1078a47634
fixes CVE-2017-8366 and CVE-2017-6430. Patches from upstream, git revisions 1083d604930ebb9f350126b83802ecd2cbc17f90 and 7f50c57b2101fe75592c8dc9960883bbd1878bce
201 lines
9 KiB
Diff
201 lines
9 KiB
Diff
diff --git a/CMakeLists.txt b/CMakeLists.txt
|
|
index 90050590..8f7c7c36 100644
|
|
--- CMakeLists.txt
|
|
+++ CMakeLists.txt
|
|
@@ -126,7 +126,27 @@ if(NOT DISABLE_RPATH)
|
|
set(CMAKE_INSTALL_RPATH_USE_LINK_PATH TRUE)
|
|
set(CMAKE_MACOSX_RPATH 1)
|
|
endif(NOT DISABLE_RPATH)
|
|
+
|
|
+# set general build flags for debug build-type
|
|
set(CMAKE_C_FLAGS_DEBUG "-O0 -ggdb3 -DDEBUG -Wall -Wno-pointer-sign -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security -Wextra -Wredundant-decls" CACHE STRING "" FORCE)
|
|
+# append ASAN build flags if compiler version has support
|
|
+if ("${CMAKE_C_COMPILER_ID}" STREQUAL "GNU")
|
|
+ if (CMAKE_C_COMPILER_VERSION VERSION_GREATER 4.8)
|
|
+ set(CMAKE_C_FLAGS_DEBUG "${CMAKE_C_FLAGS_DEBUG} -fsanitize=address -fno-omit-frame-pointer" CACHE STRING "" FORCE)
|
|
+ message("Building with ASAN support (GNU compiler)")
|
|
+ else (CMAKE_C_COMPILER_VERSION VERSION_GREATER 4.8)
|
|
+ message("Building without ASAN support (GNU compiler)")
|
|
+ endif (CMAKE_C_COMPILER_VERSION VERSION_GREATER 4.8)
|
|
+elseif ("${CMAKE_C_COMPILER_ID}" STREQUAL "Clang")
|
|
+ if (CMAKE_C_COMPILER_VERSION VERSION_GREATER 3.1)
|
|
+ set(CMAKE_C_FLAGS_DEBUG "${CMAKE_C_FLAGS_DEBUG} -fsanitize=address -fno-omit-frame-pointer" CACHE STRING "" FORCE)
|
|
+ message("Building with ASAN support (Clang compiler)")
|
|
+ elseif (CMAKE_C_COMPILER_VERSION VERSION_GREATER 3.1)
|
|
+ message("Building without ASAN support (Clang compiler)")
|
|
+ endif (CMAKE_C_COMPILER_VERSION VERSION_GREATER 3.1)
|
|
+endif ("${CMAKE_C_COMPILER_ID}" STREQUAL "GNU")
|
|
+
|
|
+# set build flags for release build-type
|
|
set(CMAKE_C_FLAGS_RELEASE "-O2 -w -D_FORTIFY_SOURCE=2" CACHE STRING "" FORCE)
|
|
|
|
if(OS_DARWIN)
|
|
diff --git a/include/ec_strings.h b/include/ec_strings.h
|
|
index f791739d..9ad245ef 100644
|
|
--- include/ec_strings.h
|
|
+++ include/ec_strings.h
|
|
@@ -43,7 +43,7 @@
|
|
|
|
EC_API_EXTERN int match_pattern(const char *s, const char *pattern);
|
|
EC_API_EXTERN int base64_decode(char *bufplain, const char *bufcoded);
|
|
-EC_API_EXTERN int strescape(char *dst, char *src);
|
|
+EC_API_EXTERN int strescape(char *dst, char *src, size_t len);
|
|
EC_API_EXTERN int str_replace(char **text, const char *s, const char *d);
|
|
EC_API_EXTERN size_t strlen_utf8(const char *s);
|
|
EC_API_EXTERN char * ec_strtok(char *s, const char *delim, char **ptrptr);
|
|
diff --git a/src/ec_encryption.c b/src/ec_encryption.c
|
|
index 6c02529c..3d505603 100644
|
|
--- src/ec_encryption.c
|
|
+++ src/ec_encryption.c
|
|
@@ -218,7 +218,7 @@ int set_wep_key(char *string)
|
|
|
|
if (type == 's') {
|
|
/* escape the string and check its length */
|
|
- if (strescape((char *)tmp_wkey, p) != (int)tmp_wkey_len)
|
|
+ if (strescape((char *)tmp_wkey, p, strlen(tmp_wkey)+1) != (int)tmp_wkey_len)
|
|
SEMIFATAL_ERROR("Specified WEP key length does not match the given string");
|
|
} else if (type == 'p') {
|
|
/* create the key from the passphrase */
|
|
diff --git a/src/ec_strings.c b/src/ec_strings.c
|
|
index 53583851..21b71926 100644
|
|
--- src/ec_strings.c
|
|
+++ src/ec_strings.c
|
|
@@ -167,13 +167,14 @@ static int hextoint(int c)
|
|
/*
|
|
* convert the escaped string into a binary one
|
|
*/
|
|
-int strescape(char *dst, char *src)
|
|
+int strescape(char *dst, char *src, size_t len)
|
|
{
|
|
char *olddst = dst;
|
|
+ char *oldsrc = src;
|
|
int c;
|
|
int val;
|
|
|
|
- while ((c = *src++) != '\0') {
|
|
+ while ((c = *src++) != '\0' && (size_t)(src - oldsrc) <= len) {
|
|
if (c == '\\') {
|
|
switch ((c = *src++)) {
|
|
case '\0':
|
|
@@ -218,9 +219,11 @@ int strescape(char *dst, char *src)
|
|
if (c >= '0' && c <= '7')
|
|
val = (val << 3) | (c - '0');
|
|
else
|
|
- --src;
|
|
+ if (src > oldsrc) /* protect against buffer underflow */
|
|
+ --src;
|
|
} else
|
|
- --src;
|
|
+ if (src > oldsrc) /* protect against buffer underflow */
|
|
+ --src;
|
|
*dst++ = (char) val;
|
|
break;
|
|
|
|
@@ -232,15 +235,17 @@ int strescape(char *dst, char *src)
|
|
c = hextoint(*src++);
|
|
if (c >= 0)
|
|
val = (val << 4) + c;
|
|
- else
|
|
- --src;
|
|
- } else
|
|
- --src;
|
|
+ else if (src > oldsrc) /* protect against buffer underflow */
|
|
+ --src;
|
|
+ } else if (src > oldsrc) /* protect against buffer underflow */
|
|
+ --src;
|
|
*dst++ = (char) val;
|
|
break;
|
|
}
|
|
- } else if (c == 8 || c == 263) /* the backspace */
|
|
- dst--;
|
|
+ } else if (c == 8 || c == 263) { /* the backspace */
|
|
+ if (dst > oldsrc) /* protect against buffer underflow */
|
|
+ dst--;
|
|
+ }
|
|
else
|
|
*dst++ = (char) c;
|
|
}
|
|
diff --git a/src/interfaces/curses/ec_curses_view_connections.c b/src/interfaces/curses/ec_curses_view_connections.c
|
|
index fb52331c..011c0edf 100644
|
|
--- src/interfaces/curses/ec_curses_view_connections.c
|
|
+++ src/interfaces/curses/ec_curses_view_connections.c
|
|
@@ -614,7 +614,7 @@ static void inject_user(void)
|
|
size_t len;
|
|
|
|
/* escape the sequnces in the buffer */
|
|
- len = strescape((char*)injectbuf, (char*)injectbuf);
|
|
+ len = strescape((char*)injectbuf, (char*)injectbuf, strlen(injectbuf)+1);
|
|
|
|
/* check where to inject */
|
|
if (wdg_c1->flags & WDG_OBJ_FOCUSED) {
|
|
diff --git a/src/interfaces/gtk/ec_gtk_view_connections.c b/src/interfaces/gtk/ec_gtk_view_connections.c
|
|
index fa7dfdc5..b55e1755 100644
|
|
--- src/interfaces/gtk/ec_gtk_view_connections.c
|
|
+++ src/interfaces/gtk/ec_gtk_view_connections.c
|
|
@@ -1627,7 +1627,7 @@ static void gtkui_inject_user(int side)
|
|
size_t len;
|
|
|
|
/* escape the sequnces in the buffer */
|
|
- len = strescape(injectbuf, injectbuf);
|
|
+ len = strescape(injectbuf, injectbuf, strlen(injectbuf)+1);
|
|
|
|
/* check where to inject */
|
|
if (side == 1 || side == 2) {
|
|
diff --git a/utils/etterfilter/ef_encode.c b/utils/etterfilter/ef_encode.c
|
|
index d4b9110c..7e359e06 100644
|
|
--- utils/etterfilter/ef_encode.c
|
|
+++ utils/etterfilter/ef_encode.c
|
|
@@ -136,7 +136,8 @@ int encode_const(char *string, struct filter_op *fop)
|
|
fop->op.test.string = (u_char*)strdup(string + 1);
|
|
|
|
/* escape it in the structure */
|
|
- fop->op.test.slen = strescape((char*)fop->op.test.string, (char*)fop->op.test.string);
|
|
+ fop->op.test.slen = strescape((char*)fop->op.test.string,
|
|
+ (char*)fop->op.test.string, strlen(fop->op.test.string)+1);
|
|
|
|
return E_SUCCESS;
|
|
|
|
@@ -184,7 +185,8 @@ int encode_function(char *string, struct filter_op *fop)
|
|
fop->opcode = FOP_FUNC;
|
|
fop->op.func.op = FFUNC_SEARCH;
|
|
fop->op.func.string = (u_char*)strdup(dec_args[1]);
|
|
- fop->op.func.slen = strescape((char*)fop->op.func.string, (char*)fop->op.func.string);
|
|
+ fop->op.func.slen = strescape((char*)fop->op.func.string,
|
|
+ (char*)fop->op.func.string, strlen(fop->op.func.string)+1);
|
|
ret = E_SUCCESS;
|
|
} else
|
|
SCRIPT_ERROR("Unknown offset %s ", dec_args[0]);
|
|
@@ -202,7 +204,8 @@ int encode_function(char *string, struct filter_op *fop)
|
|
fop->opcode = FOP_FUNC;
|
|
fop->op.func.op = FFUNC_REGEX;
|
|
fop->op.func.string = (u_char*)strdup(dec_args[1]);
|
|
- fop->op.func.slen = strescape((char*)fop->op.func.string, (char*)fop->op.func.string);
|
|
+ fop->op.func.slen = strescape((char*)fop->op.func.string,
|
|
+ (char*)fop->op.func.string, strlen(fop->op.func.string)+1);
|
|
ret = E_SUCCESS;
|
|
} else
|
|
SCRIPT_ERROR("Unknown offset %s ", dec_args[0]);
|
|
@@ -272,9 +275,11 @@ int encode_function(char *string, struct filter_op *fop)
|
|
/* replace always operate at DATA level */
|
|
fop->op.func.level = 5;
|
|
fop->op.func.string = (u_char*)strdup(dec_args[0]);
|
|
- fop->op.func.slen = strescape((char*)fop->op.func.string, (char*)fop->op.func.string);
|
|
+ fop->op.func.slen = strescape((char*)fop->op.func.string,
|
|
+ (char*)fop->op.func.string, strlen(fop->op.func.string)+1);
|
|
fop->op.func.replace = (u_char*)strdup(dec_args[1]);
|
|
- fop->op.func.rlen = strescape((char*)fop->op.func.replace, (char*)fop->op.func.replace);
|
|
+ fop->op.func.rlen = strescape((char*)fop->op.func.replace,
|
|
+ (char*)fop->op.func.replace, strlen(fop->op.func.replace)+1);
|
|
ret = E_SUCCESS;
|
|
} else
|
|
SCRIPT_ERROR("Wrong number of arguments for function \"%s\" ", name);
|
|
@@ -328,7 +333,8 @@ int encode_function(char *string, struct filter_op *fop)
|
|
if (nargs == 1) {
|
|
fop->op.func.op = FFUNC_MSG;
|
|
fop->op.func.string = (u_char*)strdup(dec_args[0]);
|
|
- fop->op.func.slen = strescape((char*)fop->op.func.string, (char*)fop->op.func.string);
|
|
+ fop->op.func.slen = strescape((char*)fop->op.func.string,
|
|
+ (char*)fop->op.func.string, strlen(fop->op.func.string)+1);
|
|
ret = E_SUCCESS;
|
|
} else
|
|
SCRIPT_ERROR("Wrong number of arguments for function \"%s\" ", name);
|