From 2b32a72a590ed2ec80dab7c3e28c5889250303d3 Mon Sep 17 00:00:00 2001
From: tonnerre
Date: Sun, 11 May 2008 04:12:34 +0000
Subject: Fix multiple connection handling Denial of Service vulnerability in licq (CVE-2008-1996).

Before this, the application would crash if too many TCP connections are opened.
---
 chat/licq-core/Makefile | 3 ++-
 chat/licq-core/distinfo | 7 ++++--
 chat/licq-core/patches/patch-aa | 12 +++++++++--
 chat/licq-core/patches/patch-ab | 47 +++++++++++++++++++++++++++++++++++++++++
 chat/licq-core/patches/patch-ac | 36 +++++++++++++++++++++++++++++++
 chat/licq-core/patches/patch-ag | 26 +++++++++++++++++++++++
 6 files changed, 126 insertions(+), 5 deletions(-)
 create mode 100644 chat/licq-core/patches/patch-ab
 create mode 100644 chat/licq-core/patches/patch-ac
 create mode 100644 chat/licq-core/patches/patch-ag
(limited to 'chat')

diff --git a/chat/licq-core/Makefile b/chat/licq-core/Makefile
index 944e7930605..7527b5e4765 100644
--- a/chat/licq-core/Makefile
+++ b/chat/licq-core/Makefile
@@ -1,8 +1,9 @@
-# $NetBSD: Makefile,v 1.10 2007/12/22 22:34:22 jdolecek Exp $
+# $NetBSD: Makefile,v 1.11 2008/05/11 04:12:34 tonnerre Exp $
 #
 
 DISTNAME= licq-1.3.5
 PKGNAME= ${DISTNAME:C/-/-core-/}
+PKGREVISION= 1
 CATEGORIES= chat
 MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=licq/}
 EXTRACT_SUFX= .tar.bz2
diff --git a/chat/licq-core/distinfo b/chat/licq-core/distinfo
index 21ea18cd22d..a5705fdf35c 100644
--- a/chat/licq-core/distinfo
+++ b/chat/licq-core/distinfo
@@ -1,12 +1,15 @@
-$NetBSD: distinfo,v 1.12 2008/01/05 21:00:18 rillig Exp $
+$NetBSD: distinfo,v 1.13 2008/05/11 04:12:34 tonnerre Exp $
 
 SHA1 (licq-1.3.5.tar.bz2) = a1059173f36694e6e5ec9ba62ced6e9738807916
 RMD160 (licq-1.3.5.tar.bz2) = 4442f6cb3630d8300e5f128617a522bd2cb863dc
 Size (licq-1.3.5.tar.bz2) = 3260471 bytes
-SHA1 (patch-aa) = 974a65e3483b3438fb3c6c9aaf96aa67e4c60fa6
+SHA1 (patch-aa) = 643c4a7ac8abada0a60eb16f66e845fbb8e8a0e2
+SHA1 (patch-ab) = f6cefc63ebff977300b85eeee4c69694f27a1b04
+SHA1 (patch-ac) = 8bd085b41c37df19b45e772d3b7c2eef9f45490a
 SHA1 (patch-ad) = d53a300e08852c9ad09ec900b46feb2c37129d76
 SHA1 (patch-ae) = cf0ad230f4dcaca9ed1d3f92a4c5e6e131029d68
 SHA1 (patch-af) = 86a99ad96c56f0e53547025a7c5536a01fd2a8b8
+SHA1 (patch-ag) = 57f07955f7710b4ff2d7e453518eb1bdee45a4b5
 SHA1 (patch-ai) = f8cebb4e821a1b648e69135db5dd232a9459773a
 SHA1 (patch-ca) = 36475ac0642e8908a2ae6a8913efa25ba09af1c3
 SHA1 (patch-cb) = 3a4f3f35825207693dc87112899a3e6bb3ec71a0
diff --git a/chat/licq-core/patches/patch-aa b/chat/licq-core/patches/patch-aa
index 2fa7c96cef8..839f452358d 100644
--- a/chat/licq-core/patches/patch-aa
+++ b/chat/licq-core/patches/patch-aa
@@ -1,6 +1,6 @@
-$NetBSD: patch-aa,v 1.1 2005/10/31 18:58:38 tv Exp $
+$NetBSD: patch-aa,v 1.2 2008/05/11 04:12:34 tonnerre Exp $
 
---- include/licq_socket.h.orig 2002-03-20 11:00:54.000000000 -0500
+--- include/licq_socket.h.orig 2006-10-18 10:59:12.000000000 +0200
 +++ include/licq_socket.h
 @@ -6,6 +6,7 @@
 #endif
@@ -10,3 +10,11 @@ $NetBSD: patch-aa,v 1.1 2005/10/31 18:58:38 tv Exp $
 #include
 #include
 #include
+@@ -250,6 +251,7 @@ public:
+
+ fd_set SocketSet() { return m_sSockets.SocketSet(); }
+ int LargestSocket() { return m_sSockets.Largest(); }
++ unsigned short Num() { return m_sSockets.Num(); }
+
+ protected:
+ CSocketSet m_sSockets;
@@ -0,0 +1,47 @@
+$NetBSD: patch-ab,v 1.3 2008/05/11 04:12:34 tonnerre Exp $
+
+--- src/icqd-chat.cpp.orig 2007-09-09 14:05:24.000000000 +0200
++++ src/icqd-chat.cpp
+@@ -23,6 +23,7 @@
+ // Localization
+ #include "gettext.h"
+
++#define MAX_CONNECTS 256
+ #define DEBUG_THREADS(x)
+
+
+@@ -2383,16 +2384,24 @@ void *ChatManager_tep(void *arg)
+ // Connection on the server port ---------------------------------------
+ else if (nCurrentSocket == chatman->chatServer.Descriptor())
+ {
+- CChatUser *u = new CChatUser;
+- u->m_pClient = new CChatClient;
+-
+- chatman->chatServer.RecvConnection(u->sock);
+- chatman->sockman.AddSocket(&u->sock);
+- chatman->sockman.DropSocket(&u->sock);
+-
+- u->state = CHAT_STATE_HANDSHAKE;
+- chatman->chatUsers.push_back(u);
+- gLog.Info(tr("%sChat: Received connection.\n"), L_TCPxSTR);
++ if (chatman->sockman.Num() >= MAX_CONNECTS)
++ {
++ // Too many sockets, drop this one
++ gLog.Warn(tr("%sToo many connected clients, rejecting new connection.\n"), L_WARNxSTR);
++ }
++ else
++ {
++ CChatUser *u = new CChatUser;
++ u->m_pClient = new CChatClient;
++
++ chatman->chatServer.RecvConnection(u->sock);
++ chatman->sockman.AddSocket(&u->sock);
++ chatman->sockman.DropSocket(&u->sock);
++
++ u->state = CHAT_STATE_HANDSHAKE;
++ chatman->chatUsers.push_back(u);
++ gLog.Info(tr("%sChat: Received connection.\n"), L_TCPxSTR);
++ }
+ }
+
+ // Message from connected socket----------------------------------------
diff --git a/chat/licq-core/patches/patch-ac b/chat/licq-core/patches/patch-ac
new file mode 100644
index 00000000000..fa863cf0901
--- /dev/null
+++ b/chat/licq-core/patches/patch-ac
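Review bot: The new rejection branch in the ChatManager_tep hunk never calls `chatman->chatServer.RecvConnection(...)`, so the pending connection is left in the listen backlog and the server descriptor stays readable; the socket loop (presumably select-driven, given the `SocketSet()`/`LargestSocket()` accessors in patch-aa) will keep re-entering this branch and emitting the warning until a slot frees up, which is a busy loop and a log flood rather than a rejection. patch-ac handles the same situation by accepting into a throwaway `TCPSocket` and deleting it, and the same shape works here: `TCPSocket rejected(0); chatman->chatServer.RecvConnection(rejected);` ahead of the `gLog.Warn`, assuming TCPSocket's destructor closes the descriptor, which patch-ac's `delete newSocket` already relies on — verify in socket.cpp. The threshold is `>=` here but `>` in patch-ac; the two limits should agree. ChatManager_tep begins and ends outside the hunk.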
@@ -0,0 +1,36 @@
+$NetBSD: patch-ac,v 1.5 2008/05/11 04:12:34 tonnerre Exp $
+
+--- src/icqd-threads.cpp.orig 2007-09-28 22:11:35.000000000 +0200
++++ src/icqd-threads.cpp
+@@ -23,6 +23,7 @@
+ // Localization
+ #include "gettext.h"
+
++#define MAX_CONNECTS 256
+ #define DEBUG_THREADS(x)
+ //#define DEBUG_THREADS(x) gLog.Info(x)
+
+@@ -780,8 +781,21 @@ void *MonitorSockets_tep(void *p)
+ TCPSocket *newSocket = new TCPSocket(0);
+ tcp->RecvConnection(*newSocket);
+ gSocketManager.DropSocket(tcp);
+- gSocketManager.AddSocket(newSocket);
+- gSocketManager.DropSocket(newSocket);
++
++ // Make sure we can handle another socket before accepting it
++ if (gSocketManager.Num() > MAX_CONNECTS)
++ {
++ // Too many sockets, drop this one
++ char remoteIp[32];
++ gLog.Warn(tr("%sToo many connected sockets, rejecting connection from %s.\n"),
++ L_WARNxSTR, newSocket->RemoteIpStr(remoteIp));
++ delete newSocket;
++ }
++ else
++ {
++ gSocketManager.AddSocket(newSocket);
++ gSocketManager.DropSocket(newSocket);
++ }
+ }
+ }
+
diff --git a/chat/licq-core/patches/patch-ag b/chat/licq-core/patches/patch-ag
new file mode 100644
index 00000000000..c2b76b137ca
--- /dev/null
+++ b/chat/licq-core/patches/patch-ag
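Review bot: The limit check in the MonitorSockets_tep hunk runs only after `tcp->RecvConnection(*newSocket)` has returned, and nothing looks at whether that accept succeeded: on patch-ag's over-FD_SETSIZE path, or when accept() itself fails, `newSocket` still reaches `gSocketManager.AddSocket(newSocket)` carrying whatever descriptor `TCPSocket(0)` left in it. A guard such as `if (newSocket->Descriptor() < 0) { delete newSocket; }` ahead of the limit test, with the limit test becoming its `else if`, would close that gap, provided the constructor initialises the descriptor to a negative sentinel and patch-ag's failure branch leaves it untouched — worth confirming in socket.cpp. Also `gSocketManager.Num() > MAX_CONNECTS` admits one more socket than patch-ab's `>=`, since Num() is read before the add; the two thresholds should match. MonitorSockets_tep begins and ends outside the hunk.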
@@ -0,0 +1,26 @@
+$NetBSD: patch-ag,v 1.3 2008/05/11 04:12:34 tonnerre Exp $
+
+--- src/socket.cpp.orig 2007-10-15 20:11:50.000000000 +0200
++++ src/socket.cpp
+@@ -817,8 +817,19 @@ void TCPSocket::RecvConnection(TCPSocket
+ {
+ socklen_t sizeofSockaddr = sizeof(struct sockaddr_in);
+
+- newSocket.m_nDescriptor = accept(m_nDescriptor, (struct sockaddr *)&newSocket.m_sRemoteAddr, &sizeofSockaddr);
+- newSocket.SetLocalAddress();
++ int newDesc = accept(m_nDescriptor, (struct sockaddr *)&newSocket.m_sRemoteAddr, &sizeofSockaddr);
++ if (newDesc < FD_SETSIZE)
++ {
++ newSocket.m_nDescriptor = newDesc;
++ newSocket.SetLocalAddress();
++ }
++ else
++ {
++ gLog.Error(tr("%sCannot accept new connection, too many descriptors in use.\n"), L_ERRORxSTR);
++ close(newDesc);
++
++ // TODO throw an exception, or do something to tell the caller it failed
++ }
+ }
+
+ #define m_pSSL ((SSL *) m_p_SSL)
-- cgit v1.2.3
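Review bot: `if (newDesc < FD_SETSIZE)` treats a failed accept() as success, because the -1 it returns satisfies the comparison: `newSocket.m_nDescriptor` becomes -1 and `SetLocalAddress()` runs on it. The original code had the same gap, but now that the result is inspected the condition should be `if (newDesc >= 0 && newDesc < FD_SETSIZE)`, with the else branch doing `if (newDesc >= 0) close(newDesc);` so a genuine accept error is not logged as "too many descriptors in use". The FD_SETSIZE bound itself is the right fix for the crash, since the socket manager hands out an `fd_set` through `SocketSet()` and that type cannot represent a larger descriptor. The TODO is not academic — patch-ac's caller adds the socket regardless of outcome — so on failure this function should at least leave `m_nDescriptor` at a recognisable sentinel the caller can test. RecvConnection's signature sits in the nested hunk header, outside the hunk itself.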