Fix multiple connection handling Denial of Service vulnerability in licq

(CVE-2008-1996). Before this, the application would crash if too many TCP connections are opened.
author: tonnerre <tonnerre@pkgsrc.org> 2008-05-11 04:12:34 +0000
committer: tonnerre <tonnerre@pkgsrc.org> 2008-05-11 04:12:34 +0000
commit: 2b32a72a590ed2ec80dab7c3e28c5889250303d3 (patch)
tree: 16a46a339aab78892ae13709f9c4c8ce4d52bec7 /chat/licq-core
parent: 78764441f34d091b20a712610c93aac5238e717e (diff)
download: pkgsrc-2b32a72a590ed2ec80dab7c3e28c5889250303d3.tar.gz
6 files changed, 126 insertions, 5 deletions
diff --git a/chat/licq-core/Makefile b/chat/licq-core/Makefile
index 944e7930605..7527b5e4765 100644
--- a/chat/licq-core/Makefile
+++ b/chat/licq-core/Makefile
@@ -1,8 +1,9 @@
-# $NetBSD: Makefile,v 1.10 2007/12/22 22:34:22 jdolecek Exp $
+# $NetBSD: Makefile,v 1.11 2008/05/11 04:12:34 tonnerre Exp $
 #
 
 DISTNAME=	licq-1.3.5
 PKGNAME=	${DISTNAME:C/-/-core-/}
+PKGREVISION=	1
 CATEGORIES=	chat
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE:=licq/}
 EXTRACT_SUFX=	.tar.bz2
diff --git a/chat/licq-core/distinfo b/chat/licq-core/distinfo
index 21ea18cd22d..a5705fdf35c 100644
--- a/chat/licq-core/distinfo
+++ b/chat/licq-core/distinfo
@@ -1,12 +1,15 @@
-$NetBSD: distinfo,v 1.12 2008/01/05 21:00:18 rillig Exp $
+$NetBSD: distinfo,v 1.13 2008/05/11 04:12:34 tonnerre Exp $
 
 SHA1 (licq-1.3.5.tar.bz2) = a1059173f36694e6e5ec9ba62ced6e9738807916
 RMD160 (licq-1.3.5.tar.bz2) = 4442f6cb3630d8300e5f128617a522bd2cb863dc
 Size (licq-1.3.5.tar.bz2) = 3260471 bytes
-SHA1 (patch-aa) = 974a65e3483b3438fb3c6c9aaf96aa67e4c60fa6
+SHA1 (patch-aa) = 643c4a7ac8abada0a60eb16f66e845fbb8e8a0e2
+SHA1 (patch-ab) = f6cefc63ebff977300b85eeee4c69694f27a1b04
+SHA1 (patch-ac) = 8bd085b41c37df19b45e772d3b7c2eef9f45490a
 SHA1 (patch-ad) = d53a300e08852c9ad09ec900b46feb2c37129d76
 SHA1 (patch-ae) = cf0ad230f4dcaca9ed1d3f92a4c5e6e131029d68
 SHA1 (patch-af) = 86a99ad96c56f0e53547025a7c5536a01fd2a8b8
+SHA1 (patch-ag) = 57f07955f7710b4ff2d7e453518eb1bdee45a4b5
 SHA1 (patch-ai) = f8cebb4e821a1b648e69135db5dd232a9459773a
 SHA1 (patch-ca) = 36475ac0642e8908a2ae6a8913efa25ba09af1c3
 SHA1 (patch-cb) = 3a4f3f35825207693dc87112899a3e6bb3ec71a0
diff --git a/chat/licq-core/patches/patch-aa b/chat/licq-core/patches/patch-aa
index 2fa7c96cef8..839f452358d 100644
--- a/chat/licq-core/patches/patch-aa
+++ b/chat/licq-core/patches/patch-aa
@@ -1,6 +1,6 @@
-$NetBSD: patch-aa,v 1.1 2005/10/31 18:58:38 tv Exp $
+$NetBSD: patch-aa,v 1.2 2008/05/11 04:12:34 tonnerre Exp $
 
---- include/licq_socket.h.orig	2002-03-20 11:00:54.000000000 -0500
+--- include/licq_socket.h.orig	2006-10-18 10:59:12.000000000 +0200
 +++ include/licq_socket.h
 @@ -6,6 +6,7 @@
  #endif
@@ -10,3 +10,11 @@ $NetBSD: patch-aa,v 1.1 2005/10/31 18:58:38 tv Exp $
  #include <sys/socket.h>
  #include <netinet/in.h>
  #include <arpa/inet.h>
+@@ -250,6 +251,7 @@ public:
+ 
+   fd_set SocketSet()   {  return m_sSockets.SocketSet(); }
+   int LargestSocket()  {  return m_sSockets.Largest(); }
++  unsigned short Num() {  return m_sSockets.Num(); }
+ 
+ protected:
+   CSocketSet m_sSockets;
diff --git a/chat/licq-core/patches/patch-ab b/chat/licq-core/patches/patch-ab
new file mode 100644
index 00000000000..96c62c06fa2
--- /dev/null
+++ b/chat/licq-core/patches/patch-ab
@@ -0,0 +1,47 @@
+$NetBSD: patch-ab,v 1.3 2008/05/11 04:12:34 tonnerre Exp $
+
+--- src/icqd-chat.cpp.orig	2007-09-09 14:05:24.000000000 +0200
++++ src/icqd-chat.cpp
+@@ -23,6 +23,7 @@
+ // Localization
+ #include "gettext.h"
+ 
++#define MAX_CONNECTS  256
+ #define DEBUG_THREADS(x)
+ 
+ 
+@@ -2383,16 +2384,24 @@ void *ChatManager_tep(void *arg)
+         // Connection on the server port ---------------------------------------
+         else if (nCurrentSocket == chatman->chatServer.Descriptor())
+         {
+-          CChatUser *u = new CChatUser;
+-          u->m_pClient = new CChatClient;
+-
+-          chatman->chatServer.RecvConnection(u->sock);
+-          chatman->sockman.AddSocket(&u->sock);
+-          chatman->sockman.DropSocket(&u->sock);
+-
+-          u->state = CHAT_STATE_HANDSHAKE;
+-          chatman->chatUsers.push_back(u);
+-          gLog.Info(tr("%sChat: Received connection.\n"), L_TCPxSTR);
++	  if (chatman->sockman.Num() >= MAX_CONNECTS)
++	  {
++	    // Too many sockets, drop this one
++	    gLog.Warn(tr("%sToo many connected clients, rejecting new connection.\n"), L_WARNxSTR);
++	  }
++	  else
++	  {
++            CChatUser *u = new CChatUser;
++            u->m_pClient = new CChatClient;
++
++            chatman->chatServer.RecvConnection(u->sock);
++            chatman->sockman.AddSocket(&u->sock);
++            chatman->sockman.DropSocket(&u->sock);
++
++            u->state = CHAT_STATE_HANDSHAKE;
++            chatman->chatUsers.push_back(u);
++            gLog.Info(tr("%sChat: Received connection.\n"), L_TCPxSTR);
++	  }
+         }
+ 
+         // Message from connected socket----------------------------------------
diff --git a/chat/licq-core/patches/patch-ac b/chat/licq-core/patches/patch-ac
new file mode 100644
index 00000000000..fa863cf0901
--- /dev/null
+++ b/chat/licq-core/patches/patch-ac
@@ -0,0 +1,36 @@
+$NetBSD: patch-ac,v 1.5 2008/05/11 04:12:34 tonnerre Exp $
+
+--- src/icqd-threads.cpp.orig	2007-09-28 22:11:35.000000000 +0200
++++ src/icqd-threads.cpp
+@@ -23,6 +23,7 @@
+ // Localization
+ #include "gettext.h"
+ 
++#define MAX_CONNECTS  256
+ #define DEBUG_THREADS(x)
+ //#define DEBUG_THREADS(x) gLog.Info(x)
+ 
+@@ -780,8 +781,21 @@ void *MonitorSockets_tep(void *p)
+               TCPSocket *newSocket = new TCPSocket(0);
+               tcp->RecvConnection(*newSocket);
+               gSocketManager.DropSocket(tcp);
+-              gSocketManager.AddSocket(newSocket);
+-              gSocketManager.DropSocket(newSocket);
++
++	      // Make sure we can handle another socket before accepting it
++	      if (gSocketManager.Num() > MAX_CONNECTS)
++	      {
++		// Too many sockets, drop this one
++		char remoteIp[32];
++		gLog.Warn(tr("%sToo many connected sockets, rejecting connection from %s.\n"),
++			L_WARNxSTR, newSocket->RemoteIpStr(remoteIp));
++		delete newSocket;
++	      }
++	      else
++	      {
++                gSocketManager.AddSocket(newSocket);
++                gSocketManager.DropSocket(newSocket);
++	      }
+             }
+           }
+ 
diff --git a/chat/licq-core/patches/patch-ag b/chat/licq-core/patches/patch-ag
new file mode 100644
index 00000000000..c2b76b137ca
--- /dev/null
+++ b/chat/licq-core/patches/patch-ag
@@ -0,0 +1,26 @@
+$NetBSD: patch-ag,v 1.3 2008/05/11 04:12:34 tonnerre Exp $
+
+--- src/socket.cpp.orig	2007-10-15 20:11:50.000000000 +0200
++++ src/socket.cpp
+@@ -817,8 +817,19 @@ void TCPSocket::RecvConnection(TCPSocket
+ {
+   socklen_t sizeofSockaddr = sizeof(struct sockaddr_in);
+ 
+-  newSocket.m_nDescriptor = accept(m_nDescriptor, (struct sockaddr *)&newSocket.m_sRemoteAddr, &sizeofSockaddr);
+-  newSocket.SetLocalAddress();
++  int newDesc = accept(m_nDescriptor, (struct sockaddr *)&newSocket.m_sRemoteAddr, &sizeofSockaddr);
++  if (newDesc < FD_SETSIZE)
++  {
++    newSocket.m_nDescriptor = newDesc;
++    newSocket.SetLocalAddress();
++  }
++  else
++  {
++    gLog.Error(tr("%sCannot accept new connection, too many descriptors in use.\n"), L_ERRORxSTR);
++    close(newDesc);
++
++    // TODO throw an exception, or do something to tell the caller it failed
++  }
+ }
+ 
+ #define m_pSSL ((SSL *) m_p_SSL)
author	tonnerre <tonnerre@pkgsrc.org>	2008-05-11 04:12:34 +0000
committer	tonnerre <tonnerre@pkgsrc.org>	2008-05-11 04:12:34 +0000
commit	2b32a72a590ed2ec80dab7c3e28c5889250303d3 (patch)
tree	16a46a339aab78892ae13709f9c4c8ce4d52bec7 /chat/licq-core
parent	78764441f34d091b20a712610c93aac5238e717e (diff)
download	pkgsrc-2b32a72a590ed2ec80dab7c3e28c5889250303d3.tar.gz