- markus@cvs.openbsd.org 2002/04/20 09:17:19

[radix.c] rewrite using the buffer_* API, fixes overflow; ok deraadt@
author: Damien Miller <djm@mindrot.org> 2002-04-23 20:46:56 +1000
committer: Damien Miller <djm@mindrot.org> 2002-04-23 20:46:56 +1000
commit: bad0e0162fb3e943498d66406784baee9de0ebcc (patch)
tree: 7c20db6d06b59bc147b1aedc9eccd709e8bc9216 /radix.c
parent: 3b23566a5b266f4915697616b5a4e2ecc23b930a (diff)
1 files changed, 96 insertions, 154 deletions
diff --git a/radix.c b/radix.c
index e60435736..94e3dc70e 100644
--- a/radix.c
+++ b/radix.c
@@ -1,5 +1,6 @@
 /*
 * Copyright (c) 1999 Dug Song.  All rights reserved.
+ * Copyright (c) 2002 Markus Friedl.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -25,190 +26,131 @@
 #include "includes.h"
 #include "uuencode.h"
-RCSID("$OpenBSD: radix.c,v 1.17 2001/11/19 19:02:16 mpech Exp $");
+RCSID("$OpenBSD: radix.c,v 1.18 2002/04/20 09:17:19 markus Exp $");
 #ifdef AFS
 #include <krb.h>
 #include <radix.h>
+#include "bufaux.h"
-typedef u_char my_u_char;
+int
-typedef u_int my_u_int32_t;
+creds_to_radix(CREDENTIALS *creds, u_char *buf, size_t buflen)
-typedef u_short my_u_short;
+{
+        Buffer b;
-/* Nasty macros from BIND-4.9.2 */
+        int ret;
-#define GETSHORT(s, cp) { \
-        my_u_char *t_cp = (my_u_char *)(cp); \
-        (s) = (((my_u_short)t_cp[0]) << 8) \
-            | (((my_u_short)t_cp[1])) \
-            ; \
-        (cp) += 2; \
-}
-#define GETLONG(l, cp) { \
-        my_u_char *t_cp = (my_u_char *)(cp); \
-        (l) = (((my_u_int32_t)t_cp[0]) << 24) \
-            | (((my_u_int32_t)t_cp[1]) << 16) \
-            | (((my_u_int32_t)t_cp[2]) << 8) \
-            | (((my_u_int32_t)t_cp[3])) \
-            ; \
-        (cp) += 4; \
-}
-#define PUTSHORT(s, cp) { \
-        my_u_short t_s = (my_u_short)(s); \
-        my_u_char *t_cp = (my_u_char *)(cp); \
-        *t_cp++ = t_s >> 8; \
-        *t_cp   = t_s; \
-        (cp) += 2; \
-}
-#define PUTLONG(l, cp) { \
+        buffer_init(&b);
-        my_u_int32_t t_l = (my_u_int32_t)(l); \
-        my_u_char *t_cp = (my_u_char *)(cp); \
-        *t_cp++ = t_l >> 24; \
-        *t_cp++ = t_l >> 16; \
-        *t_cp++ = t_l >> 8; \
-        *t_cp   = t_l; \
-        (cp) += 4; \
-}
-#define GETSTRING(s, p, p_l) {                  \
+        buffer_put_char(&b, 1); /* version */
-    char *p_targ = (p) + p_l;           \
-    char *s_c = (s);                    \
-    char *p_c = (p);                    \
-    while (*p_c && (p_c < p_targ)) {            \
-        *s_c++ = *p_c++;                        \
-    }                                           \
-    if (p_c == p_targ) {                        \
-        return 1;                               \
-    }                                           \
-    *s_c = *p_c++;                              \
-    (p_l) = (p_l) - (p_c - (p));                \
-    (p) = p_c;                                  \
-}
+        buffer_append(&b, creds->service, strlen(creds->service));
+        buffer_put_char(&b, '\0');
+        buffer_append(&b, creds->instance, strlen(creds->instance));
+        buffer_put_char(&b, '\0');
+        buffer_append(&b, creds->realm, strlen(creds->realm));
+        buffer_put_char(&b, '\0');
+        buffer_append(&b, creds->pname, strlen(creds->pname));
+        buffer_put_char(&b, '\0');
+        buffer_append(&b, creds->pinst, strlen(creds->pinst));
+        buffer_put_char(&b, '\0');
-int
-creds_to_radix(CREDENTIALS *creds, u_char *buf, size_t buflen)
-{
-        char *p, *s;
-        int len;
-        char temp[2048];
-        p = temp;
-        *p++ = 1;               /* version */
-        s = creds->service;
-        while (*s)
-                *p++ = *s++;
-        *p++ = *s;
-        s = creds->instance;
-        while (*s)
-                *p++ = *s++;
-        *p++ = *s;
-        s = creds->realm;
-        while (*s)
-                *p++ = *s++;
-        *p++ = *s;
-        s = creds->pname;
-        while (*s)
-                *p++ = *s++;
-        *p++ = *s;
-        s = creds->pinst;
-        while (*s)
-                *p++ = *s++;
-        *p++ = *s;
        /* Null string to repeat the realm. */
-        *p++ = '\0';
+        buffer_put_char(&b, '\0');
-        PUTLONG(creds->issue_date, p);
-        {
-                u_int endTime;
-                endTime = (u_int) krb_life_to_time(creds->issue_date,
-                                                          creds->lifetime);
-                PUTLONG(endTime, p);
-        }
-        memcpy(p, &creds->session, sizeof(creds->session));
+        buffer_put_int(&b, creds->issue_date);
-        p += sizeof(creds->session);
+        buffer_put_int(&b, krb_life_to_time(creds->issue_date,
+            creds->lifetime));
+        buffer_append(&b, creds->session, sizeof(creds->session));
+        buffer_put_short(&b, creds->kvno);
-        PUTSHORT(creds->kvno, p);
+        /* 32 bit size + data */
-        PUTLONG(creds->ticket_st.length, p);
+        buffer_put_string(&b, creds->ticket_st.dat,
+            sizeof(creds->ticket_st.length));
-        memcpy(p, creds->ticket_st.dat, creds->ticket_st.length);
+        ret = uuencode(buffer_ptr(&b), buffer_len(&b), (char *)buf, buflen);
-        p += creds->ticket_st.length;
-        len = p - temp;
-        return (uuencode((u_char *)temp, len, (char *)buf, buflen));
+        buffer_free(&b);
+        return ret;
 }
+#define GETSTRING(b, t, tlen) \
+        do { \
+                int i; \
+                for (i = 0; i < tlen; i++) { \
+                        if (buffer_len(b) == 0) \
+                                goto done; \
+                        t[i] = buffer_get_char(b); \
+                        if (t[i] == '\0') \
+                                break; \
+                } \
+                if (t[i] != '\0') \
+                        goto done; \
+        } while(0)
 int
 radix_to_creds(const char *buf, CREDENTIALS *creds)
 {
+        Buffer b;
+        char c, version, *space, *p;
+        u_int endTime;
+        int len, blen, ret;
-        char *p;
+        ret = 0;
-        int len, tl;
+        blen = strlen(buf);
-        char version;
-        char temp[2048];
-        len = uudecode(buf, (u_char *)temp, sizeof(temp));
+        /* sanity check for size */
-        if (len < 0)
+        if (blen > 8192)
                return 0;
-        p = temp;
+        buffer_init(&b);
+        space = buffer_append_space(&b, blen);
        /* check version and length! */
+        len = uudecode(buf, space, blen);
        if (len < 1)
-                return 0;
+                goto done;
-        version = *p;
-        p++;
-        len--;
-        GETSTRING(creds->service, p, len);
-        GETSTRING(creds->instance, p, len);
-        GETSTRING(creds->realm, p, len);
-        GETSTRING(creds->pname, p, len);
+        version = buffer_get_char(&b);
-        GETSTRING(creds->pinst, p, len);
-        /* Ignore possibly different realm. */
-        while (*p && len)
-                p++, len--;
-        if (len == 0)
-                return 0;
-        p++, len--;
-        /* Enough space for remaining fixed-length parts? */
-        if (len < (4 + 4 + sizeof(creds->session) + 2 + 4))
-                return 0;
-        GETLONG(creds->issue_date, p);
+        GETSTRING(&b, creds->service, sizeof creds->service);
-        len -= 4;
+        GETSTRING(&b, creds->instance, sizeof creds->instance);
-        {
+        GETSTRING(&b, creds->realm, sizeof creds->realm);
-                u_int endTime;
+        GETSTRING(&b, creds->pname, sizeof creds->pname);
-                GETLONG(endTime, p);
+        GETSTRING(&b, creds->pinst, sizeof creds->pinst);
-                len -= 4;
-                creds->lifetime = krb_time_to_life(creds->issue_date, endTime);
-        }
-        memcpy(&creds->session, p, sizeof(creds->session));
-        p += sizeof(creds->session);
-        len -= sizeof(creds->session);
-        GETSHORT(creds->kvno, p);
-        len -= 2;
-        GETLONG(creds->ticket_st.length, p);
-        len -= 4;
-        tl = creds->ticket_st.length;
-        if (tl < 0 || tl > len || tl > sizeof(creds->ticket_st.dat))
-                return 0;
-        memcpy(creds->ticket_st.dat, p, tl);
+        if (buffer_len(&b) == 0)
-        p += tl;
+                goto done;
-        len -= tl;
-        return 1;
+        /* Ignore possibly different realm. */
+        while (buffer_len(&b) > 0 && (c = buffer_get_char(&b)) != '\0')
+                ;
+        if (buffer_len(&b) == 0)
+                goto done;
+        creds->issue_date = buffer_get_int(&b);
+        endTime = buffer_get_int(&b);
+        creds->lifetime = krb_time_to_life(creds->issue_date, endTime);
+        len = buffer_len(&b);
+        if (len < sizeof(creds->session))
+                goto done;
+        memcpy(&creds->session, buffer_ptr(&b), sizeof(creds->session));
+        buffer_consume(&b, sizeof(creds->session));
+        creds->kvno = buffer_get_short(&b);
+        p = buffer_get_string(&b, &len);
+        if (len < 0 || len > sizeof(creds->ticket_st.dat))
+                goto done;
+        memcpy(&creds->ticket_st.dat, p, len);
+        creds->ticket_st.length = len;
+        
+        ret = 1;
+done:
+        buffer_free(&b);
+        return ret;
 }
 #endif /* AFS */
author	Damien Miller <djm@mindrot.org>	2002-04-23 20:46:56 +1000
committer	Damien Miller <djm@mindrot.org>	2002-04-23 20:46:56 +1000
commit	bad0e0162fb3e943498d66406784baee9de0ebcc (patch)
tree	7c20db6d06b59bc147b1aedc9eccd709e8bc9216 /radix.c
parent	3b23566a5b266f4915697616b5a4e2ecc23b930a (diff)

diff --git a/radix.c b/radix.c index e60435736..94e3dc70e 100644 --- a/radix.c +++ b/radix.c
@@ -1,5 +1,6 @@
1	/*	1	/*
2	* Copyright (c) 1999 Dug Song. All rights reserved.	2	* Copyright (c) 1999 Dug Song. All rights reserved.
		3	* Copyright (c) 2002 Markus Friedl. All rights reserved.
3	*	4	*
4	* Redistribution and use in source and binary forms, with or without	5	* Redistribution and use in source and binary forms, with or without
5	* modification, are permitted provided that the following conditions	6	* modification, are permitted provided that the following conditions
@@ -25,190 +26,131 @@
25	#include "includes.h"	26	#include "includes.h"
26	#include "uuencode.h"	27	#include "uuencode.h"
27		28
28	RCSID("$OpenBSD: radix.c,v 1.17 2001/11/19 19:02:16 mpech Exp $");	29	RCSID("$OpenBSD: radix.c,v 1.18 2002/04/20 09:17:19 markus Exp $");
29		30
30	#ifdef AFS	31	#ifdef AFS
31	#include <krb.h>	32	#include <krb.h>
32		33
33	#include <radix.h>	34	#include <radix.h>
		35	#include "bufaux.h"
34		36
35	typedef u_char my_u_char;	37	int
36	typedef u_int my_u_int32_t;	38	creds_to_radix(CREDENTIALS creds, u_char buf, size_t buflen)
37	typedef u_short my_u_short;	39	{
38		40	Buffer b;
39	/* Nasty macros from BIND-4.9.2 */	41	int ret;
40
41	#define GETSHORT(s, cp) { \
42	my_u_char t_cp = (my_u_char )(cp); \
43	(s) = (((my_u_short)t_cp[0]) << 8) \
44	\| (((my_u_short)t_cp[1])) \
45	; \
46	(cp) += 2; \
47	}
48
49	#define GETLONG(l, cp) { \
50	my_u_char t_cp = (my_u_char )(cp); \
51	(l) = (((my_u_int32_t)t_cp[0]) << 24) \
52	\| (((my_u_int32_t)t_cp[1]) << 16) \
53	\| (((my_u_int32_t)t_cp[2]) << 8) \
54	\| (((my_u_int32_t)t_cp[3])) \
55	; \
56	(cp) += 4; \
57	}
58
59	#define PUTSHORT(s, cp) { \
60	my_u_short t_s = (my_u_short)(s); \
61	my_u_char t_cp = (my_u_char )(cp); \
62	*t_cp++ = t_s >> 8; \
63	*t_cp = t_s; \
64	(cp) += 2; \
65	}
66		42
67	#define PUTLONG(l, cp) { \	43	buffer_init(&b);
68	my_u_int32_t t_l = (my_u_int32_t)(l); \
69	my_u_char t_cp = (my_u_char )(cp); \
70	*t_cp++ = t_l >> 24; \
71	*t_cp++ = t_l >> 16; \
72	*t_cp++ = t_l >> 8; \
73	*t_cp = t_l; \
74	(cp) += 4; \
75	}
76		44
77	#define GETSTRING(s, p, p_l) { \	45	buffer_put_char(&b, 1); /* version */
78	char *p_targ = (p) + p_l; \
79	char *s_c = (s); \
80	char *p_c = (p); \
81	while (*p_c && (p_c < p_targ)) { \
82	s_c++ = p_c++; \
83	} \
84	if (p_c == p_targ) { \
85	return 1; \
86	} \
87	s_c = p_c++; \
88	(p_l) = (p_l) - (p_c - (p)); \
89	(p) = p_c; \
90	}
91		46
		47	buffer_append(&b, creds->service, strlen(creds->service));
		48	buffer_put_char(&b, '\0');
		49	buffer_append(&b, creds->instance, strlen(creds->instance));
		50	buffer_put_char(&b, '\0');
		51	buffer_append(&b, creds->realm, strlen(creds->realm));
		52	buffer_put_char(&b, '\0');
		53	buffer_append(&b, creds->pname, strlen(creds->pname));
		54	buffer_put_char(&b, '\0');
		55	buffer_append(&b, creds->pinst, strlen(creds->pinst));
		56	buffer_put_char(&b, '\0');
92		57
93	int
94	creds_to_radix(CREDENTIALS creds, u_char buf, size_t buflen)
95	{
96	char p, s;
97	int len;
98	char temp[2048];
99
100	p = temp;
101	p++ = 1; / version */
102	s = creds->service;
103	while (*s)
104	p++ = s++;
105	p++ = s;
106	s = creds->instance;
107	while (*s)
108	p++ = s++;
109	p++ = s;
110	s = creds->realm;
111	while (*s)
112	p++ = s++;
113	p++ = s;
114
115	s = creds->pname;
116	while (*s)
117	p++ = s++;
118	p++ = s;
119	s = creds->pinst;
120	while (*s)
121	p++ = s++;
122	p++ = s;
123	/* Null string to repeat the realm. */	58	/* Null string to repeat the realm. */
124	*p++ = '\0';	59	buffer_put_char(&b, '\0');
125
126	PUTLONG(creds->issue_date, p);
127	{
128	u_int endTime;
129	endTime = (u_int) krb_life_to_time(creds->issue_date,
130	creds->lifetime);
131	PUTLONG(endTime, p);
132	}
133		60
134	memcpy(p, &creds->session, sizeof(creds->session));	61	buffer_put_int(&b, creds->issue_date);
135	p += sizeof(creds->session);	62	buffer_put_int(&b, krb_life_to_time(creds->issue_date,
		63	creds->lifetime));
		64	buffer_append(&b, creds->session, sizeof(creds->session));
		65	buffer_put_short(&b, creds->kvno);
136		66
137	PUTSHORT(creds->kvno, p);	67	/* 32 bit size + data */
138	PUTLONG(creds->ticket_st.length, p);	68	buffer_put_string(&b, creds->ticket_st.dat,
		69	sizeof(creds->ticket_st.length));
139		70
140	memcpy(p, creds->ticket_st.dat, creds->ticket_st.length);	71	ret = uuencode(buffer_ptr(&b), buffer_len(&b), (char *)buf, buflen);
141	p += creds->ticket_st.length;
142	len = p - temp;
143		72
144	return (uuencode((u_char )temp, len, (char )buf, buflen));	73	buffer_free(&b);
		74	return ret;
145	}	75	}
146		76
		77	#define GETSTRING(b, t, tlen) \
		78	do { \
		79	int i; \
		80	for (i = 0; i < tlen; i++) { \
		81	if (buffer_len(b) == 0) \
		82	goto done; \
		83	t[i] = buffer_get_char(b); \
		84	if (t[i] == '\0') \
		85	break; \
		86	} \
		87	if (t[i] != '\0') \
		88	goto done; \
		89	} while(0)
		90
147	int	91	int
148	radix_to_creds(const char buf, CREDENTIALS creds)	92	radix_to_creds(const char buf, CREDENTIALS creds)
149	{	93	{
		94	Buffer b;
		95	char c, version, space, p;
		96	u_int endTime;
		97	int len, blen, ret;
150		98
151	char *p;	99	ret = 0;
152	int len, tl;	100	blen = strlen(buf);
153	char version;
154	char temp[2048];
155		101
156	len = uudecode(buf, (u_char *)temp, sizeof(temp));	102	/* sanity check for size */
157	if (len < 0)	103	if (blen > 8192)
158	return 0;	104	return 0;
159		105
160	p = temp;	106	buffer_init(&b);
		107	space = buffer_append_space(&b, blen);
161		108
162	/* check version and length! */	109	/* check version and length! */
		110	len = uudecode(buf, space, blen);
163	if (len < 1)	111	if (len < 1)
164	return 0;	112	goto done;
165	version = *p;
166	p++;
167	len--;
168
169	GETSTRING(creds->service, p, len);
170	GETSTRING(creds->instance, p, len);
171	GETSTRING(creds->realm, p, len);
172		113
173	GETSTRING(creds->pname, p, len);	114	version = buffer_get_char(&b);
174	GETSTRING(creds->pinst, p, len);
175	/* Ignore possibly different realm. */
176	while (*p && len)
177	p++, len--;
178	if (len == 0)
179	return 0;
180	p++, len--;
181
182	/* Enough space for remaining fixed-length parts? */
183	if (len < (4 + 4 + sizeof(creds->session) + 2 + 4))
184	return 0;
185		115
186	GETLONG(creds->issue_date, p);	116	GETSTRING(&b, creds->service, sizeof creds->service);
187	len -= 4;	117	GETSTRING(&b, creds->instance, sizeof creds->instance);
188	{	118	GETSTRING(&b, creds->realm, sizeof creds->realm);
189	u_int endTime;	119	GETSTRING(&b, creds->pname, sizeof creds->pname);
190	GETLONG(endTime, p);	120	GETSTRING(&b, creds->pinst, sizeof creds->pinst);
191	len -= 4;
192	creds->lifetime = krb_time_to_life(creds->issue_date, endTime);
193	}
194
195	memcpy(&creds->session, p, sizeof(creds->session));
196	p += sizeof(creds->session);
197	len -= sizeof(creds->session);
198
199	GETSHORT(creds->kvno, p);
200	len -= 2;
201	GETLONG(creds->ticket_st.length, p);
202	len -= 4;
203
204	tl = creds->ticket_st.length;
205	if (tl < 0 \|\| tl > len \|\| tl > sizeof(creds->ticket_st.dat))
206	return 0;
207		121
208	memcpy(creds->ticket_st.dat, p, tl);	122	if (buffer_len(&b) == 0)
209	p += tl;	123	goto done;
210	len -= tl;
211		124
212	return 1;	125	/* Ignore possibly different realm. */
		126	while (buffer_len(&b) > 0 && (c = buffer_get_char(&b)) != '\0')
		127	;
		128
		129	if (buffer_len(&b) == 0)
		130	goto done;
		131
		132	creds->issue_date = buffer_get_int(&b);
		133
		134	endTime = buffer_get_int(&b);
		135	creds->lifetime = krb_time_to_life(creds->issue_date, endTime);
		136
		137	len = buffer_len(&b);
		138	if (len < sizeof(creds->session))
		139	goto done;
		140	memcpy(&creds->session, buffer_ptr(&b), sizeof(creds->session));
		141	buffer_consume(&b, sizeof(creds->session));
		142
		143	creds->kvno = buffer_get_short(&b);
		144
		145	p = buffer_get_string(&b, &len);
		146	if (len < 0 \|\| len > sizeof(creds->ticket_st.dat))
		147	goto done;
		148	memcpy(&creds->ticket_st.dat, p, len);
		149	creds->ticket_st.length = len;
		150
		151	ret = 1;
		152	done:
		153	buffer_free(&b);
		154	return ret;
213	}	155	}
214	#endif /* AFS */	156	#endif /* AFS */