Bugzilla – Attachment 47461 Details for
Bug 85842
VUL-0: CVE-2006-5639: AUDIT-0: OpenWBEM
[patch]
new patch
openwbem.security.patch (text/plain), 7.57 KB, created by
Bart Whiteley
on 2005-08-24 20:02:51 UTC
Description:
new patch
Filename:
MIME Type:
Creator:
Bart Whiteley
Created:
2005-08-24 20:02:51 UTC
Size:
7.57 KB
patch
obsolete
>--- ./src/http/client/OW_HTTPClient.cpp.orig 2005-08-23 12:24:23.000000000 -0600
>+++ ./src/http/client/OW_HTTPClient.cpp 2005-08-23 15:00:25.000000000 -0600
>@@ -922,8 +922,8 @@
> }
> else if (headerHasKey("Content-Length"))
> {
>- rval = new HTTPLenLimitIStream(m_istr,
>- getHeaderValue("Content-Length").toInt32());
>+ UInt64 clen = getHeaderValue("Content-Length").toUInt64();
>+ rval = new HTTPLenLimitIStream(m_istr,clen);
> }
> if (getHeaderValue("Content-Encoding").equalsIgnoreCase("deflate"))
> {
>--- ./src/http/common/OW_HTTPChunkedIStream.cpp.orig 2005-08-23 12:27:32.000000000 -0600
>+++ ./src/http/common/OW_HTTPChunkedIStream.cpp 2005-08-23 15:59:46.000000000 -0600
>@@ -48,7 +48,7 @@
> HTTPChunkedIStreamBuffer::HTTPChunkedIStreamBuffer(istream& istr,
> HTTPChunkedIStream* chunker)
> : BaseStreamBuffer(HTTP_BUF_SIZE, "in"), m_istr(istr),
>- m_inLen(-1), m_inPos(0), m_isEOF(false), m_pChunker(chunker)
>+ m_inLen(0), m_inPos(0), m_isEOF(false), m_pChunker(chunker)
> {
> }
> //////////////////////////////////////////////////////////////////////////////
>@@ -59,16 +59,17 @@
> int
> HTTPChunkedIStreamBuffer::buffer_from_device(char* c, int n)
> {
>- if (m_isEOF)
>+ if (m_isEOF || n < 0)
> {
> return -1;
> }
>- int tmpInLen = 0;
>- int offset = 0;
>- int lastRead = 0;
>- while (offset < n && m_istr.good())
>+ unsigned int un = n;
>+ unsigned int tmpInLen = 0;
>+ unsigned int offset = 0;
>+ unsigned int lastRead = 0;
>+ while (offset < un && m_istr.good())
> {
>- if (m_inLen == -1)
>+ if (m_inLen == 0)
> {
> m_istr >> std::hex >> m_inLen >> std::dec;
> if (m_istr.fail() || m_istr.bad())
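Review bot: In the `@@ -59,16 +59,17 @@` hunk of OW_HTTPChunkedIStream.cpp the chunk size is now extracted with `m_istr >> std::hex >> m_inLen` into an `unsigned int`, and formatted extraction into an unsigned type can, depending on the standard library, accept a leading `-` and wrap the value instead of setting failbit. The copy stays bounded by `un - offset`, so this is a framing problem rather than an overflow: a peer-supplied size such as `-1` may be treated as a very large chunk. Checking that the first non-whitespace character is a hex digit before the extraction would close it, e.g. `m_istr >> std::ws; if (!isxdigit(m_istr.peek())) { /* same handling as the fail()/bad() check */ }`. The body of buffer_from_device continues past this hunk, so the error branch itself is not visible here.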
>@@ -85,22 +86,22 @@
> m_inPos = 0;
> if (m_inLen == 0)
> {
>- m_inLen = -1; // reset the state
>+ // reset the state
> m_isEOF = true;
> m_pChunker->buildTrailerMap(); // build the trailer map
> return offset;
> }
> }
> // min of (n - offset) and (m_inLen - m_inPos)
>- tmpInLen = ((n - offset) < (m_inLen - m_inPos)) ? (n - offset)
>+ tmpInLen = ((un - offset) < (m_inLen - m_inPos)) ? (un - offset)
> : (m_inLen - m_inPos);
> m_istr.read(c + offset, tmpInLen);
>- lastRead = m_istr.gcount();
>+ lastRead = m_istr.gcount();
> offset += lastRead;
> m_inPos += lastRead;
> if (m_inPos == m_inLen)
> {
>- m_inLen = -1;
>+ m_inLen = 0;
> m_inPos = 0;
> // don't need to skip trailing \r\n, because formatted input will
> // skip it.
>@@ -117,7 +118,7 @@
> HTTPChunkedIStreamBuffer::resetInput()
> {
> initGetBuffer();
>- m_inLen = -1;
>+ m_inLen = 0;
> m_inPos = 0;
> m_isEOF = false;
> }
>--- ./src/http/common/OW_HTTPLenLimitIStream.hpp.orig 2005-08-23 12:42:08.000000000 -0600
>+++ ./src/http/common/OW_HTTPLenLimitIStream.hpp 2005-08-23 12:45:11.000000000 -0600
>@@ -47,22 +47,22 @@
> class OW_HTTP_API HTTPLengthLimitStreamBuffer : public BaseStreamBuffer
> {
> public:
>- HTTPLengthLimitStreamBuffer(std::istream& istr, Int64 length);
>+ HTTPLengthLimitStreamBuffer(std::istream& istr, UInt64 length);
> virtual ~HTTPLengthLimitStreamBuffer();
> /**
> * sets the Len to a new value,
> * sets m_pos to zero, and m_isEnd to false
> */
>- void resetLen(Int64 len);
>+ void resetLen(UInt64 len);
> protected:
> virtual int buffer_from_device(char* c, int n);
> private:
> std::istream& m_istr;
>
> // holds the content length.
>- Int64 m_length;
>+ UInt64 m_length;
> // keeps track of how much we've read.
>- Int64 m_pos;
>+ UInt64 m_pos;
> // keeps track if we are at end of length.
> bool m_isEnd;
> // prohibit copying and assigning
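Review bot: The added line `// reset the state` in the `@@ -85,22 +86,22 @@` hunk no longer describes anything, because the assignment it annotated was removed and `m_inLen` is already 0 on that path. After this change 0 stands for both "no chunk in progress, read the next size" and "terminating chunk seen", and only `m_isEOF` tells the two apart. A comment such as `// m_inLen == 0 means between chunks; the terminating zero-size chunk is recorded in m_isEOF` would make that explicit. The constructor (`@@ -48,7 +48,7 @@`) and resetInput (`@@ -117,7 +118,7 @@`) hunks rely on the same convention.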
>@@ -75,7 +75,7 @@
> class OW_HTTP_API HTTPLenLimitIStreamBase
> {
> public:
>- HTTPLenLimitIStreamBase(std::istream& istr, Int64 length)
>+ HTTPLenLimitIStreamBase(std::istream& istr, UInt64 length)
> : m_strbuf(istr, length) {}
> HTTPLengthLimitStreamBuffer m_strbuf;
> };
>@@ -91,12 +91,12 @@
> * @param istr the original istream
> * @param len the number of bytes to read before setting EOF.
> */
>- HTTPLenLimitIStream(std::istream& istr, Int64 len);
>+ HTTPLenLimitIStream(std::istream& istr, UInt64 len);
> /**
> * Clear the EOF bit, and set the new length to len
> * @param len the new length to read before (re)setting EOF
> */
>- void resetLen(Int64 len);
>+ void resetLen(UInt64 len);
> private:
> std::istream& m_istr;
>
>--- ./src/http/common/OW_HTTPChunkedIStream.hpp.orig 2005-08-23 15:34:20.000000000 -0600
>+++ ./src/http/common/OW_HTTPChunkedIStream.hpp 2005-08-23 15:59:58.000000000 -0600
>@@ -56,8 +56,8 @@
> ~HTTPChunkedIStreamBuffer();
> private:
> std::istream& m_istr;
>- int m_inLen;
>- int m_inPos;
>+ unsigned int m_inLen;
>+ unsigned int m_inPos;
> bool m_isEOF;
> virtual int buffer_from_device(char* c, int n);
> HTTPChunkedIStream* m_pChunker;
>--- ./src/http/common/OW_HTTPLenLimitIStream.cpp.orig 2005-08-23 12:26:21.000000000 -0600
>+++ ./src/http/common/OW_HTTPLenLimitIStream.cpp 2005-08-23 14:45:03.000000000 -0600
>@@ -41,7 +41,7 @@
>
> using std::istream;
> HTTPLengthLimitStreamBuffer::HTTPLengthLimitStreamBuffer(
>- istream& istr, Int64 length)
>+ istream& istr, UInt64 length)
> : BaseStreamBuffer(2048, "in"), m_istr(istr),
> m_length(length), m_pos(0), m_isEnd(false)
> // 2048 is a nice power of 2 that should be more than enough to hold most
>@@ -56,12 +56,13 @@
> int
> HTTPLengthLimitStreamBuffer::buffer_from_device(char* c, int n)
> {
>- if (m_isEnd)
>+ if (m_isEnd || n < 0)
> {
> return -1;
> }
>+ unsigned int un = n;
> // min of n and (length - pos)
>- int tmpInLen = (n < (m_length - m_pos)) ? n : (m_length - m_pos);
>+ int tmpInLen = (un < (m_length - m_pos)) ? un : (m_length - m_pos);
> m_istr.read(c, tmpInLen);
> int lastRead = m_istr.gcount();
> m_pos += lastRead;
>@@ -73,7 +74,7 @@
> }
> //////////////////////////////////////////////////////////////////////////////
> void
>-HTTPLengthLimitStreamBuffer::resetLen(Int64 len)
>+HTTPLengthLimitStreamBuffer::resetLen(UInt64 len)
> {
> initGetBuffer();
> m_length = len;
>@@ -82,13 +83,13 @@
> }
> //////////////////////////////////////////////////////////////////////////////
> void
>-HTTPLenLimitIStream::resetLen(Int64 len)
>+HTTPLenLimitIStream::resetLen(UInt64 len)
> {
> clear();
> m_strbuf.resetLen(len);
> }
> //////////////////////////////////////////////////////////////////////////////
>-HTTPLenLimitIStream::HTTPLenLimitIStream(istream& istr, Int64 len)
>+HTTPLenLimitIStream::HTTPLenLimitIStream(istream& istr, UInt64 len)
> : HTTPLenLimitIStreamBase(istr, len)
> , CIMProtocolIStreamIFC(&m_strbuf)
> , m_istr(istr)
>--- ./src/services/http/OW_HTTPSvrConnection.cpp.orig 2005-08-23 14:49:42.000000000 -0600
>+++ ./src/services/http/OW_HTTPSvrConnection.cpp 2005-08-23 14:53:34.000000000 -0600
>@@ -767,6 +767,11 @@
> if (!cLen.empty())
> {
> m_contentLength = cLen.toInt64();
>+ if (m_contentLength < 0)
>+ {
>+ m_errDetails = "Bad (negative) Content-Length";
>+ return SC_BAD_REQUEST;
>+ }
> }
> }
> // POST or M_POST, no chunking: test for content length
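Review bot: `tmpInLen` and `lastRead` stay `int` in the `@@ -56,12 +56,13 @@` hunk while the ternary that initialises `tmpInLen` now mixes `un` with the UInt64 difference `m_length - m_pos`, so the result is narrowed implicitly. The value fits because it is the smaller of the two and `un` cannot exceed INT_MAX after the `n < 0` guard, but that reasoning is not written down, and the chunked-stream counterpart of this function moved its locals to unsigned. Adding `// bounded by un <= INT_MAX, so narrowing to int is safe` above the assignment, or declaring the local unsigned with an explicit cast on the `m_length - m_pos` arm, would keep the two implementations consistent. The tail of the function lies outside the hunk.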
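Review bot: Only a negative result is rejected after `cLen.toInt64()` in the `@@ -767,6 +767,11 @@` hunk; what toInt64() yields for non-numeric or out-of-range header text is not visible here, and if it returns 0 or a clamped value rather than signalling an error, a malformed Content-Length would pass this check. No upper limit on the declared body size appears in the hunk either, so any such limit would have to be enforced elsewhere. A comment recording the assumption, for example `// toInt64() is expected to reject non-numeric input; only the sign is checked here`, or an explicit digits-only check on `cLen` before the conversion, would make the contract clear. The enclosing function begins and ends outside the hunk.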
>@@ -1228,7 +1233,7 @@
> }
> else if (m_contentLength > 0)
> {
>- rval = new HTTPLenLimitIStream(istr, m_contentLength);
>+ rval = new HTTPLenLimitIStream(istr, UInt64(m_contentLength));
> }
> else
> {
>--- ./src/xml/OW_XMLUnescape.cpp.orig 2005-08-23 12:28:46.000000000 -0600
>+++ ./src/xml/OW_XMLUnescape.cpp 2005-08-23 14:46:57.000000000 -0600
>@@ -229,7 +229,7 @@
> #line 80
> {
> long lval = strtol( thisTokStart + 2, NULL, 10 );
>- if (lval > CHAR_MAX)
>+ if (lval > CHAR_MAX || lval < 0)
> {
> OW_THROWXML(XMLParseException::MALFORMED_REFERENCE, Format("XML escape code in unsupported range: %1", YYCURSOR - 1).c_str());
> }
>@@ -258,7 +258,7 @@
> #line 69
> {
> long lval = strtol( thisTokStart + 3, NULL, 16 );
>- if (lval > CHAR_MAX)
>+ if (lval > CHAR_MAX || lval < 0)
> {
> OW_THROWXML(XMLParseException::MALFORMED_REFERENCE, Format("XML escape code in unsupported range: %1", YYCURSOR - 1).c_str());
> }
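Review bot: A value of 0 still passes the new range test `lval > CHAR_MAX || lval < 0` in the `@@ -229,7 +229,7 @@` hunk of OW_XMLUnescape.cpp, and in the identical hexadecimal case in `@@ -258,7 +258,7 @@`, so a character reference to code point 0, which XML does not permit, would presumably become an embedded NUL in the unescaped text. Changing the test to `if (lval > CHAR_MAX || lval <= 0)` would reject it in both places. `strtol` is also called with a NULL end pointer, so trailing non-digits would go unnoticed here, although the scanner pattern outside the hunk may already restrict the token. The `#line` directives suggest the file is generated, so the same change likely belongs in the scanner source or it will be lost on regeneration.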
Attachments on
bug 85842
:
38088
|
39970
|
45841
| 47461