fix: prevent segfault if malicious server sends 1 GB of data through ftpNLST.

fix: rpmal could segfault under obscure conditions. Use array, not individual structures, for rpmsw{Enter,Exit} timestamps. CVS patchset: 6735 CVS date: 2003/04/08 21:42:55
author: jbj <devnull@localhost> 2003-04-08 21:42:55 +0000
committer: jbj <devnull@localhost> 2003-04-08 21:42:55 +0000
commit: 783219a8325bca538d21c367f9c523a79dbcb011 (patch)
tree: 4ae43dc0fa37c05931ff370a09f05fcfb14a1e21 /rpmio
parent: f60ec855de0d6bfd29325fcb73b2901780e72e3d (diff)
download: librpm-tizen-783219a8325bca538d21c367f9c523a79dbcb011.tar.gz
librpm-tizen-783219a8325bca538d21c367f9c523a79dbcb011.tar.bz2
librpm-tizen-783219a8325bca538d21c367f9c523a79dbcb011.zip
4 files changed, 46 insertions, 20 deletions
diff --git a/rpmio/rpmio_internal.h b/rpmio/rpmio_internal.h
index 2be3ceb8b..505c6da69 100644
--- a/rpmio/rpmio_internal.h
+++ b/rpmio/rpmio_internal.h
@@ -104,14 +104,14 @@ typedef struct _FDSTACK_s {
 /** \ingroup rpmio
  * Identify per-desciptor I/O operation statistics.
  */
-enum FDSTAT_e {
+typedef enum fdOpX_e {
     FDSTAT_READ		= 0,	/*!< Read statistics index. */
     FDSTAT_WRITE	= 1,	/*!< Write statistics index. */
     FDSTAT_SEEK		= 2,	/*!< Seek statistics index. */
     FDSTAT_CLOSE	= 3,	/*!< Close statistics index */
     FDSTAT_DIGEST	= 4,	/*!< Digest statistics index. */
     FDSTAT_MAX		= 5
-};
+} fdOpX;
 
 /** \ingroup rpmio
  * Cumulative statistics for a descriptor.
@@ -346,7 +346,8 @@ void fdPush(FD_t fd, FDIO_t io, void * fp, int fdno)
 
 /** \ingroup rpmio
  */
-/*@unused@*/ static inline void fdPop(FD_t fd)
+/*@unused@*/ static inline
+void fdPop(FD_t fd)
 	/*@modifies fd @*/
 {
     FDSANE(fd);
@@ -359,16 +360,29 @@ void fdPush(FD_t fd, FDIO_t io, void * fp, int fdno)
 
 /** \ingroup rpmio
  */
+/*@unused@*/ static inline /*@null@*/
+rpmop fdstat_op(/*@null@*/ FD_t fd, fdOpX opx)
+	/*@*/
+{
+    rpmop op = NULL;
+
+/*@-boundsread@*/
+    if (fd != NULL && fd->stats != NULL && opx >= 0 && opx < FDSTAT_MAX)
+        op = fd->stats->ops + opx;
+/*@=boundsread@*/
+    return op;
+}
+
+/** \ingroup rpmio
+ */
 /*@unused@*/ static inline
 void fdstat_enter(/*@null@*/ FD_t fd, int opx)
 	/*@globals internalState @*/
-	/*@modifies fd, internalState @*/
+	/*@modifies internalState @*/
 {
     if (fd == NULL) return;
-/*@-boundswrite@*/
     if (fd->stats != NULL)
-	(void) rpmswEnter(&fd->stats->ops[opx], 0);
-/*@=boundswrite@*/
+	(void) rpmswEnter(fdstat_op(fd, opx), 0);
 }
 
 /** \ingroup rpmio
@@ -383,10 +397,8 @@ void fdstat_exit(/*@null@*/ FD_t fd, int opx, ssize_t rc)
 	fd->syserrno = errno;
     else if (rc > 0 && fd->bytesRemain > 0)
 	fd->bytesRemain -= rc;
-/*@-boundswrite@*/
     if (fd->stats != NULL)
-	(void) rpmswExit(&fd->stats->ops[opx], rc);
-/*@=boundswrite@*/
+	(void) rpmswExit(fdstat_op(fd, opx), rc);
 }
 
 /** \ingroup rpmio
@@ -487,7 +499,8 @@ FD_t c2f(/*@null@*/ void * cookie)
  */
 /*@unused@*/ static inline
 void fdInitDigest(FD_t fd, pgpHashAlgo hashalgo, int flags)
-	/*@modifies fd @*/
+	/*@globals internalState @*/
+	/*@modifies fd, internalState @*/
 {
     FDDIGEST_t fddig = fd->digests + fd->ndigests;
     if (fddig != (fd->digests + FDDIGEST_MAX)) {
@@ -504,7 +517,8 @@ void fdInitDigest(FD_t fd, pgpHashAlgo hashalgo, int flags)
  */
 /*@unused@*/ static inline
 void fdUpdateDigests(FD_t fd, const unsigned char * buf, ssize_t buflen)
-	/*@modifies fd @*/
+	/*@globals internalState @*/
+	/*@modifies fd, internalState @*/
 {
     int i;
 
@@ -526,7 +540,8 @@ void fdFiniDigest(FD_t fd, pgpHashAlgo hashalgo,
 		/*@null@*/ /*@out@*/ void ** datap,
 		/*@null@*/ /*@out@*/ size_t * lenp,
 		int asAscii)
-	/*@modifies fd, *datap, *lenp @*/
+	/*@globals internalState @*/
+	/*@modifies fd, *datap, *lenp, internalState @*/
 {
     int imax = -1;
     int i;
diff --git a/rpmio/rpmrpc.c b/rpmio/rpmrpc.c
index de21d8876..9f3be35d7 100644
--- a/rpmio/rpmrpc.c
+++ b/rpmio/rpmrpc.c
@@ -903,6 +903,7 @@ static int ftpNLST(const char * url, ftpSysCall_t ftpSysCall,
 	/* XXX FIXME: realloc ftpBuf if < ~128 chars remain */
 	if ((ftpBufAlloced - bufLength) < (1024+80)) {
 	    ftpBufAlloced <<= 2;
+	    assert(ftpBufAlloced < (8*1024*1024));
 	    ftpBuf = xrealloc(ftpBuf, ftpBufAlloced);
 	}
 	s = se = ftpBuf + bufLength;
diff --git a/rpmio/rpmsw.c b/rpmio/rpmsw.c
index b51a3dc1a..f8b2fc9dc 100644
--- a/rpmio/rpmsw.c
+++ b/rpmio/rpmsw.c
@@ -179,7 +179,6 @@ static rpmtime_t rpmswCalibrate(void)
 /*@=type@*/
 #endif
 
-/*@-incondefs@*/
 rpmtime_t rpmswInit(void)
 	/*@globals rpmsw_cycles, rpmsw_initialized, rpmsw_overhead,
 		rpmsw_type @*/
@@ -228,6 +227,8 @@ rpmtime_t rpmswInit(void)
 
 	/* Compute cycles/usec */
 	rpmsw_cycles = sum_cycles/sum_usecs;
+#else
+	rpmsw_type = 0;
 #endif
 
 	/* Calculate timing overhead in usecs. */
@@ -242,11 +243,13 @@ rpmtime_t rpmswInit(void)
 
     return rpmsw_overhead;
 }
-/*@=incondefs@*/
 
 /*@-mods@*/
 int rpmswEnter(rpmop op, ssize_t rc)
 {
+    if (op == NULL)
+	return 0;
+
     op->count++;
     if (rc < 0) {
 	op->bytes = 0;
@@ -262,6 +265,9 @@ rpmtime_t rpmswExit(rpmop op, ssize_t rc)
 {
     struct rpmsw_s end;
 
+    if (op == NULL)
+	return 0;
+
 /*@-uniondef@*/
     op->usecs += rpmswDiff(rpmswNow(&end), &op->begin);
 /*@=uniondef@*/
@@ -273,22 +279,26 @@ rpmtime_t rpmswExit(rpmop op, ssize_t rc)
 
 rpmtime_t rpmswAdd(rpmop to, rpmop from)
 {
+    rpmtime_t usecs = 0;
     if (to != NULL && from != NULL) {
 	to->count += from->count;
 	to->bytes += from->bytes;
 	to->usecs += from->usecs;
+	usecs = to->usecs;
     }
-    return to->usecs;
+    return usecs;
 }
 
 rpmtime_t rpmswSub(rpmop to, rpmop from)
 {
+    rpmtime_t usecs = 0;
     if (to != NULL && from != NULL) {
 	to->count -= from->count;
 	to->bytes -= from->bytes;
 	to->usecs -= from->usecs;
+	usecs = to->usecs;
     }
-    return to->usecs;
+    return usecs;
 }
 
 /*@=mods@*/
diff --git a/rpmio/rpmsw.h b/rpmio/rpmsw.h
index 8bcedf274..3cae71198 100644
--- a/rpmio/rpmsw.h
+++ b/rpmio/rpmsw.h
@@ -77,7 +77,7 @@ rpmtime_t rpmswInit(void)
  * @param rc			-1 clears usec counter
  * @return			0 always
  */
-int rpmswEnter(rpmop op, ssize_t rc)
+int rpmswEnter(/*@null@*/ rpmop op, ssize_t rc)
 	/*@globals internalState @*/
 	/*@modifies *op, internalState @*/;
 
@@ -87,7 +87,7 @@ int rpmswEnter(rpmop op, ssize_t rc)
  * @param rc			per-operation data (e.g. bytes transferred)
  * @return			cumulative usecs for operation
  */
-rpmtime_t rpmswExit(rpmop op, ssize_t rc)
+rpmtime_t rpmswExit(/*@null@*/ rpmop op, ssize_t rc)
 	/*@globals internalState @*/
 	/*@modifies op, internalState @*/;
 
@@ -97,7 +97,7 @@ rpmtime_t rpmswExit(rpmop op, ssize_t rc)
  * @param from			operation statistics
  * @return			cumulative usecs for operation
  */
-rpmtime_t rpmswAdd(rpmop to, rpmop from)
+rpmtime_t rpmswAdd(/*@null@*/ rpmop to, /*@null@*/ rpmop from)
 	/*@modifies to @*/;
 
 /** \ingroup rpmio
author	jbj <devnull@localhost>	2003-04-08 21:42:55 +0000
committer	jbj <devnull@localhost>	2003-04-08 21:42:55 +0000
commit	783219a8325bca538d21c367f9c523a79dbcb011 (patch)
tree	4ae43dc0fa37c05931ff370a09f05fcfb14a1e21 /rpmio
parent	f60ec855de0d6bfd29325fcb73b2901780e72e3d (diff)
download	librpm-tizen-783219a8325bca538d21c367f9c523a79dbcb011.tar.gz librpm-tizen-783219a8325bca538d21c367f9c523a79dbcb011.tar.bz2 librpm-tizen-783219a8325bca538d21c367f9c523a79dbcb011.zip