parent
ec21863221
commit
49aeb67ff3
@ -0,0 +1,57 @@
|
|||||||
|
From a83dae404feac517695c23ff43ce1e116e2bfbe0 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Michael Catanzaro <mcatanzaro@gnome.org>
|
||||||
|
Date: Wed, 9 Sep 2020 11:12:02 -0500
|
||||||
|
Subject: [PATCH] Rewrite url::recvline to be nonrecursive
|
||||||
|
|
||||||
|
This function processes network input. It's semi-trusted, because the
|
||||||
|
PAC ought to be trusted. But we still shouldn't allow it to control how
|
||||||
|
far we recurse. A malicious PAC can cause us to overflow the stack by
|
||||||
|
sending a sufficiently-long line without any '\n' character.
|
||||||
|
|
||||||
|
Also, this function failed to properly handle EINTR, so let's fix that
|
||||||
|
too, for good measure.
|
||||||
|
|
||||||
|
Fixes #134
|
||||||
|
---
|
||||||
|
libproxy/url.cpp | 28 ++++++++++++++++++----------
|
||||||
|
1 file changed, 18 insertions(+), 10 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/libproxy/url.cpp b/libproxy/url.cpp
|
||||||
|
index ee776b2..68d69cd 100644
|
||||||
|
--- a/libproxy/url.cpp
|
||||||
|
+++ b/libproxy/url.cpp
|
||||||
|
@@ -388,16 +388,24 @@ string url::to_string() const {
|
||||||
|
return m_orig;
|
||||||
|
}
|
||||||
|
|
||||||
|
-static inline string recvline(int fd) {
|
||||||
|
- // Read a character.
|
||||||
|
- // If we don't get a character, return empty string.
|
||||||
|
- // If we are at the end of the line, return empty string.
|
||||||
|
- char c = '\0';
|
||||||
|
-
|
||||||
|
- if (recv(fd, &c, 1, 0) != 1 || c == '\n')
|
||||||
|
- return "";
|
||||||
|
-
|
||||||
|
- return string(1, c) + recvline(fd);
|
||||||
|
+static string recvline(int fd) {
|
||||||
|
+ string line;
|
||||||
|
+ int ret;
|
||||||
|
+
|
||||||
|
+ // Reserve arbitrary amount of space to avoid small memory reallocations.
|
||||||
|
+ line.reserve(128);
|
||||||
|
+
|
||||||
|
+ do {
|
||||||
|
+ char c;
|
||||||
|
+ ret = recv(fd, &c, 1, 0);
|
||||||
|
+ if (ret == 1) {
|
||||||
|
+ if (c == '\n')
|
||||||
|
+ return line;
|
||||||
|
+ line += c;
|
||||||
|
+ }
|
||||||
|
+ } while (ret == 1 || (ret == -1 && errno == EINTR));
|
||||||
|
+
|
||||||
|
+ return line;
|
||||||
|
}
|
||||||
|
|
||||||
|
char* url::get_pac() {
|
@ -0,0 +1,93 @@
|
|||||||
|
From 4411b523545b22022b4be7d0cac25aa170ae1d3e Mon Sep 17 00:00:00 2001
|
||||||
|
From: Fei Li <lifeibiren@gmail.com>
|
||||||
|
Date: Fri, 17 Jul 2020 02:18:37 +0800
|
||||||
|
Subject: [PATCH] Fix buffer overflow when PAC is enabled
|
||||||
|
|
||||||
|
The bug was found on Windows 10 (MINGW64) when PAC is enabled. It turned
|
||||||
|
out to be the large PAC file (more than 102400 bytes) returned by a
|
||||||
|
local proxy program with no content-length present.
|
||||||
|
---
|
||||||
|
libproxy/url.cpp | 44 +++++++++++++++++++++++++++++++-------------
|
||||||
|
1 file changed, 31 insertions(+), 13 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/libproxy/url.cpp b/libproxy/url.cpp
|
||||||
|
index ee776b2..8684086 100644
|
||||||
|
--- a/libproxy/url.cpp
|
||||||
|
+++ b/libproxy/url.cpp
|
||||||
|
@@ -54,7 +54,7 @@ using namespace std;
|
||||||
|
#define PAC_MIME_TYPE_FB "text/plain"
|
||||||
|
|
||||||
|
// This is the maximum pac size (to avoid memory attacks)
|
||||||
|
-#define PAC_MAX_SIZE 102400
|
||||||
|
+#define PAC_MAX_SIZE 0x800000
|
||||||
|
// This is the default block size to use when receiving via HTTP
|
||||||
|
#define PAC_HTTP_BLOCK_SIZE 512
|
||||||
|
|
||||||
|
@@ -478,15 +478,13 @@ char* url::get_pac() {
|
||||||
|
}
|
||||||
|
|
||||||
|
// Get content
|
||||||
|
- unsigned int recvd = 0;
|
||||||
|
- buffer = new char[PAC_MAX_SIZE];
|
||||||
|
- memset(buffer, 0, PAC_MAX_SIZE);
|
||||||
|
+ std::vector<char> dynamic_buffer;
|
||||||
|
do {
|
||||||
|
unsigned int chunk_length;
|
||||||
|
|
||||||
|
if (chunked) {
|
||||||
|
// Discard the empty line if we received a previous chunk
|
||||||
|
- if (recvd > 0) recvline(sock);
|
||||||
|
+ if (!dynamic_buffer.empty()) recvline(sock);
|
||||||
|
|
||||||
|
// Get the chunk-length line as an integer
|
||||||
|
if (sscanf(recvline(sock).c_str(), "%x", &chunk_length) != 1 || chunk_length == 0) break;
|
||||||
|
@@ -498,21 +496,41 @@ char* url::get_pac() {
|
||||||
|
|
||||||
|
if (content_length >= PAC_MAX_SIZE) break;
|
||||||
|
|
||||||
|
- while (content_length == 0 || recvd != content_length) {
|
||||||
|
- int r = recv(sock, buffer + recvd,
|
||||||
|
- content_length == 0 ? PAC_HTTP_BLOCK_SIZE
|
||||||
|
- : content_length - recvd, 0);
|
||||||
|
+ while (content_length == 0 || dynamic_buffer.size() != content_length) {
|
||||||
|
+ // Calculate length to recv
|
||||||
|
+ unsigned int length_to_read = PAC_HTTP_BLOCK_SIZE;
|
||||||
|
+ if (content_length > 0)
|
||||||
|
+ length_to_read = content_length - dynamic_buffer.size();
|
||||||
|
+
|
||||||
|
+ // Prepare buffer
|
||||||
|
+ dynamic_buffer.resize(dynamic_buffer.size() + length_to_read);
|
||||||
|
+
|
||||||
|
+ int r = recv(sock, dynamic_buffer.data() + dynamic_buffer.size() - length_to_read, length_to_read, 0);
|
||||||
|
+
|
||||||
|
+ // Shrink buffer to fit
|
||||||
|
+ if (r >= 0)
|
||||||
|
+ dynamic_buffer.resize(dynamic_buffer.size() - length_to_read + r);
|
||||||
|
+
|
||||||
|
+ // PAC size too large, discard
|
||||||
|
+ if (dynamic_buffer.size() >= PAC_MAX_SIZE) {
|
||||||
|
+ chunked = false;
|
||||||
|
+ dynamic_buffer.clear();
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if (r <= 0) {
|
||||||
|
chunked = false;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
- recvd += r;
|
||||||
|
}
|
||||||
|
} while (chunked);
|
||||||
|
|
||||||
|
- if (content_length != 0 && string(buffer).size() != content_length) {
|
||||||
|
- delete[] buffer;
|
||||||
|
- buffer = NULL;
|
||||||
|
+ if (content_length == 0 || content_length == dynamic_buffer.size()) {
|
||||||
|
+ buffer = new char[dynamic_buffer.size() + 1];
|
||||||
|
+ if (!dynamic_buffer.empty()) {
|
||||||
|
+ memcpy(buffer, dynamic_buffer.data(), dynamic_buffer.size());
|
||||||
|
+ }
|
||||||
|
+ buffer[dynamic_buffer.size()] = '\0';
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
Loading…
Reference in new issue