
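--- a/Makefile
+++ b/Makefile
@@ -7,6 +7,7 @@
 
 PORTNAME=	bip
 PORTVERSION=	0.8.8
+PORTREVISION=	1
 CATEGORIES=	irc
 MASTER_SITES=	https://projects.duckcorp.org/attachments/download/39/
 
@@ -14,6 +15,7 @@
 COMMENT=	A simple IRC proxy with SSL support
 
 LICENSE=	GPLv2
+
 GNU_CONFIGURE=	yes
 LDFLAGS+=	-L${LOCALBASE}/lib
 USE_GMAKE=	yes
@@ -21,6 +23,7 @@
 
 USE_OPENSSL=	yes
 
+PATCH_STRIP=	-p1
 PLIST_FILES=	bin/bip bin/bipmkpw
 SUB_FILES=	pkg-message
 MAN1=		bip.1 bipmkpw.1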
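--- a/files/patch-bip-269
+++ b/files/patch-bip-269
@@ -0,0 +1,139 @@
+commit 222a33cb84a2e52ad55a88900b7895bf9dd0262c
+Author: Pierre-Louis Bonicoli <pierre-louis.bonicoli@gmx.fr>
+Date:   Sat Jan 7 11:41:02 2012 +0100
+
+    Buffer Overflow: check against the implicit size of select() arrays
+    
+    Reported by Julien Tinnes (Fix #269)
+    exit is called when the listening socket can not be created
+
+diff --git a/src/bip.c b/src/bip.c
+index d46ee2b..b4ac706 100644
+--- a/src/bip.c
++++ b/src/bip.c
+@@ -1311,7 +1311,7 @@ int main(int argc, char **argv)
+ 	close(fd);
+ 
+ 	bip.listener = listen_new(conf_ip, conf_port, conf_css);
+-	if (!bip.listener)
++	if (!bip.listener || bip.listener->connected == CONN_ERROR)
+ 		fatal("Could not create listening socket");
+ 
+ 	for (;;) {
+commit 222a33cb84a2e52ad55a88900b7895bf9dd0262c
+Author: Pierre-Louis Bonicoli <pierre-louis.bonicoli@gmx.fr>
+Date:   Sat Jan 7 11:41:02 2012 +0100
+
+    Buffer Overflow: check against the implicit size of select() arrays
+    
+    Reported by Julien Tinnes (Fix #269)
+    exit is called when the listening socket can not be created
+
+diff --git a/src/connection.c b/src/connection.c
+index 07ab431..5c4c24a 100644
+--- a/src/connection.c
++++ b/src/connection.c
+@@ -124,6 +124,18 @@ static void connect_trynext(connection_t *cn)
+ 			continue;
+ 		}
+ 
++		if (cn->handle >= FD_SETSIZE) {
++			mylog(LOG_WARN, "too many fd used, close socket %d",
++					cn->handle);
++
++			if (close(cn->handle) == -1)
++				mylog(LOG_WARN, "Error on socket close: %s",
++						strerror(errno));
++
++			cn->handle = -1;
++			break;
++		}
++
+ 		socket_set_nonblock(cn->handle);
+ 
+ 		if (cn->connecting_data->src) {
+@@ -789,13 +801,8 @@ list_t *wait_event(list_t *cn_list, int *msec, int *nc)
+ 		/*
+ 		 * This shouldn't happen ! just in case...
+ 		 */
+-		if (cn->handle < 0) {
+-			mylog(LOG_WARN, "wait_event invalid socket %d",
+-					cn->handle);
+-			if (cn_is_connected(cn))
+-				cn->connected = CONN_ERROR;
+-			continue;
+-		}
++		if (cn->handle < 0 || cn->handle >= FD_SETSIZE)
++			fatal("wait_event invalid socket %d", cn->handle);
+ 
+ 		/* exceptions are OOB and disconnections */
+ 		FD_SET(cn->handle, &fds_except);
+@@ -966,6 +973,18 @@ static void create_listening_socket(char *hostname, char *port,
+ 			continue;
+ 		}
+ 
++		if (cn->handle >= FD_SETSIZE) {
++			mylog(LOG_WARN, "too many fd used, close listening socket %d",
++					cn->handle);
++
++			if (close(cn->handle) == -1)
++				mylog(LOG_WARN, "Error on socket close: %s",
++						strerror(errno));
++
++			cn->handle = -1;
++			break;
++		}
++
+ 		if (setsockopt(cn->handle, SOL_SOCKET, SO_REUSEADDR,
+ 					(char *)&multi_client,
+ 					sizeof(multi_client)) < 0) {
+@@ -1113,10 +1132,21 @@ connection_t *accept_new(connection_t *cn)
+ 
+ 	mylog(LOG_DEBUG, "Trying to accept new client on %d", cn->handle);
+ 	err = accept(cn->handle, &sa, &sa_len);
++
+ 	if (err < 0) {
+-		mylog(LOG_ERROR, "accept failed: %s", strerror(errno));
++		fatal("accept failed: %s", strerror(errno));
++	}
++
++	if (err >= FD_SETSIZE) {
++		mylog(LOG_WARN, "too many client connected, close %d", err);
++
++		if (close(err) == -1)
++			mylog(LOG_WARN, "Error on socket close: %s",
++					strerror(errno));
++
+ 		return NULL;
+ 	}
++
+ 	socket_set_nonblock(err);
+ 
+ 	conn = connection_init(cn->anti_flood, cn->ssl, cn->timeout, 0);
+commit 222a33cb84a2e52ad55a88900b7895bf9dd0262c
+Author: Pierre-Louis Bonicoli <pierre-louis.bonicoli@gmx.fr>
+Date:   Sat Jan 7 11:41:02 2012 +0100
+
+    Buffer Overflow: check against the implicit size of select() arrays
+    
+    Reported by Julien Tinnes (Fix #269)
+    exit is called when the listening socket can not be created
+
+diff --git a/src/irc.c b/src/irc.c
+index ebc1b34..147a315 100644
+--- a/src/irc.c
++++ b/src/irc.c
+@@ -2439,9 +2439,10 @@ void bip_on_event(bip_t *bip, connection_t *conn)
+ 
+ 	if (conn == bip->listener) {
+ 		struct link_client *n = irc_accept_new(conn);
+-		assert(n);
+-		list_add_last(&bip->conn_list, CONN(n));
+-		list_add_last(&bip->connecting_client_list, n);
++		if (n) {
++			list_add_last(&bip->conn_list, CONN(n));
++			list_add_last(&bip->connecting_client_list, n);
++		}
+ 		return;
+ 	}
+ 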
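Review bot: In the accept_new hunk of src/connection.c, every accept() failure now goes through fatal(), so a transient errno such as ECONNABORTED, EINTR or EMFILE would stop the whole proxy (assuming fatal() exits, as the commit message implies) instead of dropping one connection attempt. If the process descriptor limit is at or below FD_SETSIZE, accept() fails with EMFILE before the new `err >= FD_SETSIZE` branch is ever reached, so descriptor exhaustion ends the daemon rather than refusing a client. The src/irc.c hunk already makes bip_on_event tolerate a NULL result, so the failure branch could stay non-fatal: `mylog(LOG_ERROR, "accept failed: %s", strerror(errno)); return NULL;`. The wait_event hunk makes the same trade by replacing the CONN_ERROR/continue path with fatal(). Whether a connection left at `handle = -1` by connect_trynext can still be in cn_list is not visible here and should be confirmed. All of these functions begin and end outside the hunks shown.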
