pullup ticket #2372 - requested by tonnerre licq-core: fix for DoS vulnerability revisions pulled up: - pkgsrc/chat/licq-core/Makefile 1.11 - pkgsrc/chat/licq-core/distinfo 1.13 - pkgsrc/chat/licq-core/patches/patch-aa 1.2 - pkgsrc/chat/licq-core/patches/patch-ab 1.3 - pkgsrc/chat/licq-core/patches/patch-ac 1.3 - pkgsrc/chat/licq-core/patches/patch-ag 1.5 Module Name: pkgsrc Committed By: tonnerre Date: Sun May 11 04:12:34 UTC 2008 Modified Files: pkgsrc/chat/licq-core: Makefile distinfo pkgsrc/chat/licq-core/patches: patch-aa Added Files: pkgsrc/chat/licq-core/patches: patch-ab patch-ac patch-ag Log Message: Fix multiple connection handling Denial of Service vulnerability in licq (CVE-2008-1996). Before this, the application would crash if too many TCP connections are opened.

(rtr)

 @@ -1,18 +1,19 @@
-# $NetBSD: Makefile,v 1.10 2007/12/22 22:34:22 jdolecek Exp $
+# $NetBSD: Makefile,v 1.10.4.1 2008/05/12 10:47:37 rtr Exp $
+#
 DISTNAME=	licq-1.3.5
 PKGNAME=	${DISTNAME:C/-/-core-/}
 PKGREVISION=	1
 CATEGORIES=	chat
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE:=licq/}
 EXTRACT_SUFX=	.tar.bz2
 MAINTAINER=	pkgsrc-users@NetBSD.org
 HOMEPAGE=	http://www.licq.org/
 COMMENT=	ICQ client with plugin support
 USE_LANGUAGES=	c c++
 USE_LIBTOOL=	YES
 GNU_CONFIGURE=	YES
 .include "../../mk/bsd.prefs.mk"

 @@ -1,14 +1,17 @@
-$NetBSD: distinfo,v 1.12 2008/01/05 21:00:18 rillig Exp $
+$NetBSD: distinfo,v 1.12.2.1 2008/05/12 10:47:37 rtr Exp $
 SHA1 (licq-1.3.5.tar.bz2) = a1059173f36694e6e5ec9ba62ced6e9738807916
 RMD160 (licq-1.3.5.tar.bz2) = 4442f6cb3630d8300e5f128617a522bd2cb863dc
 Size (licq-1.3.5.tar.bz2) = 3260471 bytes
-SHA1 (patch-aa) = 974a65e3483b3438fb3c6c9aaf96aa67e4c60fa6
+SHA1 (patch-aa) = 643c4a7ac8abada0a60eb16f66e845fbb8e8a0e2
 SHA1 (patch-ab) = f6cefc63ebff977300b85eeee4c69694f27a1b04
 SHA1 (patch-ac) = 8bd085b41c37df19b45e772d3b7c2eef9f45490a
 SHA1 (patch-ad) = d53a300e08852c9ad09ec900b46feb2c37129d76
 SHA1 (patch-ae) = cf0ad230f4dcaca9ed1d3f92a4c5e6e131029d68
 SHA1 (patch-af) = 86a99ad96c56f0e53547025a7c5536a01fd2a8b8
 SHA1 (patch-ag) = 57f07955f7710b4ff2d7e453518eb1bdee45a4b5
 SHA1 (patch-ai) = f8cebb4e821a1b648e69135db5dd232a9459773a
 SHA1 (patch-ca) = 36475ac0642e8908a2ae6a8913efa25ba09af1c3
 SHA1 (patch-cb) = 3a4f3f35825207693dc87112899a3e6bb3ec71a0
 SHA1 (patch-qa) = 1fb1821418c151d7a43085d9b1038279dca59f4d
 SHA1 (patch-qb) = 2fa14d43c3d415947fdd67db30642b31030e5a3b

 @@ -1,12 +1,20 @@
-$NetBSD: patch-aa,v 1.1 2005/10/31 18:58:38 tv Exp $
+$NetBSD: patch-aa,v 1.1.20.1 2008/05/12 10:47:37 rtr Exp $
---- include/licq_socket.h.orig	2002-03-20 11:00:54.000000000 -0500
+--- include/licq_socket.h.orig	2006-10-18 10:59:12.000000000 +0200
 +++ include/licq_socket.h
 @@ -6,6 +6,7 @@
  #endif
  #include <sys/types.h>
 +#include <sys/time.h>
  #include <sys/socket.h>
  #include <netinet/in.h>
  #include <arpa/inet.h>
@@ -250,6 +251,7 @@ public:
    fd_set SocketSet()   {  return m_sSockets.SocketSet(); }
    int LargestSocket()  {  return m_sSockets.Largest(); }
 +  unsigned short Num() {  return m_sSockets.Num(); }
  protected:
    CSocketSet m_sSockets;

$NetBSD: patch-ab,v 1.2.4.1 2008/05/12 10:47:37 rtr Exp $ --- src/icqd-chat.cpp.orig 2007-09-09 14:05:24.000000000 +0200 +++ src/icqd-chat.cpp @@ -23,6 +23,7 @@ // Localization #include "gettext.h" +#define MAX_CONNECTS 256 #define DEBUG_THREADS(x) @@ -2383,16 +2384,24 @@ void *ChatManager_tep(void *arg) // Connection on the server port --------------------------------------- else if (nCurrentSocket == chatman->chatServer.Descriptor()) { - CChatUser *u = new CChatUser; - u->m_pClient = new CChatClient; - - chatman->chatServer.RecvConnection(u->sock); - chatman->sockman.AddSocket(&u->sock); - chatman->sockman.DropSocket(&u->sock); - - u->state = CHAT_STATE_HANDSHAKE; - chatman->chatUsers.push_back(u); - gLog.Info(tr("%sChat: Received connection.\n"), L_TCPxSTR); + if (chatman->sockman.Num() >= MAX_CONNECTS) + { + // Too many sockets, drop this one + gLog.Warn(tr("%sToo many connected clients, rejecting new connection.\n"), L_WARNxSTR); + } + else + { + CChatUser *u = new CChatUser; + u->m_pClient = new CChatClient; + + chatman->chatServer.RecvConnection(u->sock); + chatman->sockman.AddSocket(&u->sock); + chatman->sockman.DropSocket(&u->sock); + + u->state = CHAT_STATE_HANDSHAKE; + chatman->chatUsers.push_back(u); + gLog.Info(tr("%sChat: Received connection.\n"), L_TCPxSTR); + } } // Message from connected socket----------------------------------------

$NetBSD: patch-ag,v 1.2.4.1 2008/05/12 10:47:37 rtr Exp $ --- src/socket.cpp.orig 2007-10-15 20:11:50.000000000 +0200 +++ src/socket.cpp @@ -817,8 +817,19 @@ void TCPSocket::RecvConnection(TCPSocket { socklen_t sizeofSockaddr = sizeof(struct sockaddr_in); - newSocket.m_nDescriptor = accept(m_nDescriptor, (struct sockaddr *)&newSocket.m_sRemoteAddr, &sizeofSockaddr); - newSocket.SetLocalAddress(); + int newDesc = accept(m_nDescriptor, (struct sockaddr *)&newSocket.m_sRemoteAddr, &sizeofSockaddr); + if (newDesc < FD_SETSIZE) + { + newSocket.m_nDescriptor = newDesc; + newSocket.SetLocalAddress(); + } + else + { + gLog.Error(tr("%sCannot accept new connection, too many descriptors in use.\n"), L_ERRORxSTR); + close(newDesc); + + // TODO throw an exception, or do something to tell the caller it failed + } } #define m_pSSL ((SSL *) m_p_SSL)

$NetBSD: patch-ac,v 1.4.4.1 2008/05/12 10:47:37 rtr Exp $ --- src/icqd-threads.cpp.orig 2007-09-28 22:11:35.000000000 +0200 +++ src/icqd-threads.cpp @@ -23,6 +23,7 @@ // Localization #include "gettext.h" +#define MAX_CONNECTS 256 #define DEBUG_THREADS(x) //#define DEBUG_THREADS(x) gLog.Info(x) @@ -780,8 +781,21 @@ void *MonitorSockets_tep(void *p) TCPSocket *newSocket = new TCPSocket(0); tcp->RecvConnection(*newSocket); gSocketManager.DropSocket(tcp); - gSocketManager.AddSocket(newSocket); - gSocketManager.DropSocket(newSocket); + + // Make sure we can handle another socket before accepting it + if (gSocketManager.Num() > MAX_CONNECTS) + { + // Too many sockets, drop this one + char remoteIp[32]; + gLog.Warn(tr("%sToo many connected sockets, rejecting connection from %s.\n"), + L_WARNxSTR, newSocket->RemoteIpStr(remoteIp)); + delete newSocket; + } + else + { + gSocketManager.AddSocket(newSocket); + gSocketManager.DropSocket(newSocket); + } } }