diff options
author | Colin Watson <cjwatson@debian.org> | 2003-07-30 21:29:19 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2003-07-30 21:29:19 +0000 |
commit | 605f3f035d09d2d44189ab811127e2aa431d0786 (patch) | |
tree | 65146f2f5cd7eb8dd422cc2f9bbd9a77d6d49043 /src/manp.c | |
parent | 70fd88f32a15e8d66542aa3119921f1727df828d (diff) |
Fix vulnerability 4 posted by Vade 79 <v9@fakehalo.deadpig.org> on
BugTraq, Message-ID:
<20030729210308.15518.qmail@www.securityfocus.com>. This fix is just
a stopgap measure for now; proper list handling will be added later.
* src/manp.c (gripe_overlong_list): New function.
(add_dir_to_list): Die gracefully if too many list entries are
added.
(add_dir_to_path_list): Likewise. Take an extra argument for the
head of the list so that we can spot this efficiently.
(create_pathlist): Update calls to add_dir_to_path_list().
Diffstat (limited to 'src/manp.c')
-rw-r--r-- | src/manp.c | 21 |
1 files changed, 17 insertions, 4 deletions
@@ -127,7 +127,7 @@ static __inline__ char *has_mandir (const char *p); static __inline__ char *fsstnd (const char *path); static char *def_path (int flag); static void add_dir_to_list (char **lp, const char *dir); -static char **add_dir_to_path_list (char **mp, const char *p); +static char **add_dir_to_path_list (char **mphead, char **mp, const char *p); static void add_to_list (const char *key, const char *cont, int flag) @@ -347,6 +347,10 @@ static __inline__ void gripe_not_directory (const char *dir) error (0, 0, _("warning: %s isn't a directory"), dir); } +static void gripe_overlong_list (void) +{ + error (FAIL, 0, _("manpath list too long")); +} /* accept a manpath list, separated with ':', return the associated catpath list */ @@ -943,8 +947,11 @@ static __inline__ char *get_manpath (char *path) static void add_dir_to_list (char **lp, const char *dir) { int status; + int pos = 0; while (*lp != NULL) { + if (pos > MAXDIRS - 1) + gripe_overlong_list (); if (!strcmp (*lp, dir)) { if (debug) fprintf (stderr, @@ -953,6 +960,7 @@ static void add_dir_to_list (char **lp, const char *dir) return; } lp++; + pos++; } /* Not found -- add it. */ @@ -1002,12 +1010,15 @@ static __inline__ char *has_mandir (const char *path) return NULL; } -static __inline__ char **add_dir_to_path_list (char **mp, const char *p) +static char **add_dir_to_path_list (char **mphead, char **mp, const char *p) { int status; char wd[PATH_MAX]; char *cwd = wd; + if (mp - mphead > MAXDIRS - 1) + gripe_overlong_list (); + status = is_directory (p); if (status < 0) @@ -1037,15 +1048,17 @@ static __inline__ char **add_dir_to_path_list (char **mp, const char *p) void create_pathlist (const char *manp, char **mp) { const char *p, *end; + char **mphead = mp; /* Expand the manpath into a list for easier handling. */ for (p = manp;; p = end + 1) { end = strchr (p, ':'); if (end) - mp = add_dir_to_path_list (mp, xstrndup (p, end - p)); + mp = add_dir_to_path_list (mphead, mp, + xstrndup (p, end - p)); else { - mp = add_dir_to_path_list (mp, p); + mp = add_dir_to_path_list (mphead, mp, p); break; } } |