(util_finish): Fix potential vulnerability (IDEF0954).

Sergey Poznyakoff
Commit 1917d2ee ... 1917d2ee74d54f841f09daa2171298ed1a716dfe authored 2005-05-13 09:39:22 +0000 by Sergey Poznyakoff
Showing 1 changed file with 24 additions and 9 deletions
imap4d/util.c
--- a/imap4d/util.c
View file @1917d2e
+++ b/imap4d/util.c
View file @1917d2e
@@ -199,13 +199,14 @@ util_msgset (char *s, size_t ** set, int *n, int isuid)
 	  {
 	    errno = 0;
 	    val = strtoul (s, &s, 10);
-	    if (val == ULONG_MAX && errno == ERANGE)
+	    if ((val == ULONG_MAX && errno == ERANGE) || val > max)
 	      {
 		if (*set)
 		  free (*set);
 		*n = 0;
 		return EINVAL;
 	      }
 	    if (low)
 	      {
 		/* Reverse it. */
@@ -400,26 +401,40 @@ util_out (int rc, const char *format, ...)
 int
 util_finish (struct imap4d_command *command, int rc, const char *format, ...)
 {
-  char *tempbuf = NULL;
+  size_t size;
  char *buf = NULL;
+  char *tempbuf = NULL;
  int new_state;
  int status = 0;
  va_list ap;
+  char *sc = sc2string (rc);
-  asprintf (&tempbuf, "%s %s%s %s\r\n", command->tag, sc2string (rc),
-	    command->name, format);
  va_start (ap, format);
-  vasprintf (&buf, tempbuf, ap);
+  vasprintf (&tempbuf, format, ap);
  va_end (ap);
+  if (!tempbuf)
+    imap4d_bye (ERR_NO_MEM);
+  size = strlen (command->tag) + 1 +
+         strlen (sc) + strlen (command->name) + 1 +
+         strlen (tempbuf) + 1;
+  buf = malloc (size);
  if (!buf)
    imap4d_bye (ERR_NO_MEM);
+  strcpy (buf, command->tag);
+  strcat (buf, " ");
+  strcat (buf, sc);
+  strcat (buf, command->name);
+  strcat (buf, " ");
+  strcat (buf, tempbuf);
+  free (tempbuf);
  if (daemon_param.transcript)
-    syslog (LOG_DEBUG, "sent: %s", buf);
+    syslog (LOG_DEBUG, "sent: %s\r\n", buf);
-  status = stream_sequential_write (ostream, buf, strlen (buf));
+  stream_sequential_write (ostream, buf, strlen (buf));
  free (buf);
-  free (tempbuf);
+  stream_sequential_write (ostream, "\r\n", 2);
  /* Reset the state.  */
  if (rc == RESP_OK)