master

分支 (13)

标签 (11)

管理

管理

master

openEuler-22.03-LTS-Next

openEuler-22.03-LTS

openEuler-20.03-LTS-SP3

openEuler-20.03-LTS-SP2

openEuler-20.03-LTS-SP1

openEuler-21.09

openEuler-20.03-LTS-Next

openEuler-20.03-LTS

openEuler-21.03

openEuler-20.09

openEuler1.0

openEuler1.0-base

openEuler-22.03-LTS-20220331

openEuler-22.03-LTS-round5

openEuler-22.03-LTS-round3

openEuler-22.03-LTS-round2

openEuler-22.03-LTS-round1

openEuler-20.03-LTS-SP3-release

openEuler-20.03-LTS-SP2-20210624

openEuler-21.03-20210330

openEuler-20.09-20200929

openEuler-20.03-LTS-20200606

openEuler-20.03-LTS-tag

glib2
/
backport-gsocks5proxy-Fix-buffer-over...

From b32727d43d9d11aa017f1f29648ad5019376537c Mon Sep 17 00:00:00 2001
From: Egor Bychin <e.bychin@drweb.com>
Date: Mon, 11 Oct 2021 14:07:01 +0300
Subject: [PATCH] gsocks5proxy: Fix buffer overflow on a really long domain
 name

Conflict:NA
Reference:https://gitlab.gnome.org/GNOME/glib/-/commit/b32727d43d9d11aa017f1f29648ad5019376537c

---
 gio/gsocks5proxy.c | 23 +++++++++++++----------
 1 file changed, 13 insertions(+), 10 deletions(-)

diff --git a/gio/gsocks5proxy.c b/gio/gsocks5proxy.c
index 873db7ea6d..948ac8b8b8 100644
--- a/gio/gsocks5proxy.c
+++ b/gio/gsocks5proxy.c
@@ -328,7 +328,7 @@ set_connect_msg (guint8       *msg,
  *
  * The parser only requires 4 bytes.
  */
-#define SOCKS5_CONN_REP_LEN	  255
+#define SOCKS5_CONN_REP_LEN	  257
 static gboolean
 parse_connect_reply (const guint8 *data, gint *atype, GError **error)
 {
@@ -509,7 +509,7 @@ g_socks5_proxy_connect (GProxy            *proxy,
       guint8 data[SOCKS5_CONN_REP_LEN];
       gint atype;

-      if (!g_input_stream_read_all (in, data, 4, NULL,
+      if (!g_input_stream_read_all (in, data, 4 /* VER, REP, RSV, ATYP */, NULL,
 				    cancellable, error))
 	goto error;

@@ -519,23 +519,26 @@ g_socks5_proxy_connect (GProxy            *proxy,
       switch (atype)
 	{
 	  case SOCKS5_ATYP_IPV4:
-	    if (!g_input_stream_read_all (in, data, 6, NULL,
-					  cancellable, error))
+	    if (!g_input_stream_read_all (in, data,
+					  4 /* IPv4 length */ + 2 /* port */,
+					  NULL, cancellable, error))
 	      goto error;
 	    break;

 	  case SOCKS5_ATYP_IPV6:
-	    if (!g_input_stream_read_all (in, data, 18, NULL,
-					  cancellable, error))
+	    if (!g_input_stream_read_all (in, data,
+					  16 /* IPv6 length */ + 2 /* port */,
+					  NULL, cancellable, error))
 	      goto error;
 	    break;

 	  case SOCKS5_ATYP_DOMAINNAME:
-	    if (!g_input_stream_read_all (in, data, 1, NULL,
-					  cancellable, error))
+	    if (!g_input_stream_read_all (in, data, 1 /* domain name length */,
+					  NULL, cancellable, error))
 	      goto error;
-	    if (!g_input_stream_read_all (in, data, data[0] + 2, NULL,
-					  cancellable, error))
+	    if (!g_input_stream_read_all (in, data,
+					  data[0] /* domain name length */ + 2 /* port */,
+					  NULL, cancellable, error))
 	      goto error;
 	    break;
 	}
--
GitLab