File 0002-classic-ui-fix-CVE-2014-2386.patch of Package icinga.2654

From: Ricardo Bartels <ricardo@bitchbrothers.com>
Date: Tue, 18 Feb 2014 22:06:49 +0000 (+0100)
Subject: classic-ui: fix small buffer overflows when checking strlen against MAX_INPUT_BUFFER... 
X-Git-Tag: v1.11.0~9^2~2
X-Git-Url: https://git.icinga.org/?p=icinga-core.git;a=commitdiff_plain;h=73285093b71a5551abdaab0a042d3d6bae093b0d

classic-ui: fix small buffer overflows when checking strlen against MAX_INPUT_BUFFER #5663

Fixed the strlen checks against MAX_INPUT_BUFFER, which did not
take the terminating '\0' into account.

Refs: #5663
whatthecommit: just shoot me
---

diff --git a/cgi/cgiutils.c b/cgi/cgiutils.c
index 010ff32..0bbb00a 100644
--- a/cgi/cgiutils.c
+++ b/cgi/cgiutils.c
@@ -2222,7 +2222,7 @@ void display_nav_table(time_t ts_start, time_t ts_end) {
 
 	/* get url options but filter out "ts_end", "ts_start" and "start" */
 	if (getenv("QUERY_STRING") != NULL && strcmp(getenv("QUERY_STRING"), "")) {
-		if(strlen(getenv("QUERY_STRING")) > MAX_INPUT_BUFFER) {
+		if(strlen(getenv("QUERY_STRING")) > MAX_INPUT_BUFFER - 1) {
 			write_to_cgi_log("display_nav_table(): Query string exceeds max length. Returning without displaying nav table.\n");
 			return;
 		}
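Review bot: The length guard in display_nav_table still compares against the bare constant `MAX_INPUT_BUFFER - 1` rather than the size of the buffer the query string is copied into, which is the kind of detached bound that allows an off-by-one like the one fixed here. If `stripped_query_string` is declared as an array in this function (the declaration and the copy are outside the hunk), `const char *qs = getenv("QUERY_STRING");` followed by `if (strlen(qs) >= sizeof(stripped_query_string)) {` ties the check to the destination and reads the request-controlled variable once instead of three times. The same guard is repeated in print_export_link, page_num_selector, page_limit_selector and, in cgi/status.c, status_page_num_selector, so a small shared helper would keep the five copies from drifting apart.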
@@ -2230,7 +2230,7 @@ void display_nav_table(time_t ts_start, time_t ts_end) {
 		strip_html_brackets(stripped_query_string);
 
 		/* check if concatenated strings exceed MAX_INPUT_BUFFER */
-		if (strlen(url) + strlen(stripped_query_string) + 1 > MAX_INPUT_BUFFER) {
+		if (strlen(url) + strlen(stripped_query_string) + 1 > MAX_INPUT_BUFFER - 1) {
 			write_to_cgi_log("display_nav_table(): Full query string exceeds max length. Returning without displaying nav table.\n");
 			return;
 		}
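Review bot: The comment above the second check in display_nav_table still says only "exceed MAX_INPUT_BUFFER", while the condition now budgets `+ 1` on the left and `- 1` on the right without saying what either byte is for. Assuming the `+ 1` is the separator placed between `url` and the query string (the concatenation itself is outside the hunk), a comment such as `/* url + 1 separator + query string + terminating '\0' must fit in MAX_INPUT_BUFFER */` would let the next reader verify the arithmetic. The matching checks in page_num_selector, page_limit_selector and status_page_num_selector carry the same undocumented constants.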
@@ -2848,7 +2848,7 @@ void print_export_link(int content_type, char *cgi, char *add_to_url) {
 
 	/* just do stuff if some options are requested */
 	if (getenv("QUERY_STRING") != NULL && strcmp(getenv("QUERY_STRING"), "")) {
-		if(strlen(getenv("QUERY_STRING")) > MAX_INPUT_BUFFER) {
+		if(strlen(getenv("QUERY_STRING")) > MAX_INPUT_BUFFER - 1) {
 			write_to_cgi_log("print_export_link(): Query string exceeds max length. Returning without displaying export link.\n");
 			return;
 		}
@@ -2856,7 +2856,7 @@ void print_export_link(int content_type, char *cgi, char *add_to_url) {
 		strip_html_brackets(stripped_query_string);
 
 		/* check if concatenated strings exceed MAX_INPUT_BUFFER */
-		if (strlen(link) + strlen(stripped_query_string) + 2 > MAX_INPUT_BUFFER) {
+		if (strlen(link) + strlen(stripped_query_string) + 1 > MAX_INPUT_BUFFER - 1) {
 			write_to_cgi_log("print_export_link(): Full query string exceeds max length. Returning without displaying export link.\n");
 			return;
 		}
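Review bot: The rewritten condition in print_export_link, `strlen(link) + strlen(stripped_query_string) + 1 > MAX_INPUT_BUFFER - 1`, is arithmetically identical to the `+ 2 > MAX_INPUT_BUFFER` it replaces, so this check rejects exactly the same inputs as before. If the intent was to tighten it by one byte like the other checks in the patch, the constant needs to stay at `+ 2` alongside the new `- 1`; if the old bound was already correct, that is worth stating in the comment. Which of the two applies depends on how many characters are appended to `link` after this check, and that code is outside the hunk.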
@@ -2866,7 +2866,7 @@ void print_export_link(int content_type, char *cgi, char *add_to_url) {
 	}
 
 	/* add string to url */
-	if (add_to_url != NULL && strlen(add_to_url) != 0 && strlen(link) + strlen(stripped_query_string) + strlen(add_to_url) + 2 <= MAX_INPUT_BUFFER) {
+	if (add_to_url != NULL && strlen(add_to_url) != 0 && strlen(link) + strlen(stripped_query_string) + strlen(add_to_url) + 2 <= MAX_INPUT_BUFFER - 1) {
 		if (strlen(stripped_query_string) != 0)
 			strcat(link, "&");
 		else
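Review bot: When the combined length in the `add_to_url` condition of print_export_link is too large, the append is skipped with no log entry visible in the hunk, whereas the two checks earlier in the function log and return. The export link is then presumably emitted without the option the caller asked for, which is hard to diagnose; an `else if (add_to_url != NULL && strlen(add_to_url) != 0)` branch calling `write_to_cgi_log("print_export_link(): add_to_url exceeds max length. Link printed without it.\n");` would make it visible. The `if` body continues past the end of the hunk, so an existing else branch cannot be ruled out from here.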
@@ -3674,7 +3674,7 @@ void page_num_selector(int result_start, int total_entries, int displayed_entrie
 
 	/* get url options but filter out "limit" and "status" */
 	if (getenv("QUERY_STRING") != NULL && strcmp(getenv("QUERY_STRING"), "")) {
-		if(strlen(getenv("QUERY_STRING")) > MAX_INPUT_BUFFER) {
+		if(strlen(getenv("QUERY_STRING")) > MAX_INPUT_BUFFER - 1) {
 			write_to_cgi_log("page_num_selector(): Query string exceeds max length. Returning without displaying num selector.\n");
 			return;
 		}
@@ -3682,7 +3682,7 @@ void page_num_selector(int result_start, int total_entries, int displayed_entrie
 		strip_html_brackets(stripped_query_string);
 
 		/* check if concatenated strings exceed MAX_INPUT_BUFFER */
-		if (strlen(link) + strlen(stripped_query_string) + 1 > MAX_INPUT_BUFFER) {
+		if (strlen(link) + strlen(stripped_query_string) + 1 > MAX_INPUT_BUFFER - 1) {
 			write_to_cgi_log("page_num_selector(): Full query string exceeds max length. Returning without displaying num selector.\n");
 			return;
 		}
@@ -3797,7 +3797,7 @@ void page_limit_selector(int result_start) {
 
 	/* get url options but filter out "limit" and "status" */
 	if (getenv("QUERY_STRING") != NULL && strcmp(getenv("QUERY_STRING"), "")) {
-		if(strlen(getenv("QUERY_STRING")) > MAX_INPUT_BUFFER) {
+		if(strlen(getenv("QUERY_STRING")) > MAX_INPUT_BUFFER - 1) {
 			write_to_cgi_log("page_limit_selector(): Query string exceeds max length. Returning without displaying page limit selector.\n");
 			return;
 		}
@@ -3805,7 +3805,7 @@ void page_limit_selector(int result_start) {
 		strip_html_brackets(stripped_query_string);
 
 		/* check if concatenated strings exceed MAX_INPUT_BUFFER */
-		if (strlen(link) + strlen(stripped_query_string) + 1 > MAX_INPUT_BUFFER) {
+		if (strlen(link) + strlen(stripped_query_string) + 1 > MAX_INPUT_BUFFER - 1) {
 			write_to_cgi_log("page_limit_selector(): Full query string exceeds max length. Returning without displaying page limit selector.\n");
 			return;
 		}
diff --git a/cgi/status.c b/cgi/status.c
index fb5b67a..05b7acc 100644
--- a/cgi/status.c
+++ b/cgi/status.c
@@ -7161,7 +7161,7 @@ void status_page_num_selector(int local_result_start, int status_type) {
 
 	/* get url options but filter out "limit" and "status" */
 	if (getenv("QUERY_STRING") != NULL && strcmp(getenv("QUERY_STRING"), "")) {
-		if(strlen(getenv("QUERY_STRING")) > MAX_INPUT_BUFFER) {
+		if(strlen(getenv("QUERY_STRING")) > MAX_INPUT_BUFFER - 1) {
 			write_to_cgi_log("status_page_num_selector(): Query string exceeds max length. Returning without displaying page num selector.\n");
 			return;
 		}
@@ -7169,7 +7169,7 @@ void status_page_num_selector(int local_result_start, int status_type) {
 		strip_html_brackets(stripped_query_string);
 
 		/* check if concatenated strings exceed MAX_INPUT_BUFFER */
-		if (strlen(link) + strlen(stripped_query_string) + 1 > MAX_INPUT_BUFFER) {
+		if (strlen(link) + strlen(stripped_query_string) + 1 > MAX_INPUT_BUFFER - 1) {
 			write_to_cgi_log("status_page_num_selector(): Full query string exceeds max length. Returning without displaying page num selector.\n");
 			return;
 		}