FreeBSD Bugzilla – Attachment 121689 Details for
Bug 164719
[PATCH] irc/bip: update to fix CVE-2012-0806
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
bip-0.8.8_1.patch
bip-0.8.8_1.patch (text/plain), 5.02 KB, created by
Steve Wills
on 2012-02-02 20:50:10 UTC
(
hide
)
Description:
bip-0.8.8_1.patch
Filename:
MIME Type:
Creator:
Steve Wills
Created:
2012-02-02 20:50:10 UTC
Size:
5.02 KB
patch
obsolete
>Index: Makefile >=================================================================== >RCS file: /home/pcvs/ports/irc/bip/Makefile,v >retrieving revision 1.19 >diff -u -u -r1.19 Makefile >--- Makefile 23 Sep 2011 22:23:32 -0000 1.19 >+++ Makefile 2 Feb 2012 20:40:30 -0000 >@@ -7,6 +7,7 @@ > > PORTNAME= bip > PORTVERSION= 0.8.8 >+PORTREVISION= 1 > CATEGORIES= irc > MASTER_SITES= https://projects.duckcorp.org/attachments/download/39/ > >@@ -14,6 +15,7 @@ > COMMENT= A simple IRC proxy with SSL support > > LICENSE= GPLv2 >+ > GNU_CONFIGURE= yes > LDFLAGS+= -L${LOCALBASE}/lib > USE_GMAKE= yes >@@ -21,6 +23,7 @@ > > USE_OPENSSL= yes > >+PATCH_STRIP= -p1 > PLIST_FILES= bin/bip bin/bipmkpw > SUB_FILES= pkg-message > MAN1= bip.1 bipmkpw.1 >Index: files/patch-bip-269 >=================================================================== >RCS file: files/patch-bip-269 >diff -N files/patch-bip-269 >--- /dev/null 1 Jan 1970 00:00:00 -0000 >+++ files/patch-bip-269 2 Feb 2012 20:40:30 -0000 >@@ -0,0 +1,139 @@ >+commit 222a33cb84a2e52ad55a88900b7895bf9dd0262c >+Author: Pierre-Louis Bonicoli <pierre-louis.bonicoli@gmx.fr> >+Date: Sat Jan 7 11:41:02 2012 +0100 >+ >+ Buffer Overflow: check against the implicit size of select() arrays >+ >+ Reported by Julien Tinnes (Fix #269) >+ exit is called when the listening socket can not be created >+ >+diff --git a/src/bip.c b/src/bip.c >+index d46ee2b..b4ac706 100644 >+--- a/src/bip.c >++++ b/src/bip.c >+@@ -1311,7 +1311,7 @@ int main(int argc, char **argv) >+ close(fd); >+ >+ bip.listener = listen_new(conf_ip, conf_port, conf_css); >+- if (!bip.listener) >++ if (!bip.listener || bip.listener->connected == CONN_ERROR) >+ fatal("Could not create listening socket"); >+ >+ for (;;) { >+commit 222a33cb84a2e52ad55a88900b7895bf9dd0262c >+Author: Pierre-Louis Bonicoli <pierre-louis.bonicoli@gmx.fr> >+Date: Sat Jan 7 11:41:02 2012 +0100 >+ >+ Buffer Overflow: check against the implicit size of select() arrays >+ >+ Reported by Julien Tinnes (Fix #269) >+ exit is called when the listening socket can not be created >+ >+diff --git a/src/connection.c b/src/connection.c >+index 07ab431..5c4c24a 100644 >+--- a/src/connection.c >++++ b/src/connection.c >+@@ -124,6 +124,18 @@ static void connect_trynext(connection_t *cn) >+ continue; >+ } >+ >++ if (cn->handle >= FD_SETSIZE) { >++ mylog(LOG_WARN, "too many fd used, close socket %d", >++ cn->handle); >++ >++ if (close(cn->handle) == -1) >++ mylog(LOG_WARN, "Error on socket close: %s", >++ strerror(errno)); >++ >++ cn->handle = -1; >++ break; >++ } >++ >+ socket_set_nonblock(cn->handle); >+ >+ if (cn->connecting_data->src) { >+@@ -789,13 +801,8 @@ list_t *wait_event(list_t *cn_list, int *msec, int *nc) >+ /* >+ * This shouldn't happen ! just in case... >+ */ >+- if (cn->handle < 0) { >+- mylog(LOG_WARN, "wait_event invalid socket %d", >+- cn->handle); >+- if (cn_is_connected(cn)) >+- cn->connected = CONN_ERROR; >+- continue; >+- } >++ if (cn->handle < 0 || cn->handle >= FD_SETSIZE) >++ fatal("wait_event invalid socket %d", cn->handle); >+ >+ /* exceptions are OOB and disconnections */ >+ FD_SET(cn->handle, &fds_except); >+@@ -966,6 +973,18 @@ static void create_listening_socket(char *hostname, char *port, >+ continue; >+ } >+ >++ if (cn->handle >= FD_SETSIZE) { >++ mylog(LOG_WARN, "too many fd used, close listening socket %d", >++ cn->handle); >++ >++ if (close(cn->handle) == -1) >++ mylog(LOG_WARN, "Error on socket close: %s", >++ strerror(errno)); >++ >++ cn->handle = -1; >++ break; >++ } >++ >+ if (setsockopt(cn->handle, SOL_SOCKET, SO_REUSEADDR, >+ (char *)&multi_client, >+ sizeof(multi_client)) < 0) { >+@@ -1113,10 +1132,21 @@ connection_t *accept_new(connection_t *cn) >+ >+ mylog(LOG_DEBUG, "Trying to accept new client on %d", cn->handle); >+ err = accept(cn->handle, &sa, &sa_len); >++ >+ if (err < 0) { >+- mylog(LOG_ERROR, "accept failed: %s", strerror(errno)); >++ fatal("accept failed: %s", strerror(errno)); >++ } >++ >++ if (err >= FD_SETSIZE) { >++ mylog(LOG_WARN, "too many client connected, close %d", err); >++ >++ if (close(err) == -1) >++ mylog(LOG_WARN, "Error on socket close: %s", >++ strerror(errno)); >++ >+ return NULL; >+ } >++ >+ socket_set_nonblock(err); >+ >+ conn = connection_init(cn->anti_flood, cn->ssl, cn->timeout, 0); >+commit 222a33cb84a2e52ad55a88900b7895bf9dd0262c >+Author: Pierre-Louis Bonicoli <pierre-louis.bonicoli@gmx.fr> >+Date: Sat Jan 7 11:41:02 2012 +0100 >+ >+ Buffer Overflow: check against the implicit size of select() arrays >+ >+ Reported by Julien Tinnes (Fix #269) >+ exit is called when the listening socket can not be created >+ >+diff --git a/src/irc.c b/src/irc.c >+index ebc1b34..147a315 100644 >+--- a/src/irc.c >++++ b/src/irc.c >+@@ -2439,9 +2439,10 @@ void bip_on_event(bip_t *bip, connection_t *conn) >+ >+ if (conn == bip->listener) { >+ struct link_client *n = irc_accept_new(conn); >+- assert(n); >+- list_add_last(&bip->conn_list, CONN(n)); >+- list_add_last(&bip->connecting_client_list, n); >++ if (n) { >++ list_add_last(&bip->conn_list, CONN(n)); >++ list_add_last(&bip->connecting_client_list, n); >++ } >+ return; >+ } >+
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=121689">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 164719
: 121689