File openslp.parseoob.diff of Package openslp.31103
--- ./common/slp_v1message.c.orig 2018-06-29 08:44:14.547016045 +0000
+++ ./common/slp_v1message.c 2018-06-29 08:58:56.816762442 +0000
@@ -145,7 +145,7 @@ static int v1ParseSrvRqst(const SLPBuffe
/* Parse the PRList. */
srvrqst->prlistlen = GetUINT16(&buffer->curpos);
srvrqst->prlist = GetStrPtr(&buffer->curpos, srvrqst->prlistlen);
- if (buffer->curpos > buffer->end)
+ if (buffer->curpos + 2 > buffer->end)
return SLP_ERROR_PARSE_ERROR;
if ((result = SLPv1AsUTF8(encoding, (char *) srvrqst->prlist,
&srvrqst->prlistlen)) != 0)
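Review bot: The rewritten guard `buffer->curpos + 2 > buffer->end` still runs only after `GetStrPtr` has moved `curpos` forward by the 16-bit length taken from the packet, so on a malformed message the comparison is made on a pointer that already lies beyond the buffer. Forming `curpos + 2` from such a pointer is undefined behaviour in C, and the test could in principle wrap for a buffer mapped near the top of the address space. Checking the remaining space before the advance avoids that, e.g. `if ((size_t)(buffer->end - buffer->curpos) < (size_t)srvrqst->prlistlen + 2) return SLP_ERROR_PARSE_ERROR;` placed between the `GetUINT16` and `GetStrPtr` lines, assuming the length read itself is already bounds-checked outside this hunk. The same post-advance pattern recurs in every hunk of both files that replaces `curpos > end` with `curpos + 1` or `curpos + 2`; the function body extends beyond the hunk.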
@@ -258,6 +258,8 @@ static int v1ParseSrvReg(const SLPBuffer
if (!tmp)
return SLP_ERROR_PARSE_ERROR;
srvreg->srvtypelen = tmp - srvreg->srvtype;
+ if (buffer->curpos + 2 > buffer->end)
+ return SLP_ERROR_PARSE_ERROR;
/* Parse the <attr-list>, and convert to UTF-8. */
srvreg->attrlistlen = GetUINT16(&buffer->curpos);
@@ -339,7 +341,7 @@ static int v1ParseSrvDeReg(const SLPBuff
srvdereg->urlentry.urllen = GetUINT16(&buffer->curpos);
srvdereg->urlentry.url = GetStrPtr(&buffer->curpos,
srvdereg->urlentry.urllen);
- if (buffer->curpos > buffer->end)
+ if (buffer->curpos + 2 > buffer->end)
return SLP_ERROR_PARSE_ERROR;
if ((result = SLPv1AsUTF8(encoding, (char *)srvdereg->urlentry.url,
&srvdereg->urlentry.urllen)) != 0)
@@ -423,7 +425,7 @@ static int v1ParseAttrRqst(const SLPBuff
attrrqst->prlistlen = GetUINT16(&buffer->curpos);
attrrqst->prlist = GetStrPtr(&buffer->curpos,
attrrqst->prlistlen);
- if (buffer->curpos > buffer->end)
+ if (buffer->curpos + 2 > buffer->end)
return SLP_ERROR_PARSE_ERROR;
if ((result = SLPv1AsUTF8(encoding, (char *)attrrqst->prlist,
&attrrqst->prlistlen)) != 0)
@@ -432,7 +434,7 @@ static int v1ParseAttrRqst(const SLPBuff
/* Parse the URL, and convert to UTF-8. */
attrrqst->urllen = GetUINT16(&buffer->curpos);
attrrqst->url = GetStrPtr(&buffer->curpos, attrrqst->urllen);
- if (buffer->curpos > buffer->end)
+ if (buffer->curpos + 2 > buffer->end)
return SLP_ERROR_PARSE_ERROR;
if ((result = SLPv1AsUTF8(encoding, (char *)attrrqst->url,
&attrrqst->urllen)) != 0)
@@ -455,6 +457,8 @@ static int v1ParseAttrRqst(const SLPBuff
attrrqst->scopelist = "DEFAULT";
attrrqst->scopelistlen = 7;
}
+ if (buffer->curpos + 2 > buffer->end)
+ return SLP_ERROR_PARSE_ERROR;
/* Parse the <select-list>, and convert to UTF-8. */
attrrqst->taglistlen = GetUINT16(&buffer->curpos);
@@ -574,7 +578,7 @@ static int v1ParseSrvTypeRqst(const SLPB
/* Parse the <Previous Responders Addr Spec>, and convert to UTF-8. */
srvtyperqst->prlistlen = GetUINT16(&buffer->curpos);
srvtyperqst->prlist = GetStrPtr(&buffer->curpos, srvtyperqst->prlistlen);
- if (buffer->curpos > buffer->end)
+ if (buffer->curpos + 2 > buffer->end)
return SLP_ERROR_PARSE_ERROR;
if ((result = SLPv1AsUTF8(encoding, (char *)srvtyperqst->prlist,
&srvtyperqst->prlistlen)) != 0)
@@ -594,6 +598,8 @@ static int v1ParseSrvTypeRqst(const SLPB
&srvtyperqst->namingauthlen)) != 0)
return result;
}
+ if (buffer->curpos + 2 > buffer->end)
+ return SLP_ERROR_PARSE_ERROR;
/* Parse the <Scope String>, and convert to UTF-8. */
srvtyperqst->scopelistlen = GetUINT16(&buffer->curpos);
--- ./common/slp_v2message.c.orig 2018-06-29 08:44:19.295003972 +0000
+++ ./common/slp_v2message.c 2018-06-29 08:53:23.189616206 +0000
@@ -127,7 +127,7 @@ static int v2ParseUrlEntry(SLPBuffer buf
urlentry->lifetime = GetUINT16(&buffer->curpos);
urlentry->urllen = GetUINT16(&buffer->curpos);
urlentry->url = GetStrPtr(&buffer->curpos, urlentry->urllen);
- if (buffer->curpos > buffer->end)
+ if (buffer->curpos + 1 > buffer->end)
return SLP_ERROR_PARSE_ERROR;
/* Parse authentication block. */
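Review bot: The constant in `buffer->curpos + 1 > buffer->end` is unexplained, and it differs from the `+ 2` used at most other sites in this patch. It appears to reserve the single byte read next for the authentication block (the read itself is outside the hunk), so a short comment would keep the two values from being confused later, for example `/* url must fit, plus 1 byte for the auth block count that follows */`. The other `+ 1` sites, in v2ParseSrvReg, v2ParseAttrRply, v2ParseDAAdvert and v2ParseSAAdvert, would take the same kind of comment.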
@@ -186,26 +186,26 @@ static int v2ParseSrvRqst(SLPBuffer buff
/* Parse the <PRList> string. */
srvrqst->prlistlen = GetUINT16(&buffer->curpos);
srvrqst->prlist = GetStrPtr(&buffer->curpos, srvrqst->prlistlen);
- if (buffer->curpos > buffer->end)
+ if (buffer->curpos + 2 > buffer->end)
return SLP_ERROR_PARSE_ERROR;
/* Parse the <service-type> string. */
srvrqst->srvtypelen = GetUINT16(&buffer->curpos);
srvrqst->srvtype = GetStrPtr(&buffer->curpos, srvrqst->srvtypelen);
- if (buffer->curpos > buffer->end)
+ if (buffer->curpos + 2 > buffer->end)
return SLP_ERROR_PARSE_ERROR;
/* Parse the <scope-list> string. */
srvrqst->scopelistlen = GetUINT16(&buffer->curpos);
srvrqst->scopelist = GetStrPtr(&buffer->curpos, srvrqst->scopelistlen);
- if (buffer->curpos > buffer->end)
+ if (buffer->curpos + 2 > buffer->end)
return SLP_ERROR_PARSE_ERROR;
/* Parse the <predicate> string. */
srvrqst->predicatever = 2; /* SLPv2 predicate (LDAPv3) */
srvrqst->predicatelen = GetUINT16(&buffer->curpos);
srvrqst->predicate = GetStrPtr(&buffer->curpos, srvrqst->predicatelen);
- if (buffer->curpos > buffer->end)
+ if (buffer->curpos + 2 > buffer->end)
return SLP_ERROR_PARSE_ERROR;
/* Parse the <SLP SPI> string. */
@@ -303,23 +303,25 @@ static int v2ParseSrvReg(SLPBuffer buffe
result = v2ParseUrlEntry(buffer, &srvreg->urlentry);
if (result != 0)
return result;
+ if (buffer->curpos + 2 > buffer->end)
+ return SLP_ERROR_PARSE_ERROR;
/* Parse the <service-type> string. */
srvreg->srvtypelen = GetUINT16(&buffer->curpos);
srvreg->srvtype = GetStrPtr(&buffer->curpos, srvreg->srvtypelen);
- if (buffer->curpos > buffer->end)
+ if (buffer->curpos + 2 > buffer->end)
return SLP_ERROR_PARSE_ERROR;
/* Parse the <scope-list> string. */
srvreg->scopelistlen = GetUINT16(&buffer->curpos);
srvreg->scopelist = GetStrPtr(&buffer->curpos, srvreg->scopelistlen);
- if (buffer->curpos > buffer->end)
+ if (buffer->curpos + 2 > buffer->end)
return SLP_ERROR_PARSE_ERROR;
/* Parse the <attr-list> string. */
srvreg->attrlistlen = GetUINT16(&buffer->curpos);
srvreg->attrlist = GetStrPtr(&buffer->curpos, srvreg->attrlistlen);
- if (buffer->curpos > buffer->end)
+ if (buffer->curpos + 1 > buffer->end)
return SLP_ERROR_PARSE_ERROR;
/* Parse AttrAuth block list (if present). */
@@ -379,6 +381,8 @@ static int v2ParseSrvDeReg(SLPBuffer buf
result = v2ParseUrlEntry(buffer, &srvdereg->urlentry);
if (result)
return result;
+ if (buffer->curpos + 2 > buffer->end)
+ return SLP_ERROR_PARSE_ERROR;
/* Parse the <tag-list>. */
srvdereg->taglistlen = GetUINT16(&buffer->curpos);
@@ -395,7 +399,7 @@ static int v2ParseSrvDeReg(SLPBuffer buf
* @param[out] srvack - The server ACK object into which
* @p buffer should be parsed.
*
- * @return Zero (success) always.
+ * @return Zero on success, or a non-zero error code.
*
* @internal
*/
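Review bot: The updated `@return` line could name the code that v2ParseSrvAck now returns, since the only failure path this patch adds to it is the short-buffer check in the following hunk: `@return Zero on success, or SLP_ERROR_PARSE_ERROR if the buffer is too short to hold the error code.` Callers that relied on the old "always zero" contract and ignored the result would be worth checking, though none are visible in this diff.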
@@ -407,6 +411,8 @@ static int v2ParseSrvAck(SLPBuffer buffe
| Error Code |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */
+ if (buffer->curpos + 2 > buffer->end)
+ return SLP_ERROR_PARSE_ERROR;
/* Parse the Error Code. */
srvack->errorcode = GetUINT16(&buffer->curpos);
@@ -446,25 +452,25 @@ static int v2ParseAttrRqst(SLPBuffer buf
/* Parse the <PRList> string. */
attrrqst->prlistlen = GetUINT16(&buffer->curpos);
attrrqst->prlist = GetStrPtr(&buffer->curpos, attrrqst->prlistlen);
- if (buffer->curpos > buffer->end)
+ if (buffer->curpos + 2 > buffer->end)
return SLP_ERROR_PARSE_ERROR;
/* Parse the URL. */
attrrqst->urllen = GetUINT16(&buffer->curpos);
attrrqst->url = GetStrPtr(&buffer->curpos, attrrqst->urllen);
- if (buffer->curpos > buffer->end)
+ if (buffer->curpos + 2 > buffer->end)
return SLP_ERROR_PARSE_ERROR;
/* Parse the <scope-list> string. */
attrrqst->scopelistlen = GetUINT16(&buffer->curpos);
attrrqst->scopelist = GetStrPtr(&buffer->curpos, attrrqst->scopelistlen);
- if (buffer->curpos > buffer->end)
+ if (buffer->curpos + 2 > buffer->end)
return SLP_ERROR_PARSE_ERROR;
/* Parse the <tag-list> string. */
attrrqst->taglistlen = GetUINT16(&buffer->curpos);
attrrqst->taglist = GetStrPtr(&buffer->curpos, attrrqst->taglistlen);
- if (buffer->curpos > buffer->end)
+ if (buffer->curpos + 2 > buffer->end)
return SLP_ERROR_PARSE_ERROR;
/* Parse the <SLP SPI> string. */
@@ -516,7 +522,7 @@ static int v2ParseAttrRply(SLPBuffer buf
/* Parse the <attr-list>. */
attrrply->attrlistlen = GetUINT16(&buffer->curpos);
attrrply->attrlist = GetStrPtr(&buffer->curpos, attrrply->attrlistlen);
- if (buffer->curpos > buffer->end)
+ if (buffer->curpos + 1 > buffer->end)
return SLP_ERROR_PARSE_ERROR;
/* Parse the Attribute Authentication Block list (if present). */
@@ -590,25 +596,25 @@ static int v2ParseDAAdvert(SLPBuffer buf
/* Parse out the URL. */
daadvert->urllen = GetUINT16(&buffer->curpos);
daadvert->url = GetStrPtr(&buffer->curpos, daadvert->urllen);
- if (buffer->curpos > buffer->end)
+ if (buffer->curpos + 2 > buffer->end)
return SLP_ERROR_PARSE_ERROR;
/* Parse the <scope-list>. */
daadvert->scopelistlen = GetUINT16(&buffer->curpos);
daadvert->scopelist = GetStrPtr(&buffer->curpos, daadvert->scopelistlen);
- if (buffer->curpos > buffer->end)
+ if (buffer->curpos + 2 > buffer->end)
return SLP_ERROR_PARSE_ERROR;
/* Parse the <attr-list>. */
daadvert->attrlistlen = GetUINT16(&buffer->curpos);
daadvert->attrlist = GetStrPtr(&buffer->curpos, daadvert->attrlistlen);
- if (buffer->curpos > buffer->end)
+ if (buffer->curpos + 2 > buffer->end)
return SLP_ERROR_PARSE_ERROR;
/* Parse the <SLP SPI List> String. */
daadvert->spilistlen = GetUINT16(&buffer->curpos);
daadvert->spilist = GetStrPtr(&buffer->curpos, daadvert->spilistlen);
- if (buffer->curpos > buffer->end)
+ if (buffer->curpos + 1 > buffer->end)
return SLP_ERROR_PARSE_ERROR;
/* Parse the authentication block list (if any). */
@@ -663,7 +669,7 @@ static int v2ParseSrvTypeRqst(SLPBuffer
/* Parse the PRList. */
srvtyperqst->prlistlen = GetUINT16(&buffer->curpos);
srvtyperqst->prlist = GetStrPtr(&buffer->curpos, srvtyperqst->prlistlen);
- if (buffer->curpos > buffer->end)
+ if (buffer->curpos + 2 > buffer->end)
return SLP_ERROR_PARSE_ERROR;
/* Parse the Naming Authority. */
@@ -674,7 +680,7 @@ static int v2ParseSrvTypeRqst(SLPBuffer
else
srvtyperqst->namingauth = GetStrPtr(&buffer->curpos,
srvtyperqst->namingauthlen);
- if (buffer->curpos > buffer->end)
+ if (buffer->curpos + 2 > buffer->end)
return SLP_ERROR_PARSE_ERROR;
/* Parse the <scope-list>. */
@@ -763,19 +769,19 @@ static int v2ParseSAAdvert(SLPBuffer buf
/* Parse out the URL. */
saadvert->urllen = GetUINT16(&buffer->curpos);
saadvert->url = GetStrPtr(&buffer->curpos, saadvert->urllen);
- if (buffer->curpos > buffer->end)
+ if (buffer->curpos + 2 > buffer->end)
return SLP_ERROR_PARSE_ERROR;
/* Parse the <scope-list>. */
saadvert->scopelistlen = GetUINT16(&buffer->curpos);
saadvert->scopelist = GetStrPtr(&buffer->curpos, saadvert->scopelistlen);
- if (buffer->curpos > buffer->end)
+ if (buffer->curpos + 2 > buffer->end)
return SLP_ERROR_PARSE_ERROR;
/* Parse the <attr-list>. */
saadvert->attrlistlen = GetUINT16(&buffer->curpos);
saadvert->attrlist = GetStrPtr(&buffer->curpos, saadvert->attrlistlen);
- if (buffer->curpos > buffer->end)
+ if (buffer->curpos + 1 > buffer->end)
return SLP_ERROR_PARSE_ERROR;
/* Parse the authentication block list (if any). */