+++ /dev/null
-diff -ruN Canna35b2.orig/server/convert.c Canna35b2/server/convert.c
---- Canna35b2.orig/server/convert.c Mon Dec 2 20:01:34 1996
-+++ Canna35b2/server/convert.c Mon Nov 11 19:59:52 2002
-@@ -53,6 +53,8 @@
- #define ACK2 2
- #define ACK3 3
- #define CHECK_ACK_BUF_SIZE (ACK_BUFSIZE + (SIZEOFLONG * 2) )
-+#define IR_INT_MAX 32767
-+#define IR_INT_INVAL(x) ((unsigned int)x > IR_INT_MAX)
-
- extern int errno;
-
-@@ -1778,6 +1780,8 @@
- return( needsize ) ;
-
- req->namelen = (int)L4TOL(buf + SIZE4);
-+ if( IR_INT_INVAL(req->namelen) )
-+ return( -1 );
- ir_debug( Dmsg(10,"req->namelen =%d\n", req->namelen ); )
-
- if( (needsize = SIZE8 + req->namelen - size) > 0 )
-@@ -1785,6 +1789,8 @@
-
- if( req->namelen > 0 ){
- req->name = buf + SIZE8 ;
-+ if( req->name[req->namelen - 1] != 0 )
-+ return( -1 );
- }
- ir_debug( Dmsg(10,"req->namelen =%d\n", req->namelen ); )
- ir_debug( Dmsg(10,"req->name =%s\n", req->name ); )
-diff -ruN Canna35b2.orig/server/util.c Canna35b2/server/util.c
---- Canna35b2.orig/server/util.c Wed Nov 6 19:09:47 1996
-+++ Canna35b2/server/util.c Mon Nov 11 19:59:52 2002
-@@ -217,6 +217,19 @@
- return res;
- }
-
-+const Ushort *
-+ushortmemchr(ws, ch, len)
-+const Ushort *ws;
-+int ch;
-+size_t len;
-+{
-+ const Ushort *p, *end;
-+ for (p = ws, end = ws + len; p < end; ++p)
-+ if (*p == (Ushort)ch)
-+ return p;
-+ return NULL;
-+}
-+
- int
- ushortstrcpy(wd, ws)
- Ushort *wd, *ws;
-diff -ruN Canna35b2.orig/server/wconvert.c Canna35b2/server/wconvert.c
---- Canna35b2.orig/server/wconvert.c Mon Nov 11 19:42:07 2002
-+++ Canna35b2/server/wconvert.c Mon Nov 11 19:59:52 2002
-@@ -100,6 +100,7 @@
- #endif
-
- extern void DispDebug() ;
-+extern const Ushort *ushortmemchr pro((const Ushort *, int, size_t));
- extern int canna_server_hi ;
- extern int canna_server_lo ;
- #ifdef DEBUG
-@@ -1322,7 +1323,10 @@
- char *dirname, *dirnamelong = (char *)0;
- int cxnum = Request.type18.context, stat = -1;
- int requestsize = Request.type18.size, retval;
-+ size_t datasize = Request.type18.datalen - SIZEOFSHORT * 2;
-
-+ if (datasize == 0 || req->data[datasize - 1] != 0)
-+ goto protoerr;
- if (validcontext(cxnum, client, wListDictionary)) {
- if (requestsize <= sizeof(local_buffer) ||
- (dicnames = malloc(requestsize))) {
-@@ -1359,6 +1363,7 @@
- }
- }
-
-+protoerr:
- retval = SendType6Reply(client, wListDictionary, EXTPROTO, stat,
- dicnames, namesize(dicnames, stat));
- if (dicnames != (char *)local_buffer) free(dicnames);
-@@ -1470,10 +1475,15 @@
- char *dicname, *dirname, *dirnamelong = (char *)0;
- int cxnum = Request.type18.context, stat = BADCONT;
- int dirlen, requestsize = Request.type18.size, retval;
-+ size_t datasize = Request.type18.datalen - SIZEOFSHORT * 2;
-
-+ if (datasize == 0 || req->data[datasize - 1] != 0)
-+ goto protoerr;
- if (validcontext(cxnum, client, wGetWordTextDictionary)) {
- dirname = req->data ;
- dirlen = strlen(dirname) + 1 ;
-+ if (dirlen == datasize)
-+ goto protoerr;
- dicname = &(req->data[dirlen]) ;
- if (dirlen > 1) {
- if (!dirname || dirname[0] != ':' ||
-@@ -1515,6 +1525,7 @@
- free(dirnamelong);
- }
- }
-+protoerr:
- retval = SendType7Reply(client, wGetWordTextDictionary, EXTPROTO,
- stat, stat > 0 ? stat + 1 : 0, infobuf);
- if (infobuf != (Ushort *)local_buffer) free((char *)infobuf);
-@@ -2296,6 +2307,9 @@
- {
- ir_debug( Dmsg(10, "ProcWideReq1 start!!\n") );
-
-+ if (Request.type1.datalen != 0)
-+ return( -1 );
-+
- return( 0 ) ;
- }
-
-@@ -2305,6 +2319,8 @@
- {
- ir_debug( Dmsg(10, "ProcWideReq2 start!!\n") );
-
-+ if (Request.type2.datalen != SIZEOFSHORT)
-+ return( -1 );
- buf += HEADER_SIZE; Request.type2.context = S2TOS(buf);
- ir_debug( Dmsg(10, "req->context =%d\n", Request.type2.context) );
-
-@@ -2317,6 +2333,8 @@
- {
- ir_debug( Dmsg(10, "ProcWideReq3 start!!\n") );
-
-+ if (Request.type3.datalen != SIZEOFSHORT * 2)
-+ return( -1 );
- buf += HEADER_SIZE; Request.type3.context = S2TOS(buf);
- buf += SIZEOFSHORT; Request.type3.buflen = S2TOS(buf);
- ir_debug( Dmsg(10, "req->context =%d\n", Request.type3.context) );
-@@ -2334,12 +2352,18 @@
-
- ir_debug( Dmsg(10, "ProcWideReq4 start!!\n") );
-
-+ if (Request.type4.datalen < SIZEOFSHORT * 4)
-+ return( -1 );
- buf += HEADER_SIZE; Request.type4.context = S2TOS(buf);
- buf += SIZEOFSHORT; Request.type4.begin = S2TOS(buf);
- buf += SIZEOFSHORT; Request.type4.end = S2TOS(buf);
- buf += SIZEOFSHORT; Request.type4.yomilen = S2TOS(buf);
- Request.type4.yomi = (Ushort *)(buf += SIZEOFSHORT) ;
-- len = Request.type4.datalen - SIZEOFSHORT * 4;
-+ len = Request.type4.yomilen + 1;
-+ if (Request.type4.datalen != SIZEOFSHORT * (4 + len)
-+ || len == 0
-+ || Request.type4.yomi[len - 1] != 0)
-+ return( -1 );
- for (data = Request.type4.yomi, i = 0; i < len; i++, data++)
- *data = ntohs((unsigned short)*data); /* ¤Á¤ç¤Ã¤È¤ä¤À¤Ê¤¢ */
- ir_debug( Dmsg(10, "req->context =%d\n", Request.type4.context) );
-@@ -2359,6 +2383,8 @@
- {
- ir_debug( Dmsg(10, "ProcWideReq5 start!!\n") );
-
-+ if (Request.type5.datalen != SIZEOFSHORT * 2 + SIZEOFINT)
-+ return( -1 );
- buf += HEADER_SIZE; Request.type5.context = S2TOS(buf);
- buf += SIZEOFSHORT; Request.type5.size = S2TOS(buf);
- buf += SIZEOFSHORT; Request.type5.mode = L4TOL(buf);
-@@ -2375,6 +2401,8 @@
- {
- ir_debug( Dmsg(10, "ProcWideReq6 start!!\n") );
-
-+ if (Request.type6.datalen != SIZEOFSHORT * 3)
-+ return( -1 );
- buf += HEADER_SIZE; Request.type6.context = S2TOS(buf);
- buf += SIZEOFSHORT; Request.type6.number = S2TOS(buf);
- buf += SIZEOFSHORT; Request.type6.buflen = S2TOS(buf);
-@@ -2391,6 +2419,8 @@
- {
- ir_debug( Dmsg(10, "ProcWideReq7 start!!\n") );
-
-+ if (Request.type7.datalen != SIZEOFSHORT * 3)
-+ return( -1 );
- buf += HEADER_SIZE; Request.type7.context = S2TOS(buf);
- buf += SIZEOFSHORT; Request.type7.number = S2TOS(buf);
- buf += SIZEOFSHORT; Request.type7.yomilen = (short)S2TOS(buf);
-@@ -2407,6 +2437,8 @@
- {
- ir_debug( Dmsg(10, "ProcWideReq8 start!!\n") );
-
-+ if (Request.type8.datalen != SIZEOFSHORT * 4)
-+ return( -1 );
- buf += HEADER_SIZE; Request.type8.context = S2TOS(buf);
- buf += SIZEOFSHORT; Request.type8.curbun = S2TOS(buf);
- buf += SIZEOFSHORT; Request.type8.curkouho = S2TOS(buf);
-@@ -2425,6 +2457,8 @@
- {
- ir_debug( Dmsg(10, "ProcWideReq9 start!!\n") );
-
-+ if (Request.type9.datalen != SIZEOFSHORT * 4)
-+ return( -1 );
- buf += HEADER_SIZE; Request.type9.context = S2TOS(buf);
- buf += SIZEOFSHORT; Request.type9.number = S2TOS(buf);
- buf += SIZEOFSHORT; Request.type9.kouho = S2TOS(buf);
-@@ -2442,9 +2476,13 @@
- BYTE *buf ;
- {
- register int i ;
-+ int rest;
-
- ir_debug( Dmsg(10, "ProcWideReq10 start!!\n") );
-
-+ rest = Request.type10.datalen - (SIZEOFSHORT * 2 + SIZEOFINT);
-+ if (rest < 0)
-+ return( -1 );
- buf += HEADER_SIZE; Request.type10.context = S2TOS(buf);
- buf += SIZEOFSHORT; Request.type10.number = S2TOS(buf);
- buf += SIZEOFSHORT; Request.type10.mode = L4TOL(buf);
-@@ -2452,6 +2490,8 @@
- ir_debug( Dmsg(10, "req->number =%d\n", Request.type10.number) );
- ir_debug( Dmsg(10, "req->mode =%d\n", Request.type10.mode) );
-
-+ if (rest != Request.type10.number * SIZEOFSHORT)
-+ return( -1 );
- buf += SIZEOFINT; Request.type10.kouho = (short *)buf; /* short? */
- for (i = 0; i < Request.type10.number; i++) {
- Request.type10.kouho[i] = S2TOS(buf); buf += SIZEOFSHORT;
-@@ -2468,12 +2508,18 @@
- register Ushort *data;
- int i, len ;
-
-- ir_debug( Dmsg(10, "ProcWideReq10 start!!\n") );
-+ ir_debug( Dmsg(10, "ProcWideReq11 start!!\n") );
-
-+ if (Request.type11.datalen < SIZEOFSHORT * 2)
-+ return( -1 );
- buf += HEADER_SIZE; Request.type11.context = S2TOS(buf);
- buf += SIZEOFSHORT; Request.type11.curbun = S2TOS(buf);
- buf += SIZEOFSHORT; Request.type11.yomi = (Ushort *)buf;
-+ if (Request.type11.datalen % SIZEOFSHORT != 0)
-+ return( -1 );
- len = ((int)Request.type11.datalen - SIZEOFSHORT * 2) / SIZEOFSHORT ;
-+ if (len == 0 || Request.type11.yomi[len - 1] != 0)
-+ return( -1 );
- for (data = Request.type11.yomi, i = 0; i < len; i++, data++)
- *data = ntohs( *data ); /* ¤Ê¤ó¤«¤ä¤À */
- ir_debug( Dmsg(10, "req->context =%d\n", Request.type11.context) );
-@@ -2490,16 +2536,26 @@
- BYTE *buf ;
- {
- register Ushort *data;
-- int i, len ;
-+ int i, len, rest;
-
- ir_debug( Dmsg(10, "ProcWideReq12 start!!\n") );
-
-+ rest = Request.type12.datalen - SIZEOFSHORT;
-+ if (rest < 0)
-+ return( -1 );
- buf += HEADER_SIZE; Request.type12.context = S2TOS(buf);
- buf += SIZEOFSHORT; Request.type12.datainfo = (Ushort *)buf;
-+ if (!ushortmemchr((Ushort *)buf, 0, rest / SIZEOFSHORT))
-+ return( -1 );
- len = ushortstrlen((Ushort *)buf) + 1;
-+ rest -= len * SIZEOFSHORT;
-+ if (rest <= 0)
-+ return( -1 );
- for( data = Request.type12.datainfo, i = 0; i < len; i++, data++ )
- *data = ntohs( *data ); /* ¤Ê¤ó¤«¤ä¤À */
- buf += len * SIZEOFSHORT;
-+ if (buf[rest - 1] != '\0')
-+ return( -1 );
- Request.type12.dicname = (char *)buf;
- ir_debug( Dmsg(10, "req->context =%d\n", Request.type12.context) );
- ir_debug( Dmsg(10, "req->datainfo =%s\n",
-@@ -2517,24 +2573,37 @@
- BYTE *buf ;
- {
- register Ushort *data;
-- int i ,len ;
-+ int i ,len, rest;
-
- ir_debug( Dmsg(10, "ProcWideReq13 start!!\n") );
-
-+ rest = Request.type13.datalen - SIZEOFSHORT;
-+ if (rest < 0)
-+ return( -1 );
- buf += HEADER_SIZE; Request.type13.context = S2TOS(buf);
- len = SIZEOFSHORT ;
- buf += len;
- Request.type13.dicname = (char *)buf;
-+ if (!memchr(buf, 0, rest))
-+ return( -1 );
- len = strlen( (char *)buf ) + 1;
-+ rest -= len;
-+ if (rest % SIZEOFSHORT
-+ || rest < SIZEOFSHORT * 3)
-+ return( -1 );
- buf += len;
- Request.type13.yomi = (Ushort *)buf;
- len = ((int)Request.type13.datalen - len - SIZEOFSHORT * 4) / SIZEOFSHORT;
-+ if (ushortmemchr((Ushort *)buf, 0, len) != (Ushort *)buf + len - 1)
-+ return( -1 );
- for( data = Request.type13.yomi, i = 0; i < len; i++, data++)
- *data = ntohs( *data );
-- buf += (ushortstrlen((Ushort *)buf) + 1) * SIZEOFSHORT;
-+ buf += len * SIZEOFSHORT;
- Request.type13.yomilen = S2TOS(buf);
- buf += SIZEOFSHORT; Request.type13.kouhosize = S2TOS(buf);
- buf += SIZEOFSHORT; Request.type13.hinshisize = S2TOS(buf);
-+ if (Request.type13.yomilen != len - 1)
-+ return( -1 );
- ir_debug( Dmsg(10, "req->context =%d\n", Request.type13.context) );
- ir_debug( Dmsg(10, "req->dicname =%s\n", Request.type13.dicname) );
- ir_debug( Dmsg(10, "req->yomi =%s\n",
-@@ -2556,11 +2625,16 @@
-
- ir_debug( Dmsg(10, "ProcWideReq14 start!!\n") );
-
-+ if (Request.type14.datalen <= SIZEOFINT + SIZEOFSHORT
-+ || Request.type14.datalen % SIZEOFSHORT)
-+ return( -1 );
- buf += HEADER_SIZE; Request.type14.mode = L4TOL(buf);
- buf += SIZEOFINT; Request.type14.context = S2TOS(buf);
- buf += SIZEOFSHORT; Request.type14.yomi = (Ushort *)buf;
- len = ((int)Request.type14.datalen - SIZEOFSHORT - SIZEOFINT)
- / SIZEOFSHORT;
-+ if (Request.type14.yomi[len - 1] != 0)
-+ return( -1 );
- for (data = Request.type14.yomi, i = 0; i < len; i++, data++)
- *data = ntohs( *data ); /* ¤Ê¤ó¤«¤ä¤À */
-
-@@ -2577,11 +2651,17 @@
- ProcWideReq15(buf)
- BYTE *buf ;
- {
-+ int rest;
- ir_debug( Dmsg(10, "ProcWideReq15 start!!\n") );
-
-+ rest = Request.type15.datalen - (SIZEOFINT + SIZEOFSHORT);
-+ if (rest <= 0)
-+ return( -1 );
- buf += HEADER_SIZE; Request.type15.mode = L4TOL(buf);
- buf += SIZEOFINT; Request.type15.context = S2TOS(buf);
- buf += SIZEOFSHORT; Request.type15.dicname = (char *)buf;
-+ if (buf[rest - 1] != 0)
-+ return( -1 );
- ir_debug( Dmsg(10, "req->mode =%d\n", Request.type15.mode) );
- ir_debug( Dmsg(10, "req->context =%d\n", Request.type15.context) );
- ir_debug( Dmsg(10, "req->dicname =%s\n",
-@@ -2597,6 +2677,9 @@
- ir_debug( Dmsg(10, "ProcWideReq17 start!!\n") );
-
- buf += HEADER_SIZE;
-+ if (Request.type17.datalen < SIZEOFCHAR * 2
-+ || buf[Request.type17.datalen - SIZEOFCHAR * 2] != 0)
-+ return( -1 );
- Request.type17.dicname = (char *)buf;
- Request.type17.mode = (char)*(buf + Request.type17.datalen - SIZEOFCHAR) ;
- ir_debug( Dmsg(10, "req->dicname =%s\n",
-@@ -2613,6 +2696,8 @@
- {
- ir_debug( Dmsg(10, "ProcWideReq18 start!!\n") );
-
-+ if (Request.type18.datalen < SIZEOFSHORT * 2)
-+ return( -1 );
- buf += HEADER_SIZE; Request.type18.context = S2TOS(buf);
- buf += SIZEOFSHORT; Request.type18.data = (char *)buf;
- buf += Request.type18.datalen - SIZEOFSHORT * 2;
-@@ -2630,12 +2715,18 @@
- ProcWideReq19(buf)
- BYTE *buf ;
- {
-+ int rest;
- ir_debug( Dmsg(10, "ProcWideReq19 start!!\n") );
-
-+ rest = Request.type20.datalen - (SIZEOFSHORT + SIZEOFINT * 2);
-+ if (rest < 0)
-+ return( -1 );
- buf += HEADER_SIZE; Request.type20.context = S2TOS(buf);
- buf += SIZEOFSHORT; Request.type20.command = L4TOL(buf);
- buf += SIZEOFINT; Request.type20.bufsize = L4TOL(buf);
- buf += SIZEOFINT; Request.type20.buf = (char *)buf;
-+ if (Request.type20.bufsize != rest)
-+ return( -1 );
- ir_debug( Dmsg(10, "req->context =%d\n", Request.type20.context) );
- ir_debug( Dmsg(10, "req->command =%d\n", Request.type20.command) );
- ir_debug( Dmsg(10, "req->bufsize =%d\n", Request.type20.bufsize) );
-@@ -2647,15 +2738,25 @@
- ProcWideReq20(buf)
- BYTE *buf ;
- {
-+ BYTE *bufend;
- ir_debug( Dmsg(10, "ProcWideReq20 start!!\n") );
-
-+ if (Request.type21.datalen < SIZEOFINT + SIZEOFSHORT)
-+ return( -1 );
- buf += HEADER_SIZE; Request.type21.mode = L4TOL(buf);
-+ bufend = buf + Request.type21.datalen;
- buf += SIZEOFINT; Request.type21.context = S2TOS(buf);
- buf += SIZEOFSHORT; Request.type21.dirname = (char *)buf;
-+ if (!memchr(buf, 0, bufend - buf))
-+ return( -1 );
- buf += strlen((char *)buf) + 1;
- Request.type21.srcdic = (char *)buf;
-+ if (!memchr(buf, 0, bufend - buf))
-+ return( -1 );
- buf += strlen((char *)buf) + 1;
- Request.type21.dstdic = (char *)buf;
-+ if (*(bufend - 1) != 0)
-+ return( -1 );
-
- ir_debug( Dmsg(10, "req->mode =%d\n", Request.type21.mode) );
- ir_debug( Dmsg(10, "req->context =%d\n", Request.type21.context) );