author | Todd C. Miller <millert@cvs.openbsd.org> | 2004-05-19 15:28:33 +0000 |
committer | Todd C. Miller <millert@cvs.openbsd.org> | 2004-05-19 15:28:33 +0000 |
commit | 068fe7ce0d8439051c1dfbce4623a186e382dc24 (patch) | |
tree | 17daa67d51e79eed880eeb63adaceb8b2eb12e76 /gnu/usr.bin | |
parent | a217dfe274f686a70a37a38ea0c35d72c7219f7b (diff) |
Fix buffer overflow found by Stefan Esser, patch by Derek Robert Price.
Diffstat (limited to 'gnu/usr.bin')
-rw-r--r-- | gnu/usr.bin/cvs/src/server.c | 46 |
1 files changed, 42 insertions, 4 deletions
diff --git a/gnu/usr.bin/cvs/src/server.c b/gnu/usr.bin/cvs/src/server.c
index 3ebdc9968f8..6b9e1f1678c 100644
--- a/gnu/usr.bin/cvs/src/server.c
+++ b/gnu/usr.bin/cvs/src/server.c
@@ -1651,8 +1651,18 @@ serve_unchanged (arg)
 && strncmp (arg, name, cp - name) == 0)
 {
 timefield = strchr (cp + 1, '/') + 1;
- if (*timefield != '=')
+ /* If the time field is not currently empty, then one of
+ * serve_modified, serve_is_modified, & serve_unchanged were
+ * already called for this file. We would like to ignore the
+ * reinvocation silently or, better yet, exit with an error
+ * message, but we just avoid the copy-forward and overwrite the
+ * value from the last invocation instead. See the comment below
+ * for more.
+ */
+ if (*timefield == '/')
 {
+ /* Copy forward one character. Space was allocated for this
+ * already in serve_entry(). */
 cp = timefield + strlen (timefield);
 cp[1] = '\0';
 while (cp > timefield)
@@ -1660,8 +1670,17 @@ serve_unchanged (arg)
 *cp = cp[-1];
 --cp;
 }
- *timefield = '=';
 }
+ /* If *TIMEFIELD wasn't "/", we assume that it was because of
+ * multiple calls to Is-Modified & Unchanged by the client and
+ * just overwrite the value from the last call. Technically, we
+ * should probably either ignore calls after the first or send the
+ * client an error, since the client/server protocol specification
+ * specifies that only one call to either Is-Modified or Unchanged
+ * is allowed, but broken versions of WinCVS & TortoiseCVS rely on
+ * this behavior.
+ */
+ *timefield = '=';
 break;
 }
 }
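Review bot: The `*timefield == '/'` guard, the one-byte copy-forward loop and the nine-line rationale comment added in these two serve_unchanged hunks are repeated verbatim in the serve_is_modified hunks at L13, differing only in the marker character stored into `*timefield`; two copies of an overflow-sensitive shift invite a later edit that fixes one and misses the other. A small static helper taking the marker would reduce each caller to `set_timefield (timefield, '=');` or `set_timefield (timefield, 'M');` and give the "one spare byte allocated in serve_entry()" assumption a single home. The rewrite below preserves the new behaviour exactly: widen the field only when it is empty, otherwise overwrite the previous marker. serve_unchanged starts and ends outside these hunks and serve_entry() is not visible here, so the spare-byte invariant is taken from the added comment rather than checked.
```c
/* Store MARKER ('=' or 'M') in the time field of an Entries line.
 * An empty field ("/") is first widened by one character; the spare
 * byte is assumed to have been allocated in serve_entry().  A field
 * that already holds a marker is simply overwritten, because some
 * clients send Is-Modified/Unchanged more than once for a file. */
static void
set_timefield (timefield, marker)
    char *timefield;
    int marker;
{
    char *cp;

    if (*timefield == '/')
    {
	/* Copy forward one character into the spare byte. */
	cp = timefield + strlen (timefield);
	cp[1] = '\0';
	while (cp > timefield)
	{
	    *cp = cp[-1];
	    --cp;
	}
    }
    *timefield = marker;
}

/* … unchanged: start of serve_unchanged, entry lookup loop … */
	    timefield = strchr (cp + 1, '/') + 1;
	    set_timefield (timefield, '=');
	    break;
/* … unchanged: rest of serve_unchanged … */
```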
@@ -1695,8 +1714,18 @@ serve_is_modified (arg)
 && strncmp (arg, name, cp - name) == 0)
 {
 timefield = strchr (cp + 1, '/') + 1;
- if (!(timefield[0] == 'M' && timefield[1] == '/'))
+ /* If the time field is not currently empty, then one of
+ * serve_modified, serve_is_modified, & serve_unchanged were
+ * already called for this file. We would like to ignore the
+ * reinvocation silently or, better yet, exit with an error
+ * message, but we just avoid the copy-forward and overwrite the
+ * value from the last invocation instead. See the comment below
+ * for more.
+ */
+ if (*timefield == '/')
 {
+ /* Copy forward one character. Space was allocated for this
+ * already in serve_entry(). */
 cp = timefield + strlen (timefield);
 cp[1] = '\0';
 while (cp > timefield)
@@ -1704,8 +1733,17 @@ serve_is_modified (arg)
 *cp = cp[-1];
 --cp;
 }
- *timefield = 'M';
 }
+ /* If *TIMEFIELD wasn't "/", we assume that it was because of
+ * multiple calls to Is-Modified & Unchanged by the client and
+ * just overwrite the value from the last call. Technically, we
+ * should probably either ignore calls after the first or send the
+ * client an error, since the client/server protocol specification
+ * specifies that only one call to either Is-Modified or Unchanged
+ * is allowed, but broken versions of WinCVS & TortoiseCVS rely on
+ * this behavior.
+ */
+ *timefield = 'M';
 if (kopt != NULL)
 {
 if (alloc_pending (strlen (name) + 80)) |
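Review bot: The "Copy forward one character" comment in the first serve_is_modified hunk says the space was allocated in serve_entry() but not why the shift can no longer overrun it: the loop writes `timefield[1]` through `timefield[len+1]`, one byte past the old terminator, so a single spare byte is enough only because this branch runs at most once per entry, which the `*timefield == '/'` test guarantees since afterwards the field holds 'M' or '='. I would make that explicit next to the loop, e.g. `/* Runs at most once per entry: afterwards *timefield is 'M' or '=', never '/', so the single spare byte from serve_entry() is never consumed twice. */`, and the same comment belongs in the serve_unchanged hunk at L12. This assumes serve_modified, which the comment names, does not reset the field to '/'; that code is not in the hunk. serve_is_modified begins before and continues after these hunks.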