fixed tftp packet overflow risk

curl · Mar 20, 2006 · 5975229 · 5975229
1 parent 38295e8
commit 5975229
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 8 deletions.
diff --git a/CHANGES b/CHANGES
@@ -6,6 +6,17 @@
 
                                   Changelog
 
+Daniel (16 March 2006)
+- Tor Arntsen provided a RPM spec file for AIX Toolbox, that now is included
+  in the release archive.
+
+Daniel (14 March 2006)
+- David McCreedy fixed:
+
+  a bad SSL error message when OpenSSL certificates are verified fine.
+
+  a missing return code assignment in the FTP code
+
 Daniel (7 March 2006)
 - Markus Koetter filed debian bug report #355715 which identified a problem
   with the multi interface and multi-part formposts. The fix from February

diff --git a/RELEASE-NOTES b/RELEASE-NOTES
@@ -11,25 +11,30 @@ Curl and libcurl 7.15.3
 
 This release includes the following changes:
 
- o 
+ o added docs for --ftp-method and CURLOPT_FTP_FILEMETHOD
 
 This release includes the following bugfixes:
 
+ o TFTP Packet Buffer Overflow Vulnerability:
+   http://curl.haxx.se/docs/adv_20060320.html
+ o properly detecting problems with sending the FTP command USER
+ o wrong error message shown when certificate verification failed
  o multi-part formpost with multi interface crash
  o the CURLFTPSSL_CONTROL setting for CURLOPT_FTP_SSL is acknowledged
- o "SSL: couldn't set callback" is now a less serious problem
+ o "SSL: couldn't set callback" is now treated as a less serious problem
  o Interix build fix
- o fixed "hang" when out of file handles at start
+ o fixed curl "hang" when out of file handles at start
  o prevent FTP uploads to URLs with trailing slash
 
 Other curl-related news since the previous public release:
 
  o pycurl-7.15.2 has been released: http://pycurl.sf.net
+ o http://curl.download.nextag.com/ is a new US curl web mirror!
 
 This release would not have looked like this without help, code, reports and
 advice from friends like these:
 
  Gisle Vanem, Dan Fandrich, Thomas Klausner, Todd Vierling, Peter Heuchert,
- Markus Koetter
+ Markus Koetter, David McCreedy, Tor Arntsen
 
         Thanks! (and sorry if I forgot to mention someone)
diff --git a/lib/tftp.c b/lib/tftp.c
@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2005, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2006, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -271,8 +271,9 @@ static void tftp_send_first(tftp_state_data_t *state, tftp_event_t event)
       /* If we are downloading, send an RRQ */
       state->spacket.event = htons(TFTP_EVENT_RRQ);
     }
-    sprintf((char *)state->spacket.u.request.data, "%s%c%s%c",
-            filename, '\0',  mode, '\0');
+    snprintf((char *)state->spacket.u.request.data,
+             sizeof(state->spacket.u.request.data),
+             "%s%c%s%c", filename, '\0',  mode, '\0');
     sbytes = 4 + (int)strlen(filename) + (int)strlen(mode);
     sbytes = sendto(state->sockfd, (void *)&state->spacket,
                     sbytes, 0,
@@ -533,7 +534,7 @@ CURLcode Curl_tftp_connect(struct connectdata *conn, bool *done)
    * The TFTP code is not portable because it sends C structs directly over
    * the wire.  Since C gives compiler writers a wide latitude in padding and
    * aligning structs, this fails on many architectures (e.g. ARM).
-   * 
+   *
    * The only portable way to fix this is to copy each struct item into a
    * flat buffer and send the flat buffer instead of the struct.  The
    * alternative, trying to get the compiler to eliminate padding bytes