diff -Xcvsignore -ur kdenetwork-3.0.4/lanbrowsing/kio_lan/kio_lan.cpp kdenetwork-3.0.5/lanbrowsing/kio_lan/kio_lan.cpp
--- kdenetwork-3.0.4/lanbrowsing/kio_lan/kio_lan.cpp    2002-01-03 21:34:12.000000000 +0100
+++ kdenetwork-3.0.5/lanbrowsing/kio_lan/kio_lan.cpp    2002-11-07 11:24:19.000000000 +0100
@@ -176,13 +176,14 @@

   char *currentBuf=receiveBuffer;
   int bytesLeft=receivedBytes;
-   int tmpIP;
   //this should be large enough for a name
-   char tmpName[1024];
+   char tmpName[4*1024];
   //this should be large enough for the hostname
-   char tmpHostname[512];
+   char tmpHostname[4*1024];
   while (bytesLeft>0)
   {
+      int tmpIP=2;
+      tmpName[0]='\0';
      if ((memchr(currentBuf,0,bytesLeft)==0) || (memchr(currentBuf,int('\n'),bytesLeft)==0))
      {
         delete [] receiveBuffer;
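Review bot: Growing `tmpHostname` to 4 KiB does not by itself bound whatever writes into it; that write is outside this hunk, so if it is an unbounded copy the limit has only moved. The size is also a bare literal that has to stay equal to the `length<(4*1024)` guard added in the next hunk. Deriving the guard from the buffer, `if (length<(int)sizeof(tmpName))`, keeps the two from drifting apart. The comments `//this should be large enough ...` would be more accurate as `//bounded by the length check before sscanf() below`. The identical declarations in the hunk at -344,13 have the same issue.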
@@ -190,17 +191,19 @@
         return 0;
      };
      kdDebug(7101)<<"LANProtocol::lanReadDataFromServer: processing "<<currentBuf;
-      sscanf(currentBuf,"%u %s\n",&tmpIP,tmpName);
      //since we check for 0 and \n with memchr() we can be sure
      //at this point that tmpBuf is correctly terminated
      int length=strlen(currentBuf)+1;
+      if (length<(4*1024))
+         sscanf(currentBuf,"%u %s\n",&tmpIP,tmpName);
+
      bytesLeft-=length;
      currentBuf+=length;
-      if ((bytesLeft==0) && (strstr(tmpName,"succeeded")!=0) && ((tmpIP==0) ||(tmpIP==1)))
+      if ((bytesLeft==0) && ((tmpIP==0) ||(tmpIP==1)) && (strstr(tmpName,"succeeded")!=0))
      {
         kdDebug(7101)<<"LANProtocol::lanReadDataFromServer: succeeded"<<endl;
      }
-      else
+      else if (tmpIP!=2)
      {
         kdDebug(7101)<<"LANProtocol::lanReadDataFromServer: listing host: "<<tmpName<<" with ip: "<<tmpIP<<endl;
         UDSAtom atom;
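Review bot: The result of `sscanf` is never checked, so a line that yields the number but no name leaves `tmpIP` set and `tmpName` empty, and the `else if (tmpIP!=2)` branch then lists a host with an empty name. Because 2 is an in-band sentinel, a well-formed line whose first field is 2 is also dropped silently. Tracking the parse result avoids both: `bool parsed=(length<(int)sizeof(tmpName)) && (sscanf(currentBuf,"%u %s\n",&tmpIP,tmpName)==2);` followed by `else if (parsed)`. Separately, `%u` is given an `int*`, so `tmpIP` should probably be declared `unsigned int`. The same pattern is repeated in the hunk at -358,17 of this file and in the hunks at -687,14 and -712,7 of netmanager.cpp; the loop body continues outside this hunk.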
@@ -344,13 +347,14 @@

   char *currentBuf=receiveBuffer;
   int bytesLeft=receivedBytes;
-   int tmpIP;
   //this should be large enough for a name
-   char tmpName[1024];
+   char tmpName[4*1024];
   //this should be large enough for the hostname
-   char tmpHostname[512];
+   char tmpHostname[4*1024];
   while (bytesLeft>0)
   {
+      int tmpIP=2;
+      tmpName[0]='\0';
      if ((memchr(currentBuf,0,bytesLeft)==0) || (memchr(currentBuf,int('\n'),bytesLeft)==0))
      {
         delete [] receiveBuffer;
@@ -358,17 +362,19 @@
         return 0;
      };
      kdDebug(7101)<<"RLANProtocol::readDataFromServer: processing "<<currentBuf;
-      sscanf(currentBuf,"%u %s\n",&tmpIP,tmpName);
      //since we check for 0 and \n with memchr() we can be sure
      //at this point that tmpBuf is correctly terminated
      int length=strlen(currentBuf)+1;
+      if (length<(4*1024))
+         sscanf(currentBuf,"%u %s\n",&tmpIP,tmpName);
+
      bytesLeft-=length;
      currentBuf+=length;
-      if ((bytesLeft==0) && (strstr(tmpName,"succeeded")!=0) && ((tmpIP==0) ||(tmpIP==1)))
+      if ((bytesLeft==0) && ((tmpIP==0) ||(tmpIP==1)) && (strstr(tmpName,"succeeded")!=0) )
      {
         kdDebug(7101)<<"RLANProtocol::readDataFromServer: succeeded"<<endl;
      }
-      else
+      else if (tmpIP!=2)
      {
         kdDebug(7101)<<"RLANProtocol::readDataFromServer: listing host: "<<tmpName<<" with ip: "<<tmpIP<<endl;
         UDSAtom atom;
@@ -436,7 +442,7 @@
         delete hostInfo;
         return 0;
      }
-      memcpy(&ip, hp->h_addr, hp->h_length);
+      memcpy(&ip, hp->h_addr, sizeof(ip));

      for (int i=0; i<KIOLAN_MAX; i++)
      {
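Review bot: Copying `sizeof(ip)` bytes stops the write overflow, but it now reads past the resolver's address whenever `hp->h_length` is smaller than `sizeof(ip)`, and it still accepts any address family. A guard before the copy would make the assumption explicit: `if ((hp->h_addrtype!=AF_INET) || (hp->h_length!=(int)sizeof(ip)))`, followed by the same `delete hostInfo; return 0;` as the failure branch just above. The declaration of `ip` is outside the hunk, so this assumes it holds an IPv4 address. The same applies to the `memcpy(&server_addr, ...)` hunk in netscanner.cpp, where skipping the entry would be the equivalent reaction.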
diff -Xcvsignore -ur kdenetwork-3.0.4/lanbrowsing/lisa/ChangeLog kdenetwork-3.0.5/lanbrowsing/lisa/ChangeLog
--- kdenetwork-3.0.4/lanbrowsing/lisa/ChangeLog 2001-01-03 21:38:01.000000000 +0100
+++ kdenetwork-3.0.5/lanbrowsing/lisa/ChangeLog 2002-11-07 11:24:19.000000000 +0100
@@ -1,2 +1,5 @@
+0.1.3
+-security fixes: fixed LOGNAME vulnerabilty and another possible buffer overflow
+
Version 0.1
-initial version
diff -Xcvsignore -ur kdenetwork-3.0.4/lanbrowsing/lisa/lisadefines.h kdenetwork-3.0.5/lanbrowsing/lisa/lisadefines.h
--- kdenetwork-3.0.4/lanbrowsing/lisa/lisadefines.h     2001-10-26 14:05:47.000000000 +0200
+++ kdenetwork-3.0.5/lanbrowsing/lisa/lisadefines.h     2002-11-12 00:27:38.000000000 +0100
@@ -2,7 +2,7 @@
#define LISADEFINES_H


-#define MYVERSION "0.1.1"
+#define MYVERSION "0.2.2"
#define MY_ID 7741
#define MYPORT 7741
#define MAX_SPECS 32
diff -Xcvsignore -ur kdenetwork-3.0.4/lanbrowsing/lisa/netmanager.cpp kdenetwork-3.0.5/lanbrowsing/lisa/netmanager.cpp
--- kdenetwork-3.0.4/lanbrowsing/lisa/netmanager.cpp    2002-02-02 23:27:59.000000000 +0100
+++ kdenetwork-3.0.5/lanbrowsing/lisa/netmanager.cpp    2002-11-12 00:27:38.000000000 +0100
@@ -27,6 +27,7 @@
#include <strings.h>
#include <errno.h>
#include <string.h>
+#include <pwd.h>

#ifndef AF_LOCAL
#define AF_LOCAL AF_UNIX
@@ -70,7 +71,7 @@

NetManager::~NetManager()
{
-   mgetDebug()<<"netknife destructor ..."<<std::endl;
+   mgetDebug()<<"NetManager destructor ..."<<std::endl;
   if (m_receiveBuffer!=0) delete [] m_receiveBuffer;
   ::close(m_listenFD);
   ::close(m_bcFD);
@@ -131,14 +132,28 @@
      m_listenFD=::socket(AF_LOCAL, SOCK_STREAM, 0);
      //m_listenFD=::socket(AF_LOCAL, SOCK_STREAM, IPPROTO_TCP);
      MyString socketName("/tmp/resLisa-");
-      socketName+=getenv("LOGNAME");
+      struct passwd *user = getpwuid( getuid() );
+      if ( user )
+         socketName+=user->pw_name;
+      else
+         //should never happen
+         socketName+="???";
      ::unlink(socketName.data());
      sockaddr_un serverAddr;
-//      bzero((char*)&serverAddr, sizeof(serverAddr));
+      if (socketName.length() >= sizeof(serverAddr.sun_path))
+      {
+         std::cout<<"NetManager::prepare: your user name  \""<<user->pw_name<<"\" is too long, exiting."<<std::endl;
+         return 0;
+      }
      memset((void*)&serverAddr, 0, sizeof(serverAddr));
-      serverAddr.sun_family      = AF_LOCAL;
-      strcpy(serverAddr.sun_path,socketName.data());
-      ::bind(m_listenFD,(sockaddr*) &serverAddr,sizeof(serverAddr));
+      serverAddr.sun_family=AF_LOCAL;
+      strncpy(serverAddr.sun_path,socketName.data(),sizeof(serverAddr.sun_path));
+      result=::bind(m_listenFD,(sockaddr*) &serverAddr,sizeof(serverAddr));
+      if (result!=0)
+      {
+         std::cout<<"NetManager::prepare: bind (UNIX socket) failed, errno: "<<errno<<std::endl;
+         return 0;
+      }
   }
   else
   {
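Review bot: The `::socket(AF_LOCAL, ...)` call at the top of this branch is still unchecked, while the TCP branch in the following hunk tests its descriptor; an `if (m_listenFD==-1)` with the same message-and-`return 0` pattern would keep a failed socket from reaching `bind`. The `"???"` fallback gives every account whose passwd lookup fails the same path `/tmp/resLisa-???`; returning 0 there would be safer than sharing a socket name. `::unlink` also runs before the length check and its result is ignored, so moving it after the check, directly before `bind`, keeps the early exit free of side effects. The start of `NetManager::prepare` is outside this hunk.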
@@ -148,7 +163,7 @@
      {
         std::cout<<"NetManager::prepare: socket(TCP) failed, errno: "<<errno<<std::endl;
         return 0;
-      };
+      }

      sockaddr_in serverAddress;
//      bzero((char*)&serverAddress, sizeof(serverAddress));
@@ -654,6 +669,10 @@
   m_receivedBytes+=result;
   if (m_receiveBuffer!=0) delete [] m_receiveBuffer;
   m_receiveBuffer=newBuf;
+   // too much data - abort at 2MB to avoid memory exhaustion
+   if (m_receivedBytes>2*1024*1024)
+     return 0;
+
   return 1;
};

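Review bot: The 2 MB limit is tested only after `m_receiveBuffer` has been replaced by the grown buffer, so the allocation and copy that the limit is meant to prevent have already happened for the read that crosses it. That code is outside this hunk, so this is inferred from the visible `m_receiveBuffer=newBuf`. Testing before growing, e.g. `if (m_receivedBytes+result>MAX_RECEIVE_BYTES) return 0;` ahead of the allocation, would bound memory exactly. `MAX_RECEIVE_BYTES` is a suggested name for a new constant next to the other limits in lisadefines.h, not an existing identifier. The comment should also say whether the caller frees the buffer on this `return 0`.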
@@ -665,14 +684,15 @@

   char *tmpBuf=m_receiveBuffer;
   int bytesLeft=m_receivedBytes;
-   int tmpIP;
   mgetDebug()<<"m_receivedBytes: "<<m_receivedBytes<<" bytesLeft: "<<bytesLeft<<std::endl;
   //this should be large enough for a name
   //and the stuff which is inserted into the buffer
-   //comes only from ourselves
+   //comes only from ourselves ... or attackers :-(
   char tmpName[1024*4];
   while (bytesLeft>0)
   {
+      int tmpIP=2;  // well, some impossible IP address, 0 and 1 are already used for the last line of output
+      tmpName[0]='\0';
      if ((memchr(tmpBuf,0,bytesLeft)==0) || (memchr(tmpBuf,int('\n'),bytesLeft)==0))
      {
         delete newNodes;
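Review bot: The edited comment `//comes only from ourselves ... or attackers :-(` does not tell the next reader what actually keeps `tmpName` safe. Something like `//input is untrusted; lines of 4*1024 bytes or more are skipped before sscanf()` states the invariant that the next hunk introduces. The declaration `char tmpName[1024*4]` and that guard, `length<(4*1024)`, spell the same bound as separate literals; using `sizeof(tmpName)` in the guard would tie them together.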
@@ -687,14 +707,16 @@
         return 0;
      };
      //mgetDebug()<<"NetManager::processScanResults: processing -"<<tmpBuf;
-      sscanf(tmpBuf,"%u %s\n",&tmpIP,tmpName);
      //since we check for 0 and \n with memchr() we can be sure
      //at this point that tmpBuf is correctly terminated
      int length=strlen(tmpBuf)+1;
+      if (length<(4*1024))
+         sscanf(tmpBuf,"%u %s\n",&tmpIP,tmpName);
+
      bytesLeft-=length;
      tmpBuf+=length;
      mgetDebug()<<"length: "<<length<<" bytesLeft: "<<bytesLeft<<std::endl;
-      if ((bytesLeft==0) && (strstr(tmpName,"succeeded")!=0) && ((tmpIP==0) ||(tmpIP==1)))
+      if ((bytesLeft==0) && ((tmpIP==0) ||(tmpIP==1)) && (strstr(tmpName,"succeeded")!=0))
      {
         mgetDebug()<<"NetManager::processScanResults: succeeded :-)"<<std::endl;
         delete hostList;
@@ -712,7 +734,7 @@

         return 1;
      }
-      else
+      else if (tmpIP!=2)
      {
         //mgetDebug()<<"NetManager::processScanResults: adding host: "<<tmpName<<" with ip: "<<tmpIP<<std::endl;
         newNodes->append(Node(tmpName,tmpIP));
diff -Xcvsignore -ur kdenetwork-3.0.4/lanbrowsing/lisa/netscanner.cpp kdenetwork-3.0.5/lanbrowsing/lisa/netscanner.cpp
--- kdenetwork-3.0.4/lanbrowsing/lisa/netscanner.cpp    2002-02-02 23:27:59.000000000 +0100
+++ kdenetwork-3.0.5/lanbrowsing/lisa/netscanner.cpp    2002-11-07 11:24:19.000000000 +0100
@@ -36,6 +36,10 @@
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>

+#ifndef INADDR_NONE
+#define INADDR_NONE -1
+#endif
+
#define mgetDebug() getDebug()<<procId

struct ICMPEchoRequest
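Review bot: The fallback `#define INADDR_NONE -1` expands to an unparenthesised negative literal, which can bind unexpectedly inside a larger expression. `#define INADDR_NONE (-1)` keeps the conversion to whatever unsigned type it is compared with and removes the precedence risk. A short comment such as `// fallback for systems whose headers lack INADDR_NONE` would explain why it is here; the uses of the macro are outside this hunk.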
@@ -133,7 +137,7 @@
      {
         if ((m_strictMode) && (hostsAdded>=STRICTMODEMAXHOSTS))
            break;
-         memcpy(&server_addr, hp->h_addr, hp->h_length);
+         memcpy(&server_addr, hp->h_addr, sizeof(server_addr));
         char *ip=inet_ntoa(server_addr);
         mgetDebug()<<"NetScanner::configure(): looking up "<<nextName<<" gives -"<<ip<<"-"<<std::endl;
         ipRangeStr=ipRangeStr+ip+';';
@@ -377,6 +381,9 @@
         };
      };
   } while (!done);
+
+   // Warning: The return value of plcose may be incorrect due to the
+   // SIGCHLD handler that is installed. Ignore it!
   pclose(nmblookupFile);

   delete [] tmpBuf;
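Review bot: The added comment misspells `pclose` as `plcose`, and the code itself does not show that discarding the return value is deliberate. Suggested wording: `// Warning: the return value of pclose() may be incorrect due to the SIGCHLD handler that is installed. Ignore it!`, with the call written as `(void)pclose(nmblookupFile);`.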