8bbc4a49 PG |
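--- a/lha-114i/src/header.c
+++ b/lha-114i/src/header.c
@@ -538,6 +538,10 @@
 /*
 * filename
 */
+ if (header_size >= 256) {
+ fprintf(stderr, "Possible buffer overflow hack attack, type #1\n");
+ exit(109);
+ }
 for (i = 0; i < header_size - 3; i++)
 hdr->name[i] = (char) get_byte();
 hdr->name[header_size - 3] = '\0';
@@ -547,6 +551,10 @@
 /*
 * directory
 */
+ if (header_size >= FILENAME_LENGTH) {
+ fprintf(stderr, "Possible buffer overflow hack attack, type #2\n");
+ exit(110);
+ }
 for (i = 0; i < header_size - 3; i++)
 dirname[i] = (char) get_byte();
 dirname[header_size - 3] = '\0';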
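Review bot: Both added checks bound header_size only from above, yet the lines right after them index with `header_size - 3`; a value below 3 would make `hdr->name[header_size - 3] = '\0'` (and the matching `dirname[...]` store in the second hunk) land outside the buffer. header_size's declaration is not in the hunk, so whether the subtraction goes negative or wraps is inferred, but either way a lower bound belongs in the guard: `if (header_size < 3 || header_size >= 256) {`. The first hunk also hard-codes 256 where the second uses FILENAME_LENGTH, and neither buffer's declared size is visible here; tying each limit to its destination, e.g. `sizeof(hdr->name)` if that is an array, would keep the check from drifting away from the buffer. The enclosing function starts and ends outside both hunks.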
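--- a/lha-114i/src/lhext.c
+++ b/lha-114i/src/lhext.c
@@ -190,8 +190,13 @@
 q = (char *) rindex(hdr->name, '/') + 1;
 }
 else {
+ if (is_directory_traversal(q)) {
+ fprintf(stderr, "Possible directory traversal hack attempt in %s\n", q);
+ exit(111);
+ }
+
 if (*q == '/') {
- q++;
+ while (*q == '/') { q++; }
 /*
 * if OSK then strip device name
 */
@@ -419,6 +424,33 @@
 return;
 }
 
+int
+is_directory_traversal(char *string)
+{
+ unsigned int type = 0; /* 0 = new, 1 = only dots, 2 = other chars than dots */
+ char *temp;
+
+ temp = string;
+
+ while (*temp != 0) {
+ if (temp[0] == '/') {
+ if (type == 1) { return 1; }
+ type = 0;
+ temp++;
+ continue;
+ }
+
+ if ((temp[0] == '.') && (type < 2))
+ type = 1;
+ if (temp[0] != '.')
+ type = 2;
+
+ temp++;
+ } /* while */
+
+ return (type == 1);
+}
+
 /* Local Variables: */
 /* mode:c */
 /* tab-width:4 */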
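Review bot: is_directory_traversal() is called in the hunk at line 190 but defined only in the hunk at line 424, and no prototype is visible in this patch, so the call may rely on an implicit declaration; add `int is_directory_traversal(char *string);` above the first use unless a header already declares it. The function also has no comment stating its contract, and the contract is broader than the name suggests: it returns 1 for any '/'-separated component made up solely of dots, so `./name` and `...` end extraction with exit(111) just as `..` does. If that strictness is intended, document it, e.g. `/* returns 1 if any path component consists only of dots (".", "..", "...") */`. Since the argument is only read, `const char *` would be the more accurate parameter type. The code around the call in the first hunk starts and ends outside the hunk.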