File openslp.parseoob.diff of Package openslp

--- ./common/slp_v1message.c.orig	2018-06-29 08:44:14.547016045 +0000
+++ ./common/slp_v1message.c	2018-06-29 08:58:56.816762442 +0000
@@ -145,7 +145,7 @@ static int v1ParseSrvRqst(const SLPBuffe
    /* Parse the PRList. */
    srvrqst->prlistlen = GetUINT16(&buffer->curpos);
    srvrqst->prlist = GetStrPtr(&buffer->curpos, srvrqst->prlistlen);
-   if (buffer->curpos > buffer->end)
+   if (buffer->curpos + 2 > buffer->end)
       return SLP_ERROR_PARSE_ERROR;
    if ((result = SLPv1AsUTF8(encoding, (char *) srvrqst->prlist,
          &srvrqst->prlistlen)) != 0)
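Review bot: The new test `buffer->curpos + 2 > buffer->end` still runs only after GetStrPtr has (apparently) advanced curpos by the length taken from the packet, so for an oversized prlistlen the pointer is already past the buffer when 2 is added and it is compared. That is out-of-range pointer arithmetic, which C leaves undefined, and the check works only as long as the address does not wrap and the compiler does not reason the comparison away. Checking the remaining space before the field is consumed avoids this, for example `if ((size_t)(buffer->end - buffer->curpos) < (size_t)srvrqst->prlistlen + 2) return SLP_ERROR_PARSE_ERROR;` placed ahead of the GetStrPtr call. The same pattern is used by every converted check in both slp_v1message.c and slp_v2message.c. v1ParseSrvRqst starts and ends outside this hunk, so whether the GetUINT16 that reads prlistlen is itself guarded cannot be confirmed from here.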
@@ -258,6 +258,8 @@ static int v1ParseSrvReg(const SLPBuffer
    if (!tmp)
       return SLP_ERROR_PARSE_ERROR;
    srvreg->srvtypelen = tmp - srvreg->srvtype;
+   if (buffer->curpos + 2 > buffer->end)
+      return SLP_ERROR_PARSE_ERROR;
 
    /* Parse the <attr-list>, and convert to UTF-8. */
    srvreg->attrlistlen = GetUINT16(&buffer->curpos);
@@ -339,7 +341,7 @@ static int v1ParseSrvDeReg(const SLPBuff
    srvdereg->urlentry.urllen = GetUINT16(&buffer->curpos);
    srvdereg->urlentry.url = GetStrPtr(&buffer->curpos,
          srvdereg->urlentry.urllen);
-   if (buffer->curpos > buffer->end)
+   if (buffer->curpos + 2 > buffer->end)
       return SLP_ERROR_PARSE_ERROR;
    if ((result = SLPv1AsUTF8(encoding, (char *)srvdereg->urlentry.url,
          &srvdereg->urlentry.urllen)) != 0)
@@ -423,7 +425,7 @@ static int v1ParseAttrRqst(const SLPBuff
    attrrqst->prlistlen = GetUINT16(&buffer->curpos);
    attrrqst->prlist = GetStrPtr(&buffer->curpos,
          attrrqst->prlistlen);
-   if (buffer->curpos > buffer->end)
+   if (buffer->curpos + 2 > buffer->end)
       return SLP_ERROR_PARSE_ERROR;
    if ((result = SLPv1AsUTF8(encoding, (char *)attrrqst->prlist,
          &attrrqst->prlistlen)) != 0)
@@ -432,7 +434,7 @@ static int v1ParseAttrRqst(const SLPBuff
    /* Parse the URL, and convert to UTF-8. */
    attrrqst->urllen = GetUINT16(&buffer->curpos);
    attrrqst->url = GetStrPtr(&buffer->curpos, attrrqst->urllen);
-   if (buffer->curpos > buffer->end)
+   if (buffer->curpos + 2 > buffer->end)
       return SLP_ERROR_PARSE_ERROR;
    if ((result = SLPv1AsUTF8(encoding, (char *)attrrqst->url,
          &attrrqst->urllen)) != 0)
@@ -455,6 +457,8 @@ static int v1ParseAttrRqst(const SLPBuff
       attrrqst->scopelist = "DEFAULT";
       attrrqst->scopelistlen = 7;
    }
+   if (buffer->curpos + 2 > buffer->end)
+      return SLP_ERROR_PARSE_ERROR;
 
    /* Parse the <select-list>, and convert to UTF-8. */
    attrrqst->taglistlen = GetUINT16(&buffer->curpos);
@@ -574,7 +578,7 @@ static int v1ParseSrvTypeRqst(const SLPB
    /* Parse the <Previous Responders Addr Spec>, and convert to UTF-8. */
    srvtyperqst->prlistlen = GetUINT16(&buffer->curpos);
    srvtyperqst->prlist = GetStrPtr(&buffer->curpos, srvtyperqst->prlistlen);
-   if (buffer->curpos > buffer->end)
+   if (buffer->curpos + 2 > buffer->end)
       return SLP_ERROR_PARSE_ERROR;
    if ((result = SLPv1AsUTF8(encoding, (char *)srvtyperqst->prlist,
          &srvtyperqst->prlistlen)) != 0)
@@ -594,6 +598,8 @@ static int v1ParseSrvTypeRqst(const SLPB
             &srvtyperqst->namingauthlen)) != 0)
          return result;
    }
+   if (buffer->curpos + 2 > buffer->end)
+      return SLP_ERROR_PARSE_ERROR;
 
    /* Parse the <Scope String>, and convert to UTF-8. */
    srvtyperqst->scopelistlen = GetUINT16(&buffer->curpos);
--- ./common/slp_v2message.c.orig	2018-06-29 08:44:19.295003972 +0000
+++ ./common/slp_v2message.c	2018-06-29 08:53:23.189616206 +0000
@@ -127,7 +127,7 @@ static int v2ParseUrlEntry(SLPBuffer buf
    urlentry->lifetime = GetUINT16(&buffer->curpos);
    urlentry->urllen = GetUINT16(&buffer->curpos);
    urlentry->url = GetStrPtr(&buffer->curpos, urlentry->urllen);
-   if (buffer->curpos > buffer->end)
+   if (buffer->curpos + 1 > buffer->end)
       return SLP_ERROR_PARSE_ERROR;
 
    /* Parse authentication block. */
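Review bot: The `+ 1` in this check differs from the `+ 2` used in most of the patch, and nothing in the hunk says why. Presumably the next read, which is outside the hunk, is a one-byte authentication block count. A short comment such as `/* url must fit, plus 1 byte for the auth block count that follows */` would tie the constant to the field it protects, so that a later change to the following read does not silently leave the guard too small. The same applies to the `+ 1` checks after the attr-list in v2ParseSrvReg, v2ParseAttrRply and v2ParseSAAdvert, and after the SPI list in v2ParseDAAdvert.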
@@ -186,26 +186,26 @@ static int v2ParseSrvRqst(SLPBuffer buff
    /* Parse the <PRList> string. */
    srvrqst->prlistlen = GetUINT16(&buffer->curpos);
    srvrqst->prlist = GetStrPtr(&buffer->curpos, srvrqst->prlistlen);
-   if (buffer->curpos > buffer->end)
+   if (buffer->curpos + 2 > buffer->end)
       return SLP_ERROR_PARSE_ERROR;
 
    /* Parse the <service-type> string. */
    srvrqst->srvtypelen = GetUINT16(&buffer->curpos);
    srvrqst->srvtype = GetStrPtr(&buffer->curpos, srvrqst->srvtypelen);
-   if (buffer->curpos > buffer->end)
+   if (buffer->curpos + 2 > buffer->end)
       return SLP_ERROR_PARSE_ERROR;
 
    /* Parse the <scope-list> string. */
    srvrqst->scopelistlen = GetUINT16(&buffer->curpos);
    srvrqst->scopelist = GetStrPtr(&buffer->curpos, srvrqst->scopelistlen);
-   if (buffer->curpos > buffer->end)
+   if (buffer->curpos + 2 > buffer->end)
       return SLP_ERROR_PARSE_ERROR;
 
    /* Parse the <predicate> string. */
    srvrqst->predicatever = 2;  /* SLPv2 predicate (LDAPv3) */
    srvrqst->predicatelen = GetUINT16(&buffer->curpos);
    srvrqst->predicate = GetStrPtr(&buffer->curpos, srvrqst->predicatelen);
-   if (buffer->curpos > buffer->end)
+   if (buffer->curpos + 2 > buffer->end)
       return SLP_ERROR_PARSE_ERROR;
 
    /* Parse the <SLP SPI> string. */
@@ -303,23 +303,25 @@ static int v2ParseSrvReg(SLPBuffer buffe
    result = v2ParseUrlEntry(buffer, &srvreg->urlentry);
    if (result != 0)
       return result;
+   if (buffer->curpos + 2 > buffer->end)
+      return SLP_ERROR_PARSE_ERROR;
 
    /* Parse the <service-type> string. */
    srvreg->srvtypelen = GetUINT16(&buffer->curpos);
    srvreg->srvtype = GetStrPtr(&buffer->curpos, srvreg->srvtypelen);
-   if (buffer->curpos > buffer->end)
+   if (buffer->curpos + 2 > buffer->end)
       return SLP_ERROR_PARSE_ERROR;
 
    /* Parse the <scope-list> string. */
    srvreg->scopelistlen = GetUINT16(&buffer->curpos);
    srvreg->scopelist = GetStrPtr(&buffer->curpos, srvreg->scopelistlen);
-   if (buffer->curpos > buffer->end)
+   if (buffer->curpos + 2 > buffer->end)
       return SLP_ERROR_PARSE_ERROR;
 
    /* Parse the <attr-list> string. */
    srvreg->attrlistlen = GetUINT16(&buffer->curpos);
    srvreg->attrlist = GetStrPtr(&buffer->curpos, srvreg->attrlistlen);
-   if (buffer->curpos > buffer->end)
+   if (buffer->curpos + 1 > buffer->end)
       return SLP_ERROR_PARSE_ERROR;
 
    /* Parse AttrAuth block list (if present). */
@@ -379,6 +381,8 @@ static int v2ParseSrvDeReg(SLPBuffer buf
    result = v2ParseUrlEntry(buffer, &srvdereg->urlentry);
    if (result)
       return result;
+   if (buffer->curpos + 2 > buffer->end)
+      return SLP_ERROR_PARSE_ERROR;
 
    /* Parse the <tag-list>. */
    srvdereg->taglistlen = GetUINT16(&buffer->curpos);
@@ -395,7 +399,7 @@ static int v2ParseSrvDeReg(SLPBuffer buf
  * @param[out] srvack - The server ACK object into which 
  *    @p buffer should be parsed.
  *
- * @return Zero (success) always.
+ * @return Zero on success, or a non-zero error code.
  *
  * @internal
  */
@@ -407,6 +411,8 @@ static int v2ParseSrvAck(SLPBuffer buffe
    |          Error Code           |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */
 
+   if (buffer->curpos + 2 > buffer->end)
+      return SLP_ERROR_PARSE_ERROR;
    /* Parse the Error Code. */
    srvack->errorcode = GetUINT16(&buffer->curpos);
 
@@ -446,25 +452,25 @@ static int v2ParseAttrRqst(SLPBuffer buf
    /* Parse the <PRList> string. */
    attrrqst->prlistlen = GetUINT16(&buffer->curpos);
    attrrqst->prlist = GetStrPtr(&buffer->curpos, attrrqst->prlistlen);
-   if (buffer->curpos > buffer->end)
+   if (buffer->curpos + 2 > buffer->end)
       return SLP_ERROR_PARSE_ERROR;
 
    /* Parse the URL. */
    attrrqst->urllen = GetUINT16(&buffer->curpos);
    attrrqst->url = GetStrPtr(&buffer->curpos, attrrqst->urllen);
-   if (buffer->curpos > buffer->end)
+   if (buffer->curpos + 2 > buffer->end)
       return SLP_ERROR_PARSE_ERROR;
 
    /* Parse the <scope-list> string. */
    attrrqst->scopelistlen = GetUINT16(&buffer->curpos);
    attrrqst->scopelist = GetStrPtr(&buffer->curpos, attrrqst->scopelistlen);
-   if (buffer->curpos > buffer->end)
+   if (buffer->curpos + 2 > buffer->end)
       return SLP_ERROR_PARSE_ERROR;
 
    /* Parse the <tag-list> string. */
    attrrqst->taglistlen = GetUINT16(&buffer->curpos);
    attrrqst->taglist = GetStrPtr(&buffer->curpos, attrrqst->taglistlen);
-   if (buffer->curpos > buffer->end)
+   if (buffer->curpos + 2 > buffer->end)
       return SLP_ERROR_PARSE_ERROR;
 
    /* Parse the <SLP SPI> string. */
@@ -516,7 +522,7 @@ static int v2ParseAttrRply(SLPBuffer buf
    /* Parse the <attr-list>. */
    attrrply->attrlistlen = GetUINT16(&buffer->curpos);
    attrrply->attrlist = GetStrPtr(&buffer->curpos, attrrply->attrlistlen);
-   if (buffer->curpos > buffer->end)
+   if (buffer->curpos + 1 > buffer->end)
       return SLP_ERROR_PARSE_ERROR;
 
    /* Parse the Attribute Authentication Block list (if present). */
@@ -590,25 +596,25 @@ static int v2ParseDAAdvert(SLPBuffer buf
    /* Parse out the URL. */
    daadvert->urllen = GetUINT16(&buffer->curpos);
    daadvert->url = GetStrPtr(&buffer->curpos, daadvert->urllen);
-   if (buffer->curpos > buffer->end)
+   if (buffer->curpos + 2 > buffer->end)
       return SLP_ERROR_PARSE_ERROR;
 
    /* Parse the <scope-list>. */
    daadvert->scopelistlen = GetUINT16(&buffer->curpos);
    daadvert->scopelist = GetStrPtr(&buffer->curpos, daadvert->scopelistlen);
-   if (buffer->curpos > buffer->end)
+   if (buffer->curpos + 2 > buffer->end)
       return SLP_ERROR_PARSE_ERROR;
 
    /* Parse the <attr-list>. */
    daadvert->attrlistlen = GetUINT16(&buffer->curpos);
    daadvert->attrlist = GetStrPtr(&buffer->curpos, daadvert->attrlistlen);
-   if (buffer->curpos > buffer->end)
+   if (buffer->curpos + 2 > buffer->end)
       return SLP_ERROR_PARSE_ERROR;
 
    /* Parse the <SLP SPI List> String. */
    daadvert->spilistlen = GetUINT16(&buffer->curpos);
    daadvert->spilist = GetStrPtr(&buffer->curpos, daadvert->spilistlen);
-   if (buffer->curpos > buffer->end)
+   if (buffer->curpos + 1 > buffer->end)
       return SLP_ERROR_PARSE_ERROR;
 
    /* Parse the authentication block list (if any). */
@@ -663,7 +669,7 @@ static int v2ParseSrvTypeRqst(SLPBuffer
    /* Parse the PRList. */
    srvtyperqst->prlistlen = GetUINT16(&buffer->curpos);
    srvtyperqst->prlist = GetStrPtr(&buffer->curpos, srvtyperqst->prlistlen);
-   if (buffer->curpos > buffer->end)
+   if (buffer->curpos + 2 > buffer->end)
       return SLP_ERROR_PARSE_ERROR;
 
    /* Parse the Naming Authority. */
@@ -674,7 +680,7 @@ static int v2ParseSrvTypeRqst(SLPBuffer
    else
       srvtyperqst->namingauth = GetStrPtr(&buffer->curpos, 
             srvtyperqst->namingauthlen);
-   if (buffer->curpos > buffer->end)
+   if (buffer->curpos + 2 > buffer->end)
       return SLP_ERROR_PARSE_ERROR;
 
    /* Parse the <scope-list>. */
@@ -763,19 +769,19 @@ static int v2ParseSAAdvert(SLPBuffer buf
    /* Parse out the URL. */
    saadvert->urllen = GetUINT16(&buffer->curpos);
    saadvert->url = GetStrPtr(&buffer->curpos, saadvert->urllen);
-   if (buffer->curpos > buffer->end)
+   if (buffer->curpos + 2 > buffer->end)
       return SLP_ERROR_PARSE_ERROR;
 
    /* Parse the <scope-list>. */
    saadvert->scopelistlen = GetUINT16(&buffer->curpos);
    saadvert->scopelist = GetStrPtr(&buffer->curpos, saadvert->scopelistlen);
-   if (buffer->curpos > buffer->end)
+   if (buffer->curpos + 2 > buffer->end)
       return SLP_ERROR_PARSE_ERROR;
 
    /* Parse the <attr-list>. */
    saadvert->attrlistlen = GetUINT16(&buffer->curpos);
    saadvert->attrlist = GetStrPtr(&buffer->curpos, saadvert->attrlistlen);
-   if (buffer->curpos > buffer->end)
+   if (buffer->curpos + 1 > buffer->end)
       return SLP_ERROR_PARSE_ERROR;
 
    /* Parse the authentication block list (if any). */