to overflow our buffers. */
+/* VU#172583 */
+#define SPC_Buffer_Overflow 167
+
 /* Keep this up to date with the last error number declared above */
-#define SPC_Max_Error 167
+#define SPC_Max_Error 168
 /* The definition of the SPC Error structure has been moved to spc.h (to make it public) */
-- 
2.25.1