fixed tftp packet overflow risk

2024-11-21 01:16:58 +08:00 · 2006-03-20 07:32:50 +00:00 · 2006-03-20 07:32:50 +00:00 · 5975229919
commit 5975229919
parent 38295e8a75
3 changed files with 25 additions and 8 deletions
--- a/11
+++ b/11
@ -6,6 +6,17 @@

                                  Changelog

+Daniel (16 March 2006)
+- Tor Arntsen provided a RPM spec file for AIX Toolbox, that now is included
+  in the release archive.
+
+Daniel (14 March 2006)
+- David McCreedy fixed:
+
+  a bad SSL error message when OpenSSL certificates are verified fine.
+
+  a missing return code assignment in the FTP code
+
 Daniel (7 March 2006)
 - Markus Koetter filed debian bug report #355715 which identified a problem
  with the multi interface and multi-part formposts. The fix from February
--- a/13
+++ b/13
@ -11,25 +11,30 @@ Curl and libcurl 7.15.3

 This release includes the following changes:

- o 
+ o added docs for --ftp-method and CURLOPT_FTP_FILEMETHOD

 This release includes the following bugfixes:

+ o TFTP Packet Buffer Overflow Vulnerability:
+   http://curl.haxx.se/docs/adv_20060320.html
+ o properly detecting problems with sending the FTP command USER
+ o wrong error message shown when certificate verification failed
 o multi-part formpost with multi interface crash
 o the CURLFTPSSL_CONTROL setting for CURLOPT_FTP_SSL is acknowledged
- o "SSL: couldn't set callback" is now a less serious problem
+ o "SSL: couldn't set callback" is now treated as a less serious problem
 o Interix build fix
- o fixed "hang" when out of file handles at start
+ o fixed curl "hang" when out of file handles at start
 o prevent FTP uploads to URLs with trailing slash

 Other curl-related news since the previous public release:

 o pycurl-7.15.2 has been released: http://pycurl.sf.net
+ o http://curl.download.nextag.com/ is a new US curl web mirror!

 This release would not have looked like this without help, code, reports and
 advice from friends like these:

 Gisle Vanem, Dan Fandrich, Thomas Klausner, Todd Vierling, Peter Heuchert,
- Markus Koetter
+ Markus Koetter, David McCreedy, Tor Arntsen

        Thanks! (and sorry if I forgot to mention someone)
--- a/lib/tftp.c
+++ b/lib/tftp.c
@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2005, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2006, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@ -271,8 +271,9 @@ static void tftp_send_first(tftp_state_data_t *state, tftp_event_t event)
      /* If we are downloading, send an RRQ */
      state->spacket.event = htons(TFTP_EVENT_RRQ);
    }
-    sprintf((char *)state->spacket.u.request.data, "%s%c%s%c",
-            filename, '\0',  mode, '\0');
+    snprintf((char *)state->spacket.u.request.data,
+             sizeof(state->spacket.u.request.data),
+             "%s%c%s%c", filename, '\0',  mode, '\0');
    sbytes = 4 + (int)strlen(filename) + (int)strlen(mode);
    sbytes = sendto(state->sockfd, (void *)&state->spacket,
                    sbytes, 0,
@ -533,7 +534,7 @@ CURLcode Curl_tftp_connect(struct connectdata *conn, bool *done)
   * The TFTP code is not portable because it sends C structs directly over
   * the wire.  Since C gives compiler writers a wide latitude in padding and
   * aligning structs, this fails on many architectures (e.g. ARM).
-   * 
+   *
   * The only portable way to fix this is to copy each struct item into a
   * flat buffer and send the flat buffer instead of the struct.  The
   * alternative, trying to get the compiler to eliminate padding bytes