authorsobomax <sobomax@FreeBSD.org>2008-10-20 16:09:37 +0800
committersobomax <sobomax@FreeBSD.org>2008-10-20 16:09:37 +0800
commit937de43541cf6d7e49f75e97db43ba4007a51098 (patch)
treebdc16e135f97895ce56e21143efc3b5c425c4b45 /net
parentd1d70626a2f17e9138373111cb047b91d8fea90d (diff)
Fix potential remote-triggered stack overflow (backported from 0.9.7).
Submitted by: Alexandre Snarskii
Diffstat (limited to 'net')
-rw-r--r--net/ser/Makefile2
-rw-r--r--net/ser/files/patch-modules::postgres::db_val.c78
-rw-r--r--net/ser/files/patch-modules::postgres::dbase.c57
3 files changed, 129 insertions, 8 deletions
diff --git a/net/ser/Makefile b/net/ser/Makefile
index dd5512241ee0..24b2cffe05ac 100644
--- a/net/ser/Makefile
+++ b/net/ser/Makefile
@@ -7,7 +7,7 @@
PORTNAME= ser
PORTVERSION= 0.9.6
-PORTREVISION= 7
+PORTREVISION= 8
CATEGORIES= net
MASTER_SITES= http://download.berlios.de/ser/ \
http://download2.berlios.de/ser/
diff --git a/net/ser/files/patch-modules::postgres::db_val.c b/net/ser/files/patch-modules::postgres::db_val.c
index b2d168147f52..5cbb27866ac7 100644
--- a/net/ser/files/patch-modules::postgres::db_val.c
+++ b/net/ser/files/patch-modules::postgres::db_val.c
@@ -1,13 +1,77 @@
-
-$FreeBSD$
-
---- modules/postgres/db_val.c
-+++ modules/postgres/db_val.c
-@@ -185,6 +185,7 @@
+diff -ruN modules/postgres/db_val.c /home/snar/ser-0.9.7/modules/postgres/db_val.c
+--- modules/postgres/db_val.c 2005-07-20 21:11:52.000000000 +0400
++++ modules/postgres/db_val.c 2006-10-25 23:32:10.000000000 +0400
+@@ -166,12 +166,14 @@
+ return 0;
+ }
+
++
+ /*
+ * Does not copy strings
+ */
+ int str2valp(db_type_t _t, db_val_t* _v, const char* _s, int _l, void *_p)
+ {
+- char dbuf[256];
++#define DBUF_SIZE 256
++ char dbuf[DBUF_SIZE];
+ #ifdef PARANOID
+ if (!_v) {
+ LOG(L_ERR, "str2valp(): Invalid parameter value\n");
+@@ -185,11 +187,12 @@
VAL_NULL(_v) = 1;
return 0;
}
+-
+ VAL_NULL(_v) = 0;
-
++
switch(_t) {
case DB_INT:
+ case DB_BITMAP:
+- sprintf(dbuf, "got int %s", _s);
++ snprintf(dbuf, DBUF_SIZE, "got int %s", _s);
+ DLOG("str2valp", dbuf);
+ if (str2int(_s, &VAL_INT(_v)) < 0) {
+ LOG(L_ERR, "str2valp(): Error while converting integer value from string\n");
+@@ -201,7 +204,7 @@
+ break;
+
+ case DB_DOUBLE:
+- sprintf(dbuf, "got double %s", _s);
++ snprintf(dbuf, DBUF_SIZE, "got double %s", _s);
+ DLOG("str2valp", dbuf);
+ if (str2double(_s, &VAL_DOUBLE(_v)) < 0) {
+ LOG(L_ERR, "str2valp(): Error while converting double value from string\n");
+@@ -213,7 +216,7 @@
+ break;
+
+ case DB_STRING:
+- sprintf(dbuf, "got string %s", _s);
++ snprintf(dbuf, DBUF_SIZE, "got string %s", _s);
+ DLOG("str2valp", dbuf);
+
+ VAL_STRING(_v) = aug_strdup(_s, _p);
+@@ -228,13 +231,13 @@
+ VAL_STR(_v).len = _l;
+ VAL_TYPE(_v) = DB_STR;
+
+- sprintf(dbuf, "got len string %d %s", _l, _s);
++ snprintf(dbuf, DBUF_SIZE, "got len string %d %s", _l, _s);
+ DLOG("str2valp", dbuf);
+
+ return 0;
+
+ case DB_DATETIME:
+- sprintf(dbuf, "got time %s", _s);
++ snprintf(dbuf, DBUF_SIZE, "got time %s", _s);
+ DLOG("str2valp", dbuf);
+ if (str2time(_s, &VAL_TIME(_v)) < 0) {
+ PLOG("str2valp", "error converting datetime");
+@@ -253,7 +256,7 @@
+ VAL_STR(_v).len = _l;
+ VAL_TYPE(_v) = DB_BLOB;
+
+- sprintf(dbuf, "got blob %d", _l);
++ snprintf(dbuf, DBUF_SIZE, "got blob %d", _l);
+ DLOG("str2valp", dbuf);
+
+ return 0;
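Review bot: `#define DBUF_SIZE 256` is placed inside the body of str2valp, but a preprocessor macro is not scoped to the function, so it stays defined for the rest of db_val.c, and each bound is only right while every call names the same macro as the declaration. Passing the array's own size ties the limit to the buffer itself, e.g. `snprintf(dbuf, sizeof(dbuf), "got int %s", _s);`, and the same form fits the other five snprintf calls in this patch. The DB_STR case also formats `_s` with a plain `%s` although the length `_l` is at hand; if `_s` is not guaranteed to be NUL-terminated there, `%.*s` with `_l` would bound the read as well as the write. The body of str2valp continues outside the patched hunks, so this is based on the visible lines only.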
diff --git a/net/ser/files/patch-modules::postgres::dbase.c b/net/ser/files/patch-modules::postgres::dbase.c
new file mode 100644
index 000000000000..dfdc17ff258e
--- /dev/null
+++ b/net/ser/files/patch-modules::postgres::dbase.c
@@ -0,0 +1,57 @@
+diff -ruN modules/postgres/dbase.c /home/snar/ser-0.9.7/modules/postgres/dbase.c
+--- modules/postgres/dbase.c 2005-07-20 21:11:52.000000000 +0400
++++ modules/postgres/dbase.c 2006-10-25 23:32:10.000000000 +0400
+@@ -49,6 +49,9 @@
+ #include "con_postgres.h"
+ #include "aug_std.h"
+
++#define ERR_BUF_SIZE 256 /* tmp. buf for building the error message */
++
++
+ long getpid();
+
+ static char sql_buf[SQL_BUF_LEN];
+@@ -124,8 +127,8 @@
+ if(parse_sql_url(CON_SQLURL(_h),
+ &user,&password,&host,&port,&database) < 0)
+ {
+- char buf[256];
+- sprintf(buf, "Error while parsing %s", _db_url);
++ char buf[ERR_BUF_SIZE];
++ snprintf(buf, ERR_BUF_SIZE, "Error while parsing %s", _db_url);
+ PLOG("connect_db", buf);
+
+ aug_free(CON_SQLURL(_h));
+@@ -358,8 +361,8 @@
+ /*
+ ** log the error
+ */
+- char buf[256];
+- sprintf(buf, "query '%s', result '%s'\n",
++ char buf[ERR_BUF_SIZE];
++ snprintf(buf, ERR_BUF_SIZE, "query '%s', result '%s'\n",
+ _s, PQerrorMessage(CON_CONNECTION(_h)));
+ PLOG("submit_query", buf);
+ }
+@@ -487,8 +490,8 @@
+ /*
+ ** our attempt to fix the connection failed
+ */
+- char buf[256];
+- sprintf(buf, "no connection, FATAL %d!", rv);
++ char buf[ERR_BUF_SIZE];
++ snprintf(buf, ERR_BUF_SIZE, "no connection, FATAL %d!", rv);
+ PLOG("begin_transaction",buf);
+ return(rv);
+ }
+@@ -507,8 +510,8 @@
+ mr = PQexec(CON_CONNECTION(_h), "BEGIN");
+ if(!mr || PQresultStatus(mr) != PGRES_COMMAND_OK)
+ {
+- char buf[256];
+- sprintf("FATAL %s, '%s'!\n",
++ char buf[ERR_BUF_SIZE];
++ snprintf(buf, ERR_BUF_SIZE, "FATAL %s, '%s'!\n",
+ PQerrorMessage(CON_CONNECTION(_h)), _s);
+ PLOG("begin_transaction", buf);
+ return(-1);
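Review bot: The parse-failure branch in connect_db still formats the whole `_db_url` into the log message. The parse_sql_url call directly above it extracts a `password` field, so the URL presumably carries the database credentials, and a malformed URL would write them to whatever sink PLOG uses. The bounded snprintf removes the overflow but not that disclosure; a fixed message such as `PLOG("connect_db", "Error while parsing database URL");` avoids both and needs no buffer. Separately, the begin_transaction failure path returns -1 with no visible `PQclear(mr)` when `mr` is non-NULL, which looks like a leaked PGresult on each failed BEGIN. The enclosing function bodies lie outside the hunks, so both points should be confirmed against the full file.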