代码拉取完成,页面将自动刷新
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135
idiff -up openslp-2.0.0/common/slp_buffer.c.orig openslp-2.0.0/common/slp_buffer.c
--- openslp-2.0.0/common/slp_buffer.c.orig 2012-12-11 00:31:53.000000000 +0100
+++ openslp-2.0.0/common/slp_buffer.c 2019-12-09 10:39:16.422058793 +0100
@@ -153,4 +160,20 @@ void SLPBufferFree(SLPBuffer buf)
xfree(buf);
}
+/** Report remaining free buffer size in bytes.
+ *
+ * Check if buffer is allocated and if so return bytes left in a
+ * @c SLPBuffer object.
+ *
+ * @param[in] buf The SLPBuffer to be freed.
+ */
+size_t
+RemainingBufferSpace(SLPBuffer buf)
+{
+ if (buf->allocated == 0) {
+ return 0;
+ }
+ return buf->end - buf->curpos;
+}
+
/*=========================================================================*/
diff -up openslp-2.0.0/common/slp_buffer.h.orig openslp-2.0.0/common/slp_buffer.h
--- openslp-2.0.0/common/slp_buffer.h.orig 2012-11-28 18:07:04.000000000 +0100
+++ openslp-2.0.0/common/slp_buffer.h 2019-12-09 10:39:16.422058793 +0100
@@ -78,6 +85,8 @@ SLPBuffer SLPBufferListRemove(SLPBuffer
SLPBuffer SLPBufferListAdd(SLPBuffer * list, SLPBuffer buf);
+size_t RemainingBufferSpace(SLPBuffer buf);
+
/*! @} */
#endif /* SLP_BUFFER_H_INCLUDED */
diff -up openslp-2.0.0/slpd/slpd_process.c.orig openslp-2.0.0/slpd/slpd_process.c
--- openslp-2.0.0/slpd/slpd_process.c.orig 2019-12-09 10:39:16.420058789 +0100
+++ openslp-2.0.0/slpd/slpd_process.c 2019-12-09 10:39:16.422058793 +0100
@@ -523,13 +530,27 @@ RESPOND:
{
for (i = 0; i < db->urlcount; i++)
{
- /* urlentry is the url from the db result */
urlentry = db->urlarray[i];
+ if (urlentry->opaque != NULL) {
+ const int64_t newsize = size + urlentry->opaquelen;
+ if (urlentry->opaquelen <= 0 || newsize > INT_MAX)
+ {
+ SLPDLog("Invalid opaquelen %d or sizeo of opaque url is too big, size=%d\n",
+ urlentry->opaquelen, size);
+ errorcode = SLP_ERROR_PARSE_ERROR;
+ goto FINISHED;
+ }
+ size += urlentry->opaquelen;
+ }
+ else
+ {
+ /* urlentry is the url from the db result */
+ size += urlentry->urllen + 6; /* 1 byte for reserved */
+ /* 2 bytes for lifetime */
+ /* 2 bytes for urllen */
+ /* 1 byte for authcount */
+ }
- size += urlentry->urllen + 6; /* 1 byte for reserved */
- /* 2 bytes for lifetime */
- /* 2 bytes for urllen */
- /* 1 byte for authcount */
#ifdef ENABLE_SLPv2_SECURITY
/* make room to include the authblock that was asked for */
if (G_SlpdProperty.securityEnabled
@@ -603,7 +624,7 @@ RESPOND:
urlentry = db->urlarray[i];
#ifdef ENABLE_SLPv1
- if (urlentry->opaque == 0)
+ if (urlentry->opaque == NULL)
{
/* url-entry reserved */
*result->curpos++ = 0;
@@ -615,8 +636,18 @@ RESPOND:
PutUINT16(&result->curpos, urlentry->urllen);
/* url-entry url */
- memcpy(result->curpos, urlentry->url, urlentry->urllen);
- result->curpos += urlentry->urllen;
+ if (RemainingBufferSpace(result) >= urlentry->urllen)
+ {
+ memcpy(result->curpos, urlentry->url, urlentry->urllen);
+ result->curpos = result->curpos + urlentry->urllen;
+ }
+ else
+ {
+ SLPDLog("Url too big (ask: %d have %" PRId64 "), failing request\n",
+ urlentry->opaquelen, (int64_t) RemainingBufferSpace(result));
+ errorcode = SLP_ERROR_PARSE_ERROR;
+ goto FINISHED;
+ }
/* url-entry auths */
*result->curpos++ = 0;
@@ -628,14 +659,24 @@ RESPOND:
/* TRICKY: Fix up the lifetime. */
TO_UINT16(urlentry->opaque + 1, urlentry->lifetime);
- memcpy(result->curpos, urlentry->opaque, urlentry->opaquelen);
-
- /* TRICKY: Fix up the result authblock count. */
- if (urlentry->authcount)
- result->curpos[1 + 2 + 2 + urlentry->urllen] = (uint8_t)urlentry->authcount;
- /* 1 reserved + 2 lifetime + 2 url length */
-
- result->curpos += urlentry->opaquelen;
+ if (RemainingBufferSpace(result) >= urlentry->opaquelen)
+ {
+ memcpy(result->curpos, urlentry->opaque, urlentry->opaquelen);
+
+ /* TRICKY: Fix up the result authblock count. */
+ if (urlentry->authcount)
+ result->curpos[1 + 2 + 2 + urlentry->urllen] = (uint8_t)urlentry->authcount;
+ /* 1 reserved + 2 lifetime + 2 url length */
+
+ result->curpos = result->curpos + urlentry->opaquelen;
+ }
+ else
+ {
+ SLPDLog("Opaque Url too big (ask: %d have %" PRId64 "), failing request\n",
+ urlentry->opaquelen, (int64_t) RemainingBufferSpace(result));
+ errorcode = SLP_ERROR_PARSE_ERROR;
+ goto FINISHED;
+ }
}
}
}
举报
请认真填写举报原因,尽可能描述详细。
请选择举报类型
误判申诉
此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。
马建仓 AI 助手
尝试更多
代码解读
代码找茬
代码优化