author | tonnerre <tonnerre> | 2008-03-22 14:52:21 +0000 |
---|---|---|
committer | tonnerre <tonnerre> | 2008-03-22 14:52:21 +0000 |
commit | b199e953f8b8b4a0337fe30995761de191c5acee (patch) | |
tree | c1147226d2340b509b790092e5923a31e30c0ac5 | |
parent | df6a38fcfeadd932dd08da2ed79483b6a08641da (diff) | |
Location header buffer overflow fix for nagios-plugins-1.4.3
check_http (CVE-2007-5198)
Approved-by: gdt
-rw-r--r-- | net/nagios-plugins/Makefile | 6 | ||||
-rw-r--r-- | net/nagios-plugins/distinfo | 3 | ||||
-rw-r--r-- | net/nagios-plugins/patches/patch-aa | 100 |
3 files changed, 105 insertions, 4 deletions
diff --git a/net/nagios-plugins/Makefile b/net/nagios-plugins/Makefile index 32a39957ea6..f6b8069b597 100644 --- a/net/nagios-plugins/Makefile +++ b/net/nagios-plugins/Makefile @@ -1,10 +1,10 @@ -# $NetBSD: Makefile,v 1.12 2008/01/18 05:08:45 tnn Exp $ +# $NetBSD: Makefile,v 1.13 2008/03/22 14:52:21 tonnerre Exp $ # -PKGREVISION= 4 +PKGREVISION= 5 CATEGORIES= net sysutils -MAINTAINER= pkgsrc-users@NetBSD.org +MAINTAINER= tonnerre@NetBSD.org HOMEPAGE= http://sourceforge.net/projects/nagiosplug/ COMMENT= Nagios plugins diff --git a/net/nagios-plugins/distinfo b/net/nagios-plugins/distinfo index d259ee95360..cea411a62e0 100644 --- a/net/nagios-plugins/distinfo +++ b/net/nagios-plugins/distinfo @@ -1,8 +1,9 @@ -$NetBSD: distinfo,v 1.4 2007/03/30 05:52:37 grant Exp $ +$NetBSD: distinfo,v 1.5 2008/03/22 14:52:21 tonnerre Exp $ SHA1 (nagios-plugins-1.4.3.tar.gz) = c26fc2f31d7579c3a8174dcd1965046c4b1c8d37 RMD160 (nagios-plugins-1.4.3.tar.gz) = bc1d4f8cddd481775c514758a462fe533e01e846 Size (nagios-plugins-1.4.3.tar.gz) = 1257775 bytes +SHA1 (patch-aa) = b0db6110edb7e75121bbee7c996e36454e820a41 SHA1 (patch-ab) = 1bcd6ddd5ef77c4ab726de4d6ac0a50fd525fa47 SHA1 (patch-ad) = 2b88b23b790b454cb1f5e2dc1b6735a43534834c SHA1 (patch-ae) = c22cbbaece4c9145356f96abd9d72192c226b19f diff --git a/net/nagios-plugins/patches/patch-aa b/net/nagios-plugins/patches/patch-aa new file mode 100644 index 00000000000..479b56fb232 --- /dev/null +++ b/net/nagios-plugins/patches/patch-aa 
@@ -0,0 +1,100 @@
+$NetBSD: patch-aa,v 1.1 2008/03/22 14:52:21 tonnerre Exp $
+
+--- plugins/check_http.c.orig 2006-04-05 09:58:27.000000000 +0200
++++ plugins/check_http.c
+@@ -34,7 +34,8 @@ const char *email = "nagiosplug-devel@li
+ enum {
+ MAX_IPV4_HOSTLENGTH = 255,
+ HTTP_PORT = 80,
+- HTTPS_PORT = 443
++ HTTPS_PORT = 443,
++ MAX_PORT = 65535
+ };
+ 
+ #ifdef HAVE_SSL
+@@ -1043,14 +1044,14 @@ check_http (void)
+ 
+ /* per RFC 2396 */
+ #define HDR_LOCATION "%*[Ll]%*[Oo]%*[Cc]%*[Aa]%*[Tt]%*[Ii]%*[Oo]%*[Nn]: "
+-#define URI_HTTP "%[HTPShtps]://"
+-#define URI_HOST "%[-.abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]"
+-#define URI_PORT ":%[0123456789]"
++#define URI_HTTP "%5[HTPShtps]"
++#define URI_HOST "%255[-.abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]"
++#define URI_PORT "%6d" /* MAX_PORT's width is 5 chars, 6 to detect overflow */
+ #define URI_PATH "%[-_.!~*'();/?:@&=+$,%#abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]"
+-#define HD1 URI_HTTP URI_HOST URI_PORT URI_PATH
+-#define HD2 URI_HTTP URI_HOST URI_PATH
+-#define HD3 URI_HTTP URI_HOST URI_PORT
+-#define HD4 URI_HTTP URI_HOST
++#define HD1 URI_HTTP "://" URI_HOST ":" URI_PORT "/" URI_PATH
++#define HD2 URI_HTTP "://" URI_HOST "/" URI_PATH
++#define HD3 URI_HTTP "://" URI_HOST ":" URI_PORT
++#define HD4 URI_HTTP "://" URI_HOST
+ #define HD5 URI_PATH
+ 
+ void
+@@ -1061,7 +1062,6 @@ redir (char *pos, char *status_line)
+ char xx[2];
+ char type[6];
+ char *addr;
+- char port[6];
+ char *url;
+ 
+ addr = malloc (MAX_IPV4_HOSTLENGTH + 1);
+@@ -1093,10 +1093,8 @@ redir (char *pos, char *status_line)
+ die (STATE_UNKNOWN, _("could not allocate url\n"));
+ 
+ /* URI_HTTP, URI_HOST, URI_PORT, URI_PATH */
+- if (sscanf (pos, HD1, type, addr, port, url) == 4) {
++ if (sscanf (pos, HD1, type, addr, &i, url) == 4)
+ use_ssl = server_type_check (type);
+- i = atoi (port);
+- }
+ 
+ /* URI_HTTP URI_HOST URI_PATH */
+ else if (sscanf (pos, HD2, type, addr, url) == 3 ) {
+@@ -1105,10 +1103,9 @@ redir (char *pos, char *status_line)
+ }
+ 
+ /* URI_HTTP URI_HOST URI_PORT */
+- else if(sscanf (pos, HD3, type, addr, port) == 3) {
++ else if(sscanf (pos, HD3, type, addr, &i) == 3) {
+ strcpy (url, HTTP_URL);
+ use_ssl = server_type_check (type);
+- i = atoi (port);
+ }
+ 
+ /* URI_HTTP URI_HOST */
+@@ -1154,7 +1151,6 @@ redir (char *pos, char *status_line)
+ _("WARNING - redirection creates an infinite loop - %s://%s:%d%s%s\n"),
+ type, addr, i, url, (display_html ? "</A>" : ""));
+ 
+- server_port = i;
+ strcpy (server_type, type);
+ 
+ free (host_name);
+@@ -1164,7 +1160,22 @@ redir (char *pos, char *status_line)
+ server_address = strdup (addr);
+ 
+ free (server_url);
+- server_url = strdup (url);
++ if ((url[0] == '/'))
++ server_url = strdup (url);
++ else if (asprintf(&server_url, "/%s", url) == -1)
++ die (STATE_UNKNOWN, _("HTTP UNKNOWN - Could not allocate server_url%s\n"),
++ display_html ? "</A>" : "");
++ free(url);
++
++ if ((server_port = i) > MAX_PORT)
++ die (STATE_UNKNOWN,
++ _("HTTP UNKNOWN - Redirection to port above %d - %s://%s:%d%s%s\n"),
++ MAX_PORT, server_type, server_address, server_port, server_url,
++ display_html ? "</A>" : "");
++
++ if (verbose)
++ printf ("Redirection to %s://%s:%d%s\n", server_type, server_address,
++ server_port, server_url);
+ 
+ check_http ();
+ }
|
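Review bot: The new `URI_PORT "%6d"` conversion accepts a leading sign, while the range check added near the end of redir(), `if ((server_port = i) > MAX_PORT)`, only rejects values above 65535. A negative port in a Location header therefore passes validation, which the old digit-only scanset did not admit. I would bound both sides in the same statement, `if ((server_port = i) < 0 || server_port > MAX_PORT)`, and reword the message to say "outside 0-%d" or similar. Separately, `URI_PATH` is the one conversion still left without a field width, so writes into `url` rely entirely on how that buffer is sized; its allocation is outside the hunks shown and should be confirmed to cover the rest of the header line. redir() begins and ends outside these hunks, including the declaration of `i`, which is presumably an `int` given the `%d` conversion.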