authorChristian Weisgerber <naddy@FreeBSD.org>2004-03-07 20:49:32 +0000
committerChristian Weisgerber <naddy@FreeBSD.org>2004-03-07 20:49:32 +0000
commitc16e051e6966d5c88e2624551ad68d8efcc6698f (patch)
treefe43222ca18e06646e2d5859cbf1a593436d79d4 /mail/anubis/files/patch-src_auth.c
parent- Update Portable.NET suite to 0.6.2 (diff)
Buffer overflow and format string fixes.
(Also don't put several patches in a single file.) Approved by: sergei Obtained from: upstream Reported by: Ulf Harnhammar <Ulf.Harnhammar.9485@student.uu.se>
Notes
Notes: svn path=/head/; revision=103226
Diffstat (limited to 'mail/anubis/files/patch-src_auth.c')
-rw-r--r--mail/anubis/files/patch-src_auth.c114
1 files changed, 114 insertions, 0 deletions
diff --git a/mail/anubis/files/patch-src_auth.c b/mail/anubis/files/patch-src_auth.c
new file mode 100644
index 000000000000..f4e4209b1c52
--- /dev/null
+++ b/mail/anubis/files/patch-src_auth.c
@@ -0,0 +1,114 @@
+
+$FreeBSD$
+
+--- src/auth.c.orig Wed Dec 4 22:43:34 2002
++++ src/auth.c Sun Mar 7 15:10:48 2004
+@@ -42,6 +42,66 @@
+ IDENT protocol support
+ ************************/
+
++#define USERNAME_C "USERID :"
++
++/* If the reply matches sscanf expression
++
++ "%*[^:]: USERID :%*[^:]:%s"
++
++ and the length of "%s" part does not exceed size-1 bytes,
++ copies this part to USERNAME and returns 0. Otherwise,
++ returns 1 */
++
++static int
++ident_extract_username(char *reply, char *username, size_t size)
++{
++ char *p;
++
++ p = strchr (reply, ':');
++ if (!p)
++ return 1;
++ if (p[1] != ' '
++ || strncmp (p + 2, USERNAME_C, sizeof (USERNAME_C) - 1))
++ return 1;
++ p += 2 + sizeof (USERNAME_C) - 1;
++ p = strchr (p, ':');
++ if (!p)
++ return 1;
++ p++;
++ if (strlen (p) >= size)
++ return 1;
++ strcpy(username, p);
++ return 0;
++}
++
++/* If the reply matches sscanf expression
++
++ "%*[^ ] %*[^ ] %*[^ ] %*[^ ] %*[^ ] %s"
++
++ and the length of "%s" part does not exceed size-1 bytes,
++ copies this part to USERNAME and returns 0. Otherwise,
++ returns 1 */
++
++static int
++crypt_extract_username(char *reply, char *username, size_t size)
++{
++ int i;
++ char *p = reply;
++#define skip_word(c) while (*c && (*c) != ' ') c++
++
++ /* Skip five words */
++ for (i = 0; i < 5; i++) {
++ skip_word(p);
++ if (!*p++)
++ return 1;
++ }
++
++ if (strlen (p) >= size)
++ return 1;
++ strcpy(username, p);
++ return 0;
++}
++
+ int
+ auth_ident(struct sockaddr_in *addr, char *user, int size)
+ {
+@@ -51,7 +111,8 @@
+ int sd = 0;
+
+ if ((sd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
+- anubis_error(SOFT, _("IDENT: socket() failed: %s."), strerror(errno));
++ anubis_error(SOFT, _("IDENT: socket() failed: %s."),
++ strerror(errno));
+ return 0;
+ }
+ memcpy(&ident, addr, sizeof(ident));
+@@ -69,11 +130,7 @@
+ info(VERBOSE, _("IDENT: connected to %s:%u"),
+ inet_ntoa(ident.sin_addr), ntohs(ident.sin_port));
+
+- #ifdef HAVE_SNPRINTF
+ snprintf(buf, LINEBUFFER,
+- #else
+- sprintf(buf,
+- #endif /* HAVE_SNPRINTF */
+ "%u , %u"CRLF, ntohs(addr->sin_port), session.tunnel_port);
+
+ if (send(sd, buf, strlen(buf), 0) == -1) {
+@@ -89,7 +146,8 @@
+ close_socket(sd);
+ memset(user, 0, size);
+
+- if (sscanf(buf, "%*[^:]: USERID :%*[^:]:%s", user) != 1) {
++ remcrlf (buf);
++ if (ident_extract_username(buf, user, size)) {
+ info(VERBOSE, _("IDENT: incorrect data."));
+ return 0;
+ }
+@@ -105,7 +163,8 @@
+ if (rs == -1)
+ return 0;
+
+- if (sscanf(buf, "%*[^ ] %*[^ ] %*[^ ] %*[^ ] %*[^ ] %s", user) != 1) {
++ remcrlf (buf);
++ if (crypt_extract_username(buf, user, size)) {
+ info(VERBOSE, _("IDENT: incorrect data (DES deciphered)."));
+ return 0;
+ }
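Review bot: In `ident_extract_username` and `crypt_extract_username` the whole remainder of the reply is copied, whereas the `%s` conversion they replace skipped leading whitespace and stopped at the next blank, so the header comments saying the reply "matches sscanf expression" overstate the equivalence. For an RFC 1413-style reply such as `1234 , 25 : USERID : UNIX : alice` (constructed sample) the stored name would be ` alice` with a leading space, which may not match the name the later authentication step expects; adding `while (*p == ' ') p++;` before each `if (strlen (p) >= size)` would restore that part of the old behaviour. The length check itself is right, but `auth_ident` passes its `int size` into a `size_t` parameter, so a negative value would convert to a huge bound and defeat the check; a guard like `if (size <= 0) return 0;` near the top of `auth_ident` would close that, though its callers and the rest of its body are outside this hunk.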