authorTheo de Raadt <deraadt@cvs.openbsd.org>1997-12-18 11:38:11 +0000
committerTheo de Raadt <deraadt@cvs.openbsd.org>1997-12-18 11:38:11 +0000
commit0dceac64d9b19e6df87e8863c31be9c59aaf63ba (patch)
tree4feb48647a0a02c9f3ab2cc8542bd9d2803ec5f2
parent552ab2b4d8558772328f85e1f8295fddc79055b9 (diff)
bitch if attacker tries to make PORT values overflow each other (they cannot anyways, but let him know we are onto him)
-rw-r--r--libexec/ftpd/ftpcmd.y24
1 files changed, 16 insertions, 8 deletions
diff --git a/libexec/ftpd/ftpcmd.y b/libexec/ftpd/ftpcmd.y
index 87e286645f0..b41fddfa71a 100644
--- a/libexec/ftpd/ftpcmd.y
+++ b/libexec/ftpd/ftpcmd.y
@@ -130,6 +130,7 @@ char *fromname;
%type <i> check_login octal_number byte_size
%type <i> struct_code mode_code type_code form_code
%type <s> pathstring pathname password username
+%type <i> host_port
%start cmd_list
@@ -160,11 +161,11 @@ cmd
| PORT check_login SP host_port CRLF
{
if ($2) {
- if (portcheck && (ntohs(data_dest.sin_port) <
+ if ($4 || (portcheck && (ntohs(data_dest.sin_port) <
IPPORT_RESERVED ||
memcmp(&data_dest.sin_addr,
&his_addr.sin_addr,
- sizeof data_dest.sin_addr))) {
+ sizeof data_dest.sin_addr)))) {
usedefault = 1;
reply(500, "Illegal PORT rejected.");
} else {
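Review bot: A rejection triggered by `$4` leaves no server-side trace: the client gets the same `500 Illegal PORT rejected.` as for a reserved port or a foreign address, and nothing in this hunk records the attempt. Since the commit message treats out-of-range octets as a sign of tampering, consider logging the peer before the reply, e.g. `syslog(LOG_NOTICE, "illegal PORT from %s", inet_ntoa(his_addr.sin_addr));`, assuming syslog is already set up in this file (not visible here). Because `$4` is tested ahead of `portcheck`, malformed values are refused even when that option is off; a short comment saying this is intentional would help the next reader. The PORT action continues past the `else`, outside the hunk.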
@@ -603,12 +604,19 @@ host_port
{
char *a, *p;
- data_dest.sin_len = sizeof(struct sockaddr_in);
- data_dest.sin_family = AF_INET;
- p = (char *)&data_dest.sin_port;
- p[0] = $9; p[1] = $11;
- a = (char *)&data_dest.sin_addr;
- a[0] = $1; a[1] = $3; a[2] = $5; a[3] = $7;
+ if ($1 < 0 || $1 > 255 || $3 < 0 || $3 > 255 ||
+ $5 < 0 || $5 > 255 || $7 < 0 || $7 > 255 ||
+ $9 < 0 || $9 > 255 || $11 < 0 || $11 > 255) {
+ $$ = 1;
+ } else {
+ data_dest.sin_len = sizeof(struct sockaddr_in);
+ data_dest.sin_family = AF_INET;
+ p = (char *)&data_dest.sin_port;
+ p[0] = $9; p[1] = $11;
+ a = (char *)&data_dest.sin_addr;
+ a[0] = $1; a[1] = $3; a[2] = $5; a[3] = $7;
+ $$ = 0;
+ }
}
;
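Review bot: The 0..255 test in host_port sees only the already-converted `int` values, so its strength depends on how the lexer turns the digit string into NUMBER, which is outside this hunk. If that conversion is unchecked, a very long digit string might wrap back into range and pass. It is worth confirming that the lexer bounds the token (by length or a checked conversion) and recording that in a comment above the test, e.g. `/* each field must be one octet; NUMBER is assumed already bounded by the lexer */`. On the reject path data_dest keeps whatever an earlier PORT stored, which is safe only because the caller then sets `usedefault = 1`; a one-line comment noting that dependency would keep the two in step. The head of the rule lies above the hunk.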