MFC: explicitate newpacket size.

Bug pointed out by: many
Pointy hat to: me :(
This commit is contained in:
piso 2008-03-19 11:50:45 +00:00
parent 8e897decf1
commit fddf8af542
2 changed files with 14 additions and 13 deletions


@ -361,7 +361,7 @@ alias_mod_handler(module_t mod, int type, void *data)
switch (type) {
case MOD_LOAD:
error = 0;
newpacket = malloc(IP_MAXPACKET);
newpacket = malloc(IP_MAXPACKET + 1);
if (!newpacket)
error = EINVAL;
break;
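Review bot: The kernel-side allocation size is written as the bare expression `IP_MAXPACKET + 1` on the malloc line, while every bounds check in alias_irc.c compares `iCopy` against that file's own `PKTSIZE`, defined there as the same expression; nothing ties the two together, so a later change to either leaves the other stale and silently turns the `iCopy >= PKTSIZE` checks into an off-by-N on the kernel path. Putting `#define PKTSIZE (IP_MAXPACKET + 1)` in a header both files include (alias_local.h looks like the candidate, given alias_irc.c includes it) and writing `newpacket = malloc(PKTSIZE);` here would make the allocation and the checks share one definition. Separately, the failure path `error = EINVAL;` reports an allocation failure as an invalid argument; `ENOMEM` is the conventional errno for a failed malloc. alias_mod_handler begins before and ends after this hunk.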


@ -73,10 +73,11 @@ __FBSDID("$FreeBSD$");
#include "alias_local.h"
#endif
#define PKTSIZE (IP_MAXPACKET + 1)
#ifdef _KERNEL
char *newpacket;
#else
char newpacket[IP_MAXPACKET];
char newpacket[PKTSIZE];
#endif
@ -135,7 +136,7 @@ lFOUND_CTCP:
* address */
lCTCP_START:
if (i >= dlen || iCopy >= sizeof(newpacket))
if (i >= dlen || iCopy >= PKTSIZE)
goto lPACKET_DONE;
newpacket[iCopy++] = sptr[i++]; /* Copy the CTCP start
* character */
@ -152,7 +153,7 @@ lCTCP_START:
goto lBAD_CTCP;
/* We have a DCC command - handle it! */
i += 4; /* Skip "DCC " */
if (iCopy + 4 > sizeof(newpacket))
if (iCopy + 4 > PKTSIZE)
goto lPACKET_DONE;
newpacket[iCopy++] = 'D';
newpacket[iCopy++] = 'C';
@ -174,13 +175,13 @@ lCTCP_START:
DBprintf(("Transferring command...\n"));
while (sptr[i] != ' ') {
newpacket[iCopy++] = sptr[i];
if (++i >= dlen || iCopy >= sizeof(newpacket)) {
if (++i >= dlen || iCopy >= PKTSIZE) {
DBprintf(("DCC packet terminated during command\n"));
goto lPACKET_DONE;
}
}
/* Copy _one_ space */
if (i + 1 < dlen && iCopy < sizeof(newpacket))
if (i + 1 < dlen && iCopy < PKTSIZE)
newpacket[iCopy++] = sptr[i++];
DBprintf(("Done command - removing spaces\n"));
@ -198,13 +199,13 @@ lCTCP_START:
DBprintf(("Transferring filename...\n"));
while (sptr[i] != ' ') {
newpacket[iCopy++] = sptr[i];
if (++i >= dlen || iCopy >= sizeof(newpacket)) {
if (++i >= dlen || iCopy >= PKTSIZE) {
DBprintf(("DCC packet terminated during filename\n"));
goto lPACKET_DONE;
}
}
/* Copy _one_ space */
if (i + 1 < dlen && iCopy < sizeof(newpacket))
if (i + 1 < dlen && iCopy < PKTSIZE)
newpacket[iCopy++] = sptr[i++];
DBprintf(("Done filename - removing spaces\n"));
@ -303,20 +304,20 @@ lCTCP_START:
alias_address = GetAliasAddress(lnk);
n = snprintf(&newpacket[iCopy],
sizeof(newpacket) - iCopy,
PKTSIZE - iCopy,
"%lu ", (u_long) htonl(alias_address.s_addr));
if (n < 0) {
DBprintf(("DCC packet construct failure.\n"));
goto lBAD_CTCP;
}
if ((iCopy += n) >= sizeof(newpacket)) { /* Truncated/fit exactly
if ((iCopy += n) >= PKTSIZE) { /* Truncated/fit exactly
* - bad news */
DBprintf(("DCC constructed packet overflow.\n"));
goto lBAD_CTCP;
}
alias_port = GetAliasPort(dcc_lnk);
n = snprintf(&newpacket[iCopy],
sizeof(newpacket) - iCopy,
PKTSIZE - iCopy,
"%u", htons(alias_port));
if (n < 0) {
DBprintf(("DCC packet construct failure.\n"));
@ -336,7 +337,7 @@ lCTCP_START:
* after IP address and port has been handled
*/
lBAD_CTCP:
for (; i < dlen && iCopy < sizeof(newpacket); i++, iCopy++) {
for (; i < dlen && iCopy < PKTSIZE; i++, iCopy++) {
newpacket[iCopy] = sptr[i]; /* Copy CTCP unchanged */
if (sptr[i] == '\001') {
goto lNORMAL_TEXT;
@ -345,7 +346,7 @@ lBAD_CTCP:
goto lPACKET_DONE;
/* Normal text */
lNORMAL_TEXT:
for (; i < dlen && iCopy < sizeof(newpacket); i++, iCopy++) {
for (; i < dlen && iCopy < PKTSIZE; i++, iCopy++) {
newpacket[iCopy] = sptr[i]; /* Copy CTCP unchanged */
if (sptr[i] == '\001') {
goto lCTCP_START;
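Review bot: In the command and filename copy loops (`while (sptr[i] != ' ') { newpacket[iCopy++] = sptr[i]; if (++i >= dlen || iCopy >= PKTSIZE) ...`), the store into newpacket precedes the comparison of iCopy with PKTSIZE, so the guard only protects the following iteration and the first store of each loop is unchecked; the earlier `if (iCopy + 4 > PKTSIZE)` test admits `iCopy + 4 == PKTSIZE`, after which the four "DCC " stores leave iCopy == PKTSIZE, and nothing visible in these hunks excludes entering the loops in that state. Whether that is reachable in practice depends on how much the rewritten address and port lengthen the output relative to dlen and on the code between these hunks, which I cannot see, but the cheap fix is to test before storing: make `if (iCopy >= PKTSIZE) goto lPACKET_DONE;` the first statement of each loop body and leave `if (++i >= dlen)` as the only post-store check. The same loops also read `sptr[i]` in their condition on first entry without a visible `i < dlen` check after the preceding `i += 4`. The enclosing function starts and ends outside these hunks.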