Mon May 12 10:47:37 2008 UTC ()
pullup ticket #2372 - requested by tonnerre
licq-core: fix for DoS vulnerability
revisions pulled up:
- pkgsrc/chat/licq-core/Makefile 1.11
- pkgsrc/chat/licq-core/distinfo 1.13
- pkgsrc/chat/licq-core/patches/patch-aa 1.2
- pkgsrc/chat/licq-core/patches/patch-ab 1.3
- pkgsrc/chat/licq-core/patches/patch-ac 1.3
- pkgsrc/chat/licq-core/patches/patch-ag 1.5
Module Name: pkgsrc
Committed By: tonnerre
Date: Sun May 11 04:12:34 UTC 2008
Modified Files:
pkgsrc/chat/licq-core: Makefile distinfo
pkgsrc/chat/licq-core/patches: patch-aa
Added Files:
pkgsrc/chat/licq-core/patches: patch-ab patch-ac patch-ag
Log Message:
Fix multiple connection handling Denial of Service vulnerability in licq
(CVE-2008-1996). Before this, the application would crash if too many
TCP connections were opened.
(rtr)
diff -r1.10 -r1.10.4.1 pkgsrc/chat/licq-core/Makefile
diff -r1.12 -r1.12.2.1 pkgsrc/chat/licq-core/distinfo
diff -r1.1 -r1.1.20.1 pkgsrc/chat/licq-core/patches/patch-aa
diff -r0 -r1.2.4.1 pkgsrc/chat/licq-core/patches/patch-ab
diff -r0 -r1.2.4.1 pkgsrc/chat/licq-core/patches/patch-ag
diff -r0 -r1.4.4.1 pkgsrc/chat/licq-core/patches/patch-ac
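--- a/pkgsrc/chat/licq-core/Attic/Makefile
+++ b/pkgsrc/chat/licq-core/Attic/Makefile
@@ -1,18 +1,19 @@
-# $NetBSD: Makefile,v 1.10 2007/12/22 22:34:22 jdolecek Exp $
+# $NetBSD: Makefile,v 1.10.4.1 2008/05/12 10:47:37 rtr Exp $
 #
 
 DISTNAME= licq-1.3.5
 PKGNAME= ${DISTNAME:C/-/-core-/}
+PKGREVISION= 1
 CATEGORIES= chat
 MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=licq/}
 EXTRACT_SUFX= .tar.bz2
 
 MAINTAINER= pkgsrc-users@NetBSD.org
 HOMEPAGE= http://www.licq.org/
 COMMENT= ICQ client with plugin support
 
 USE_LANGUAGES= c c++
 USE_LIBTOOL= YES
 GNU_CONFIGURE= YES
 
 .include "../../mk/bsd.prefs.mk"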
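--- a/pkgsrc/chat/licq-core/Attic/distinfo
+++ b/pkgsrc/chat/licq-core/Attic/distinfo
@@ -1,14 +1,17 @@
-$NetBSD: distinfo,v 1.12 2008/01/05 21:00:18 rillig Exp $
+$NetBSD: distinfo,v 1.12.2.1 2008/05/12 10:47:37 rtr Exp $
 
 SHA1 (licq-1.3.5.tar.bz2) = a1059173f36694e6e5ec9ba62ced6e9738807916
 RMD160 (licq-1.3.5.tar.bz2) = 4442f6cb3630d8300e5f128617a522bd2cb863dc
 Size (licq-1.3.5.tar.bz2) = 3260471 bytes
-SHA1 (patch-aa) = 974a65e3483b3438fb3c6c9aaf96aa67e4c60fa6
+SHA1 (patch-aa) = 643c4a7ac8abada0a60eb16f66e845fbb8e8a0e2
+SHA1 (patch-ab) = f6cefc63ebff977300b85eeee4c69694f27a1b04
+SHA1 (patch-ac) = 8bd085b41c37df19b45e772d3b7c2eef9f45490a
 SHA1 (patch-ad) = d53a300e08852c9ad09ec900b46feb2c37129d76
 SHA1 (patch-ae) = cf0ad230f4dcaca9ed1d3f92a4c5e6e131029d68
 SHA1 (patch-af) = 86a99ad96c56f0e53547025a7c5536a01fd2a8b8
+SHA1 (patch-ag) = 57f07955f7710b4ff2d7e453518eb1bdee45a4b5
 SHA1 (patch-ai) = f8cebb4e821a1b648e69135db5dd232a9459773a
 SHA1 (patch-ca) = 36475ac0642e8908a2ae6a8913efa25ba09af1c3
 SHA1 (patch-cb) = 3a4f3f35825207693dc87112899a3e6bb3ec71a0
 SHA1 (patch-qa) = 1fb1821418c151d7a43085d9b1038279dca59f4d
 SHA1 (patch-qb) = 2fa14d43c3d415947fdd67db30642b31030e5a3b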
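--- a/pkgsrc/chat/licq-core/patches/Attic/patch-aa
+++ b/pkgsrc/chat/licq-core/patches/Attic/patch-aa
@@ -1,12 +1,20 @@
-$NetBSD: patch-aa,v 1.1 2005/10/31 18:58:38 tv Exp $
+$NetBSD: patch-aa,v 1.1.20.1 2008/05/12 10:47:37 rtr Exp $
 
---- include/licq_socket.h.orig 2002-03-20 11:00:54.000000000 -0500
+--- include/licq_socket.h.orig 2006-10-18 10:59:12.000000000 +0200
 +++ include/licq_socket.h
 @@ -6,6 +6,7 @@
 #endif
 
 #include <sys/types.h>
 +#include <sys/time.h>
 #include <sys/socket.h>
 #include <netinet/in.h>
 #include <arpa/inet.h>
+@@ -250,6 +251,7 @@ public:
+
+fd_set SocketSet() { return m_sSockets.SocketSet(); }
+int LargestSocket() { return m_sSockets.Largest(); }
++ unsigned short Num() { return m_sSockets.Num(); }
+
+protected:
+CSocketSet m_sSockets;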
$NetBSD: patch-ab,v 1.2.4.1 2008/05/12 10:47:37 rtr Exp $
--- src/icqd-chat.cpp.orig 2007-09-09 14:05:24.000000000 +0200
+++ src/icqd-chat.cpp
@@ -23,6 +23,7 @@
// Localization
#include "gettext.h"
+#define MAX_CONNECTS 256
#define DEBUG_THREADS(x)
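Review bot: `MAX_CONNECTS` is added here without a comment and is defined a second time, with the same value, in the src/icqd-threads.cpp patch (patch-ac), so the two limits can drift apart. It would be better defined once in a shared header such as include/licq_socket.h, which patch-aa already touches, with a comment like `// Upper bound on sockets handed to the socket manager; descriptors are tracked in an fd_set, so keep this below FD_SETSIZE`. The cap counts sockets rather than descriptor values, so on its own it does not keep descriptors under FD_SETSIZE; the check added in src/socket.cpp (patch-ag) is what covers that.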
@@ -2383,16 +2384,24 @@ void *ChatManager_tep(void *arg)
// Connection on the server port ---------------------------------------
else if (nCurrentSocket == chatman->chatServer.Descriptor())
{
- CChatUser *u = new CChatUser;
- u->m_pClient = new CChatClient;
-
- chatman->chatServer.RecvConnection(u->sock);
- chatman->sockman.AddSocket(&u->sock);
- chatman->sockman.DropSocket(&u->sock);
-
- u->state = CHAT_STATE_HANDSHAKE;
- chatman->chatUsers.push_back(u);
- gLog.Info(tr("%sChat: Received connection.\n"), L_TCPxSTR);
+ if (chatman->sockman.Num() >= MAX_CONNECTS)
+ {
+ // Too many sockets, drop this one
+ gLog.Warn(tr("%sToo many connected clients, rejecting new connection.\n"), L_WARNxSTR);
+ }
+ else
+ {
+ CChatUser *u = new CChatUser;
+ u->m_pClient = new CChatClient;
+
+ chatman->chatServer.RecvConnection(u->sock);
+ chatman->sockman.AddSocket(&u->sock);
+ chatman->sockman.DropSocket(&u->sock);
+
+ u->state = CHAT_STATE_HANDSHAKE;
+ chatman->chatUsers.push_back(u);
+ gLog.Info(tr("%sChat: Received connection.\n"), L_TCPxSTR);
+ }
}
// Message from connected socket----------------------------------------
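Review bot: The new rejection branch logs a warning but never takes the pending connection off the listening socket, because `chatServer.RecvConnection(...)` is only called in the `else` branch. If this loop is driven by select() on `chatServer.Descriptor()` (the loop is outside the hunk), the descriptor stays readable and the branch runs again on every pass, so reaching the limit trades the crash for a spinning thread and a flooded log. The src/icqd-threads.cpp patch accepts first and then discards the socket; the same shape here would drain the backlog, e.g. `TCPSocket *rejected = new TCPSocket(0); chatman->chatServer.RecvConnection(*rejected); delete rejected;`, assuming the destructor closes the descriptor. The accepting branch also calls `AddSocket(&u->sock)` without knowing whether `RecvConnection` succeeded. ChatManager_tep starts and ends outside the hunk.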
$NetBSD: patch-ag,v 1.2.4.1 2008/05/12 10:47:37 rtr Exp $
--- src/socket.cpp.orig 2007-10-15 20:11:50.000000000 +0200
+++ src/socket.cpp
@@ -817,8 +817,19 @@ void TCPSocket::RecvConnection(TCPSocket
{
socklen_t sizeofSockaddr = sizeof(struct sockaddr_in);
- newSocket.m_nDescriptor = accept(m_nDescriptor, (struct sockaddr *)&newSocket.m_sRemoteAddr, &sizeofSockaddr);
- newSocket.SetLocalAddress();
+ int newDesc = accept(m_nDescriptor, (struct sockaddr *)&newSocket.m_sRemoteAddr, &sizeofSockaddr);
+ if (newDesc < FD_SETSIZE)
+ {
+ newSocket.m_nDescriptor = newDesc;
+ newSocket.SetLocalAddress();
+ }
+ else
+ {
+ gLog.Error(tr("%sCannot accept new connection, too many descriptors in use.\n"), L_ERRORxSTR);
+ close(newDesc);
+
+ // TODO throw an exception, or do something to tell the caller it failed
+ }
}
#define m_pSSL ((SSL *) m_p_SSL)
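Review bot: `if (newDesc < FD_SETSIZE)` also lets through the -1 that accept() returns on failure, so a failed accept is stored as the descriptor and passed on to `SetLocalAddress()`; the guard should be `if (newDesc >= 0 && newDesc < FD_SETSIZE)`, with `close(newDesc)` skipped when newDesc is negative. The TODO marks the more serious gap: on rejection `newSocket` keeps whatever descriptor it held before the call and the function returns void, so the callers in src/icqd-chat.cpp and src/icqd-threads.cpp go on to `AddSocket` a socket that was never accepted. Returning a status, or leaving a documented sentinel descriptor that callers test, would let them discard it. RecvConnection's signature is truncated in the hunk header and its declaration is not visible here.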
$NetBSD: patch-ac,v 1.4.4.1 2008/05/12 10:47:37 rtr Exp $
--- src/icqd-threads.cpp.orig 2007-09-28 22:11:35.000000000 +0200
+++ src/icqd-threads.cpp
@@ -23,6 +23,7 @@
// Localization
#include "gettext.h"
+#define MAX_CONNECTS 256
#define DEBUG_THREADS(x)
//#define DEBUG_THREADS(x) gLog.Info(x)
@@ -780,8 +781,21 @@ void *MonitorSockets_tep(void *p)
TCPSocket *newSocket = new TCPSocket(0);
tcp->RecvConnection(*newSocket);
gSocketManager.DropSocket(tcp);
- gSocketManager.AddSocket(newSocket);
- gSocketManager.DropSocket(newSocket);
+
+ // Make sure we can handle another socket before accepting it
+ if (gSocketManager.Num() > MAX_CONNECTS)
+ {
+ // Too many sockets, drop this one
+ char remoteIp[32];
+ gLog.Warn(tr("%sToo many connected sockets, rejecting connection from %s.\n"),
+ L_WARNxSTR, newSocket->RemoteIpStr(remoteIp));
+ delete newSocket;
+ }
+ else
+ {
+ gSocketManager.AddSocket(newSocket);
+ gSocketManager.DropSocket(newSocket);
+ }
}
}
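Review bot: The limit test here is `Num() > MAX_CONNECTS`, while the chat server patch uses `Num() >= MAX_CONNECTS`, so this path admits one socket more than the other; use `if (gSocketManager.Num() >= MAX_CONNECTS)` unless the difference is intended. The comment `// Make sure we can handle another socket before accepting it` is misleading, since `tcp->RecvConnection(*newSocket)` has already accepted the connection a few lines earlier; `// Connection already accepted; decide whether to keep the socket or discard it` matches the code. The `else` branch also adds `newSocket` without knowing whether RecvConnection succeeded, because it reports no status. MonitorSockets_tep starts and ends outside the hunk.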