1 diff -ruN Canna35b2.orig/server/convert.c Canna35b2/server/convert.c
2 --- Canna35b2.orig/server/convert.c Mon Dec 2 20:01:34 1996
3 +++ Canna35b2/server/convert.c Mon Nov 11 19:59:52 2002
7 #define CHECK_ACK_BUF_SIZE (ACK_BUFSIZE + (SIZEOFLONG * 2) )
8 +#define IR_INT_MAX 32767
9 +#define IR_INT_INVAL(x) ((unsigned int)x > IR_INT_MAX)
16 req->namelen = (int)L4TOL(buf + SIZE4);
17 + if( IR_INT_INVAL(req->namelen) )
19 ir_debug( Dmsg(10,"req->namelen =%d\n", req->namelen ); )
21 if( (needsize = SIZE8 + req->namelen - size) > 0 )
24 if( req->namelen > 0 ){
25 req->name = buf + SIZE8 ;
26 + if( req->name[req->namelen - 1] != 0 )
29 ir_debug( Dmsg(10,"req->namelen =%d\n", req->namelen ); )
30 ir_debug( Dmsg(10,"req->name =%s\n", req->name ); )
31 diff -ruN Canna35b2.orig/server/util.c Canna35b2/server/util.c
32 --- Canna35b2.orig/server/util.c Wed Nov 6 19:09:47 1996
33 +++ Canna35b2/server/util.c Mon Nov 11 19:59:52 2002
39 +ushortmemchr(ws, ch, len)
44 + const Ushort *p, *end;
45 + for (p = ws, end = ws + len; p < end; ++p)
46 + if (*p == (Ushort)ch)
54 diff -ruN Canna35b2.orig/server/wconvert.c Canna35b2/server/wconvert.c
55 --- Canna35b2.orig/server/wconvert.c Mon Nov 11 19:42:07 2002
56 +++ Canna35b2/server/wconvert.c Mon Nov 11 19:59:52 2002
60 extern void DispDebug() ;
61 +extern const Ushort *ushortmemchr pro((const Ushort *, int, size_t));
62 extern int canna_server_hi ;
63 extern int canna_server_lo ;
65 @@ -1322,7 +1323,10 @@
66 char *dirname, *dirnamelong = (char *)0;
67 int cxnum = Request.type18.context, stat = -1;
68 int requestsize = Request.type18.size, retval;
69 + size_t datasize = Request.type18.datalen - SIZEOFSHORT * 2;
71 + if (datasize == 0 || req->data[datasize - 1] != 0)
73 if (validcontext(cxnum, client, wListDictionary)) {
74 if (requestsize <= sizeof(local_buffer) ||
75 (dicnames = malloc(requestsize))) {
81 retval = SendType6Reply(client, wListDictionary, EXTPROTO, stat,
82 dicnames, namesize(dicnames, stat));
83 if (dicnames != (char *)local_buffer) free(dicnames);
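Review bot: `datasize` on line 69 is `Request.type18.datalen - SIZEOFSHORT * 2` stored in a `size_t`, so a datalen smaller than `SIZEOFSHORT * 2` wraps to a huge value and the `datasize == 0` test on line 71 no longer protects the `req->data[datasize - 1]` read that follows it. As far as this diff shows, the only thing ruling that out is the new `datalen < SIZEOFSHORT * 2` rejection in ProcWideReq18 (the @@ -2613 hunk), which presumably runs before this wListDictionary handler; that dependency is worth stating beside the subtraction, e.g. `/* datalen >= SIZEOFSHORT * 2 is enforced by ProcWideReq18 */`, or repeating the check locally. The same construction appears at line 88 in the @@ -1470 hunk. The error branch on line 72 and the remainder of the function are not visible in this excerpt.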
84 @@ -1470,10 +1475,15 @@
85 char *dicname, *dirname, *dirnamelong = (char *)0;
86 int cxnum = Request.type18.context, stat = BADCONT;
87 int dirlen, requestsize = Request.type18.size, retval;
88 + size_t datasize = Request.type18.datalen - SIZEOFSHORT * 2;
90 + if (datasize == 0 || req->data[datasize - 1] != 0)
92 if (validcontext(cxnum, client, wGetWordTextDictionary)) {
94 dirlen = strlen(dirname) + 1 ;
95 + if (dirlen == datasize)
97 dicname = &(req->data[dirlen]) ;
99 if (!dirname || dirname[0] != ':' ||
100 @@ -1515,6 +1525,7 @@
105 retval = SendType7Reply(client, wGetWordTextDictionary, EXTPROTO,
106 stat, stat > 0 ? stat + 1 : 0, infobuf);
107 if (infobuf != (Ushort *)local_buffer) free((char *)infobuf);
108 @@ -2296,6 +2307,9 @@
110 ir_debug( Dmsg(10, "ProcWideReq1 start!!\n") );
112 + if (Request.type1.datalen != 0)
118 @@ -2305,6 +2319,8 @@
120 ir_debug( Dmsg(10, "ProcWideReq2 start!!\n") );
122 + if (Request.type2.datalen != SIZEOFSHORT)
124 buf += HEADER_SIZE; Request.type2.context = S2TOS(buf);
125 ir_debug( Dmsg(10, "req->context =%d\n", Request.type2.context) );
127 @@ -2317,6 +2333,8 @@
129 ir_debug( Dmsg(10, "ProcWideReq3 start!!\n") );
131 + if (Request.type3.datalen != SIZEOFSHORT * 2)
133 buf += HEADER_SIZE; Request.type3.context = S2TOS(buf);
134 buf += SIZEOFSHORT; Request.type3.buflen = S2TOS(buf);
135 ir_debug( Dmsg(10, "req->context =%d\n", Request.type3.context) );
136 @@ -2334,12 +2352,18 @@
138 ir_debug( Dmsg(10, "ProcWideReq4 start!!\n") );
140 + if (Request.type4.datalen < SIZEOFSHORT * 4)
142 buf += HEADER_SIZE; Request.type4.context = S2TOS(buf);
143 buf += SIZEOFSHORT; Request.type4.begin = S2TOS(buf);
144 buf += SIZEOFSHORT; Request.type4.end = S2TOS(buf);
145 buf += SIZEOFSHORT; Request.type4.yomilen = S2TOS(buf);
146 Request.type4.yomi = (Ushort *)(buf += SIZEOFSHORT) ;
147 - len = Request.type4.datalen - SIZEOFSHORT * 4;
148 + len = Request.type4.yomilen + 1;
149 + if (Request.type4.datalen != SIZEOFSHORT * (4 + len)
151 + || Request.type4.yomi[len - 1] != 0)
153 for (data = Request.type4.yomi, i = 0; i < len; i++, data++)
154 *data = ntohs((unsigned short)*data); /* ¤Á¤ç¤Ã¤È¤ä¤À¤Ê¤¢ */
155 ir_debug( Dmsg(10, "req->context =%d\n", Request.type4.context) );
156 @@ -2359,6 +2383,8 @@
158 ir_debug( Dmsg(10, "ProcWideReq5 start!!\n") );
160 + if (Request.type5.datalen != SIZEOFSHORT * 2 + SIZEOFINT)
162 buf += HEADER_SIZE; Request.type5.context = S2TOS(buf);
163 buf += SIZEOFSHORT; Request.type5.size = S2TOS(buf);
164 buf += SIZEOFSHORT; Request.type5.mode = L4TOL(buf);
165 @@ -2375,6 +2401,8 @@
167 ir_debug( Dmsg(10, "ProcWideReq6 start!!\n") );
169 + if (Request.type6.datalen != SIZEOFSHORT * 3)
171 buf += HEADER_SIZE; Request.type6.context = S2TOS(buf);
172 buf += SIZEOFSHORT; Request.type6.number = S2TOS(buf);
173 buf += SIZEOFSHORT; Request.type6.buflen = S2TOS(buf);
174 @@ -2391,6 +2419,8 @@
176 ir_debug( Dmsg(10, "ProcWideReq7 start!!\n") );
178 + if (Request.type7.datalen != SIZEOFSHORT * 3)
180 buf += HEADER_SIZE; Request.type7.context = S2TOS(buf);
181 buf += SIZEOFSHORT; Request.type7.number = S2TOS(buf);
182 buf += SIZEOFSHORT; Request.type7.yomilen = (short)S2TOS(buf);
183 @@ -2407,6 +2437,8 @@
185 ir_debug( Dmsg(10, "ProcWideReq8 start!!\n") );
187 + if (Request.type8.datalen != SIZEOFSHORT * 4)
189 buf += HEADER_SIZE; Request.type8.context = S2TOS(buf);
190 buf += SIZEOFSHORT; Request.type8.curbun = S2TOS(buf);
191 buf += SIZEOFSHORT; Request.type8.curkouho = S2TOS(buf);
192 @@ -2425,6 +2457,8 @@
194 ir_debug( Dmsg(10, "ProcWideReq9 start!!\n") );
196 + if (Request.type9.datalen != SIZEOFSHORT * 4)
198 buf += HEADER_SIZE; Request.type9.context = S2TOS(buf);
199 buf += SIZEOFSHORT; Request.type9.number = S2TOS(buf);
200 buf += SIZEOFSHORT; Request.type9.kouho = S2TOS(buf);
201 @@ -2442,9 +2476,13 @@
207 ir_debug( Dmsg(10, "ProcWideReq10 start!!\n") );
209 + rest = Request.type10.datalen - (SIZEOFSHORT * 2 + SIZEOFINT);
212 buf += HEADER_SIZE; Request.type10.context = S2TOS(buf);
213 buf += SIZEOFSHORT; Request.type10.number = S2TOS(buf);
214 buf += SIZEOFSHORT; Request.type10.mode = L4TOL(buf);
215 @@ -2452,6 +2490,8 @@
216 ir_debug( Dmsg(10, "req->number =%d\n", Request.type10.number) );
217 ir_debug( Dmsg(10, "req->mode =%d\n", Request.type10.mode) );
219 + if (rest != Request.type10.number * SIZEOFSHORT)
221 buf += SIZEOFINT; Request.type10.kouho = (short *)buf; /* short? */
222 for (i = 0; i < Request.type10.number; i++) {
223 Request.type10.kouho[i] = S2TOS(buf); buf += SIZEOFSHORT;
224 @@ -2468,12 +2508,18 @@
225 register Ushort *data;
228 - ir_debug( Dmsg(10, "ProcWideReq10 start!!\n") );
229 + ir_debug( Dmsg(10, "ProcWideReq11 start!!\n") );
231 + if (Request.type11.datalen < SIZEOFSHORT * 2)
233 buf += HEADER_SIZE; Request.type11.context = S2TOS(buf);
234 buf += SIZEOFSHORT; Request.type11.curbun = S2TOS(buf);
235 buf += SIZEOFSHORT; Request.type11.yomi = (Ushort *)buf;
236 + if (Request.type11.datalen % SIZEOFSHORT != 0)
238 len = ((int)Request.type11.datalen - SIZEOFSHORT * 2) / SIZEOFSHORT ;
239 + if (len == 0 || Request.type11.yomi[len - 1] != 0)
241 for (data = Request.type11.yomi, i = 0; i < len; i++, data++)
242 *data = ntohs( *data ); /* ¤Ê¤ó¤«¤ä¤À */
243 ir_debug( Dmsg(10, "req->context =%d\n", Request.type11.context) );
244 @@ -2490,16 +2536,26 @@
247 register Ushort *data;
251 ir_debug( Dmsg(10, "ProcWideReq12 start!!\n") );
253 + rest = Request.type12.datalen - SIZEOFSHORT;
256 buf += HEADER_SIZE; Request.type12.context = S2TOS(buf);
257 buf += SIZEOFSHORT; Request.type12.datainfo = (Ushort *)buf;
258 + if (!ushortmemchr((Ushort *)buf, 0, rest / SIZEOFSHORT))
260 len = ushortstrlen((Ushort *)buf) + 1;
261 + rest -= len * SIZEOFSHORT;
264 for( data = Request.type12.datainfo, i = 0; i < len; i++, data++ )
265 *data = ntohs( *data ); /* ¤Ê¤ó¤«¤ä¤À */
266 buf += len * SIZEOFSHORT;
267 + if (buf[rest - 1] != '\0')
269 Request.type12.dicname = (char *)buf;
270 ir_debug( Dmsg(10, "req->context =%d\n", Request.type12.context) );
271 ir_debug( Dmsg(10, "req->datainfo =%s\n",
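Review bot: The terminator test `if (buf[rest - 1] != '\0')` on line 267 does not cover `rest == 0`: when the request ends immediately after the datainfo string, `buf[-1]` is one of the two zero bytes of the datainfo terminator, so the test passes and `Request.type12.dicname` is left pointing one past the request payload with no terminator of its own. Lines 262-263 are not shown here; unless they already reject a zero remainder after `rest -= len * SIZEOFSHORT`, the check should take the form used in the @@ -1322 hunk, `if (rest == 0 || buf[rest - 1] != '\0')`. The @@ -2577 hunk has the same shape at line 342 (`if (buf[rest - 1] != 0)`), with lines 337-338 likewise not visible.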
272 @@ -2517,24 +2573,37 @@
275 register Ushort *data;
279 ir_debug( Dmsg(10, "ProcWideReq13 start!!\n") );
281 + rest = Request.type13.datalen - SIZEOFSHORT;
284 buf += HEADER_SIZE; Request.type13.context = S2TOS(buf);
287 Request.type13.dicname = (char *)buf;
288 + if (!memchr(buf, 0, rest))
290 len = strlen( (char *)buf ) + 1;
292 + if (rest % SIZEOFSHORT
293 + || rest < SIZEOFSHORT * 3)
296 Request.type13.yomi = (Ushort *)buf;
297 len = ((int)Request.type13.datalen - len - SIZEOFSHORT * 4) / SIZEOFSHORT;
298 + if (ushortmemchr((Ushort *)buf, 0, len) != (Ushort *)buf + len - 1)
300 for( data = Request.type13.yomi, i = 0; i < len; i++, data++)
301 *data = ntohs( *data );
302 - buf += (ushortstrlen((Ushort *)buf) + 1) * SIZEOFSHORT;
303 + buf += len * SIZEOFSHORT;
304 Request.type13.yomilen = S2TOS(buf);
305 buf += SIZEOFSHORT; Request.type13.kouhosize = S2TOS(buf);
306 buf += SIZEOFSHORT; Request.type13.hinshisize = S2TOS(buf);
307 + if (Request.type13.yomilen != len - 1)
309 ir_debug( Dmsg(10, "req->context =%d\n", Request.type13.context) );
310 ir_debug( Dmsg(10, "req->dicname =%s\n", Request.type13.dicname) );
311 ir_debug( Dmsg(10, "req->yomi =%s\n",
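Review bot: `len` on line 297 is recomputed from `(int)Request.type13.datalen - len - SIZEOFSHORT * 4` rather than from the `rest` that lines 292-293 just validated, so the checked quantity and the quantity actually used can drift apart under later edits; assuming `rest` has been reduced by the dicname length on a line not shown here, `len = (rest - SIZEOFSHORT * 3) / SIZEOFSHORT;` gives the same value in terms of what was checked. With `rest == SIZEOFSHORT * 3` that yields `len == 0`, and line 298 then compares against `(Ushort *)buf + len - 1`, a pointer formed one element before the yomi array; an explicit `len == 0 ||` guard, as ProcWideReq11 has on line 239, avoids forming it. The rest of the function lies outside this hunk.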
312 @@ -2556,11 +2625,16 @@
314 ir_debug( Dmsg(10, "ProcWideReq14 start!!\n") );
316 + if (Request.type14.datalen <= SIZEOFINT + SIZEOFSHORT
317 + || Request.type14.datalen % SIZEOFSHORT)
319 buf += HEADER_SIZE; Request.type14.mode = L4TOL(buf);
320 buf += SIZEOFINT; Request.type14.context = S2TOS(buf);
321 buf += SIZEOFSHORT; Request.type14.yomi = (Ushort *)buf;
322 len = ((int)Request.type14.datalen - SIZEOFSHORT - SIZEOFINT)
324 + if (Request.type14.yomi[len - 1] != 0)
326 for (data = Request.type14.yomi, i = 0; i < len; i++, data++)
327 *data = ntohs( *data ); /* ¤Ê¤ó¤«¤ä¤À */
329 @@ -2577,11 +2651,17 @@
334 ir_debug( Dmsg(10, "ProcWideReq15 start!!\n") );
336 + rest = Request.type15.datalen - (SIZEOFINT + SIZEOFSHORT);
339 buf += HEADER_SIZE; Request.type15.mode = L4TOL(buf);
340 buf += SIZEOFINT; Request.type15.context = S2TOS(buf);
341 buf += SIZEOFSHORT; Request.type15.dicname = (char *)buf;
342 + if (buf[rest - 1] != 0)
344 ir_debug( Dmsg(10, "req->mode =%d\n", Request.type15.mode) );
345 ir_debug( Dmsg(10, "req->context =%d\n", Request.type15.context) );
346 ir_debug( Dmsg(10, "req->dicname =%s\n",
347 @@ -2597,6 +2677,9 @@
348 ir_debug( Dmsg(10, "ProcWideReq17 start!!\n") );
351 + if (Request.type17.datalen < SIZEOFCHAR * 2
352 + || buf[Request.type17.datalen - SIZEOFCHAR * 2] != 0)
354 Request.type17.dicname = (char *)buf;
355 Request.type17.mode = (char)*(buf + Request.type17.datalen - SIZEOFCHAR) ;
356 ir_debug( Dmsg(10, "req->dicname =%s\n",
357 @@ -2613,6 +2696,8 @@
359 ir_debug( Dmsg(10, "ProcWideReq18 start!!\n") );
361 + if (Request.type18.datalen < SIZEOFSHORT * 2)
363 buf += HEADER_SIZE; Request.type18.context = S2TOS(buf);
364 buf += SIZEOFSHORT; Request.type18.data = (char *)buf;
365 buf += Request.type18.datalen - SIZEOFSHORT * 2;
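Review bot: The new check on line 361 keeps the `buf += Request.type18.datalen - SIZEOFSHORT * 2` on line 365 from moving backwards, but says nothing about the contents of `Request.type18.data`; in this diff the NUL termination of that data is verified later, in the wListDictionary and wGetWordTextDictionary handlers (the @@ -1322 and @@ -1470 hunks), and a reader of this parser cannot see that split. A one-line comment after line 364 would make it explicit, e.g. `/* data is only length-checked here; the type18 handlers verify it is NUL-terminated */`. The error branch on line 362 is not shown.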
366 @@ -2630,12 +2715,18 @@
371 ir_debug( Dmsg(10, "ProcWideReq19 start!!\n") );
373 + rest = Request.type20.datalen - (SIZEOFSHORT + SIZEOFINT * 2);
376 buf += HEADER_SIZE; Request.type20.context = S2TOS(buf);
377 buf += SIZEOFSHORT; Request.type20.command = L4TOL(buf);
378 buf += SIZEOFINT; Request.type20.bufsize = L4TOL(buf);
379 buf += SIZEOFINT; Request.type20.buf = (char *)buf;
380 + if (Request.type20.bufsize != rest)
382 ir_debug( Dmsg(10, "req->context =%d\n", Request.type20.context) );
383 ir_debug( Dmsg(10, "req->command =%d\n", Request.type20.command) );
384 ir_debug( Dmsg(10, "req->bufsize =%d\n", Request.type20.bufsize) );
385 @@ -2647,15 +2738,25 @@
390 ir_debug( Dmsg(10, "ProcWideReq20 start!!\n") );
392 + if (Request.type21.datalen < SIZEOFINT + SIZEOFSHORT)
394 buf += HEADER_SIZE; Request.type21.mode = L4TOL(buf);
395 + bufend = buf + Request.type21.datalen;
396 buf += SIZEOFINT; Request.type21.context = S2TOS(buf);
397 buf += SIZEOFSHORT; Request.type21.dirname = (char *)buf;
398 + if (!memchr(buf, 0, bufend - buf))
400 buf += strlen((char *)buf) + 1;
401 Request.type21.srcdic = (char *)buf;
402 + if (!memchr(buf, 0, bufend - buf))
404 buf += strlen((char *)buf) + 1;
405 Request.type21.dstdic = (char *)buf;
406 + if (*(bufend - 1) != 0)
409 ir_debug( Dmsg(10, "req->mode =%d\n", Request.type21.mode) );
410 ir_debug( Dmsg(10, "req->context =%d\n", Request.type21.context) );
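Review bot: `Request.type21.dstdic` on line 405 can be set to `bufend` itself: if the srcdic terminator found by the memchr on line 402 is the last byte of the payload, line 404 advances `buf` to `bufend`, and the test on line 406 then inspects that same srcdic terminator and passes, leaving dstdic pointing one past the request data with no terminator of its own. The two memchr checks above are safe against this because `bufend - buf` becomes 0 and memchr returns NULL, but the last string gets no equivalent length test. Unless lines 407-408 (not shown) handle it, line 406 should read `if (buf >= bufend || *(bufend - 1) != 0)`. The error branches and the end of the function are outside this excerpt.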