authorflz <flz@FreeBSD.org>2009-10-29 22:20:17 +0800
committerflz <flz@FreeBSD.org>2009-10-29 22:20:17 +0800
commit3d50470398e0c65defaff3eb8b9ae277ee40dcdf (patch)
treec372b92f370dda5d38915881837d0ff434206607
parente8f9a7a4cce95e6577cc386381510cb8f2d5b7d7 (diff)
Fix stack-based buffer overflow (CVE-2009-1759).
PR: ports/139635 Submitted by: Eygene Ryabinkin Security: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1759
-rw-r--r--net-p2p/ctorrent/Makefile2
-rw-r--r--net-p2p/ctorrent/files/patch-cve-2009-175986
2 files changed, 87 insertions, 1 deletions
diff --git a/net-p2p/ctorrent/Makefile b/net-p2p/ctorrent/Makefile
index 57b8d84aa404..fc36f106a4fc 100644
--- a/net-p2p/ctorrent/Makefile
+++ b/net-p2p/ctorrent/Makefile
@@ -7,7 +7,7 @@
PORTNAME= ctorrent
PORTVERSION= 3.3.2
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= net-p2p
MASTER_SITES= http://www.rahul.net/dholmes/ctorrent/
DISTNAME= ${PORTNAME}-dnh${PORTVERSION}
diff --git a/net-p2p/ctorrent/files/patch-cve-2009-1759 b/net-p2p/ctorrent/files/patch-cve-2009-1759
new file mode 100644
index 000000000000..155fe9d6eb99
--- /dev/null
+++ b/net-p2p/ctorrent/files/patch-cve-2009-1759
@@ -0,0 +1,86 @@
+Obtained-From: http://sourceforge.net/tracker/download.php?group_id=202532&atid=981959&file_id=325065&aid=2782875
+
+Index: bencode.h
+===================================================================
+--- bencode.h (revision 301)
++++ bencode.h (revision 302)
+@@ -25,7 +25,7 @@
+ size_t decode_list(const char *b,size_t len,const char *keylist);
+ size_t decode_rev(const char *b,size_t len,const char *keylist);
+ size_t decode_query(const char *b,size_t len,const char *keylist,const char **ps,size_t *pi,int64_t *pl,int method);
+-size_t decode_list2path(const char *b, size_t n, char *pathname);
++size_t decode_list2path(const char *b, size_t n, char *pathname, size_t maxlen);
+ size_t bencode_buf(const char *str,size_t len,FILE *fp);
+ size_t bencode_str(const char *str, FILE *fp);
+ size_t bencode_int(const uint64_t integer, FILE *fp);
+Index: bencode.cpp
+===================================================================
+--- bencode.cpp (revision 301)
++++ bencode.cpp (revision 302)
+@@ -233,22 +233,28 @@
+ return bencode_end_dict_list(fp);
+ }
+
+-size_t decode_list2path(const char *b, size_t n, char *pathname)
++size_t decode_list2path(const char *b, size_t n, char *pathname, size_t maxlen)
+ {
+ const char *pb = b;
+ const char *s = (char *) 0;
++ const char *endmax = pathname + maxlen - 1;
+ size_t r,q;
+
+ if( 'l' != *pb ) return 0;
+ pb++;
+ n--;
+ if( !n ) return 0;
+- for(; n;){
++ while( n && pathname < endmax ){
+ if(!(r = buf_str(pb, n, &s, &q)) ) return 0;
++ if( q >= maxlen ) return 0;
+ memcpy(pathname, s, q);
+ pathname += q;
+- pb += r; n -= r;
+- if( 'e' != *pb ){*pathname = PATH_SP, pathname++;} else break;
++ maxlen -= q;
++ pb += r;
++ n -= r;
++ if( 'e' == *pb ) break;
++ if( pathname >= endmax ) return 0;
++ *pathname++ = PATH_SP;
+ }
+ *pathname = '\0';
+ return (pb - b + 1);
+Index: btfiles.cpp
+===================================================================
+--- btfiles.cpp (revision 301)
++++ btfiles.cpp (revision 302)
+@@ -471,6 +471,8 @@
+ BTFILE *pbf_last = (BTFILE*) 0;
+ BTFILE *pbf = (BTFILE*) 0;
+ size_t dl;
++ unsigned long nfiles = 0;
++
+ if( decode_query(metabuf,metabuf_len,"info|length",
+ (const char**) 0,(size_t*) 0,(int64_t*) 0,QUERY_LONG) )
+ return -1;
+@@ -524,12 +526,18 @@
+ #ifndef WINDOWS
+ if( !pbf ) return -1;
+ #endif
++ nfiles++;
+ pbf->bf_length = t;
+ m_total_files_length += t;
+ r = decode_query(p, dl, "path", (const char **)0, &n, (int64_t*)0,
+ QUERY_POS);
+- if( !r ) return -1;
+- if(!decode_list2path(p + r, n, path)) return -1;
++ if( !r || !decode_list2path(p + r, n, path, sizeof(path)) ){
++ CONSOLE.Warning(1,
++ "error, invalid path in torrent data for file %lu at offset %llu",
++ nfiles, m_total_files_length - t);
++ delete pbf;
++ return -1;
++ }
+
+ int f_conv;
+ char *tmpfn = new char[strlen(path)*2+5];
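Review bot: In the new `decode_list2path` (the bencode.cpp part of the embedded patch), `maxlen` is reduced by `q` for each component but not for the `PATH_SP` byte written between components, so from the second component on the `if( q >= maxlen ) return 0;` check compares against more space than is actually left in `pathname`. As far as the visible lines show, a path list with several components can therefore still let the `memcpy` or the final `*pathname = '\0'` write past the caller's `path` buffer, by up to one byte per separator already written; how far this goes depends on what `buf_str` (not shown) accepts, for example zero-length strings. Bounding against the pointer keeps the accounting in one place: use `if( q > (size_t)(endmax - pathname) ) return 0;` in place of the `maxlen` check, after which `maxlen -= q;` can be dropped. The closing brace of the function lies outside the embedded hunk.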