-rw-r--r-- | docs/ChangeLog | 14 | ||||
-rw-r--r-- | src/manp.c | 21 |
2 files changed, 31 insertions, 4 deletions
diff --git a/docs/ChangeLog b/docs/ChangeLog
index 102b0509..1f87d3f1 100644
--- a/docs/ChangeLog
+++ b/docs/ChangeLog
@@ -1,3 +1,17 @@
+Wed Jul 30 22:28:13 BST 2003 Colin Watson <cjwatson@debian.org>
+
+ Fix vulnerability 4 posted by Vade 79 <v9@fakehalo.deadpig.org> on
+ BugTraq, Message-ID:
+ <20030729210308.15518.qmail@www.securityfocus.com>. This fix is just
+ a stopgap measure for now; proper list handling will be added later.
+
+ * src/manp.c (gripe_overlong_list): New function.
+ (add_dir_to_list): Die gracefully if too many list entries are
+ added.
+ (add_dir_to_path_list): Likewise. Take an extra argument for the
+ head of the list so that we can spot this efficiently.
+ (create_pathlist): Update calls to add_dir_to_path_list().
+
 Wed Jul 30 22:15:16 BST 2003 Colin Watson <cjwatson@debian.org>
 * src/manp.c (gripe_reading_mp_config): This is a fatal error, so
@@ -127,7 +127,7 @@ static __inline__ char *has_mandir (const char *p);
 static __inline__ char *fsstnd (const char *path);
 static char *def_path (int flag);
 static void add_dir_to_list (char **lp, const char *dir);
-static char **add_dir_to_path_list (char **mp, const char *p);
+static char **add_dir_to_path_list (char **mphead, char **mp, const char *p);
 static void add_to_list (const char *key, const char *cont, int flag)
@@ -347,6 +347,10 @@ static __inline__ void gripe_not_directory (const char *dir)
 error (0, 0, _("warning: %s isn't a directory"), dir);
 }
+static void gripe_overlong_list (void)
+{
+ error (FAIL, 0, _("manpath list too long"));
+}
 /* accept a manpath list, separated with ':', return the associated catpath list */
@@ -943,8 +947,11 @@ static __inline__ char *get_manpath (char *path)
 static void add_dir_to_list (char **lp, const char *dir)
 {
 int status;
+ int pos = 0;
 while (*lp != NULL) {
+ if (pos > MAXDIRS - 1)
+ gripe_overlong_list ();
 if (!strcmp (*lp, dir)) {
 if (debug)
 fprintf (stderr,
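Review bot: gripe_overlong_list() carries no comment saying that it never returns, yet both new bound checks in this commit depend on exactly that: in add_dir_to_list() and add_dir_to_path_list() execution falls straight through to the list access if the call comes back. That holds only while error() is invoked with a non-zero status (FAIL here). I would add `/* Fatal: error() exits with status FAIL, so this never returns. */` above the function, and, where the compiler supports it, mark the function noreturn so the dependency is visible to the compiler as well.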
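Review bot: The loop condition `while (*lp != NULL)` in add_dir_to_list() is evaluated before the new `if (pos > MAXDIRS - 1)` check, so once every slot is occupied the list is read at index MAXDIRS before the limit is noticed. Nothing in this hunk stops the append after the loop from filling the last slot either, which would leave the list without its NULL terminator, assuming the array has MAXDIRS entries (its declaration is outside the hunk). Testing the bound first and reserving one slot for the terminator closes both cases, e.g. `while (pos < MAXDIRS && *lp != NULL)` and, after the loop, `if (pos >= MAXDIRS - 1) gripe_overlong_list ();`. The matching `pos++` is in the next hunk, and the function body continues outside both.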
@@ -953,6 +960,7 @@ static void add_dir_to_list (char **lp, const char *dir)
 return;
 }
 lp++;
+ pos++;
 }
 /* Not found -- add it. */
@@ -1002,12 +1010,15 @@ static __inline__ char *has_mandir (const char *path)
 return NULL;
 }
-static __inline__ char **add_dir_to_path_list (char **mp, const char *p)
+static char **add_dir_to_path_list (char **mphead, char **mp, const char *p)
 {
 int status;
 char wd[PATH_MAX];
 char *cwd = wd;
+ if (mp - mphead > MAXDIRS - 1)
+ gripe_overlong_list ();
+
 status = is_directory (p);
 if (status < 0)
@@ -1037,15 +1048,17 @@ static __inline__ char **add_dir_to_path_list (char **mp, const char *p)
 void create_pathlist (const char *manp, char **mp)
 {
 const char *p, *end;
+ char **mphead = mp;
 /* Expand the manpath into a list for easier handling. */
 for (p = manp;; p = end + 1) {
 end = strchr (p, ':');
 if (end)
- mp = add_dir_to_path_list (mp, xstrndup (p, end - p));
+ mp = add_dir_to_path_list (mphead, mp,
+ xstrndup (p, end - p));
 else {
- mp = add_dir_to_path_list (mp, p);
+ mp = add_dir_to_path_list (mphead, mp, p);
 break;
 }
 }
|
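Review bot: The new guard `if (mp - mphead > MAXDIRS - 1)` in add_dir_to_path_list() still lets an entry be stored in slot MAXDIRS - 1, so a full list has no room left for a terminating NULL. If create_pathlist() or its caller ends the list with a store through `mp` after the loop (that code is outside the hunks shown), the write would land one element past a MAXDIRS-sized array. Using `if (mp - mphead >= MAXDIRS - 1)` keeps the last slot free for the terminator. The check also trusts that the `mp` handed to create_pathlist() is the start of an array of at least MAXDIRS pointers; a comment on `char **mphead = mp;` in the last hunk stating that requirement would help, since the function cannot verify it. add_dir_to_path_list() continues past the end of its hunk.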