------------------------------------------------------------------------
r287 | auerswald | 2013-08-09 19:19:13 +0200 (Pá, 09 srp 2013) | 18 lines
Accept only possible values for listen port offset of nasd.
Verify that the listen port offset specified as a command line argument
to nasd is a non-negative number that will result in a valid TCP port
number if added to AU_DEFAULT_TCP_PORT (currently 8000).
Specifying a long argument starting with a colon would otherwise result
in buffer overflows later on.
The problem was reported to the nas mailing list by
Hamid Zamani <me@hamidx9.ir>, together with other vulnerabilities
in NAS 1.9.3:
http://radscan.com/pipermail/nas/2013-August/001270.html
[Adding bounds checks to the string operations is still needed to guarantee
they do not overflow.]
------------------------------------------------------------------------
Index: server/os/utils.c
===================================================================
--- server/os/utils.c (revision 286)
+++ server/os/utils.c (revision 287)
@@ -50,6 +50,9 @@
#include <audio/audio.h>
#include <audio/Aos.h>
+#include <audio/Aproto.h>
+#include <errno.h>
+#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include "nasconf.h"
@@ -298,6 +301,26 @@
for (i = 1; i < argc; i++) {
if (argv[i][0] == ':') {
+ char *check;
+ long display_value;
+ errno = 0;
+ display_value = strtol(argv[i]+1, &check, 10);
+ if (errno) {
+ Error("Unable to parse display number");
+ continue;
+ }
+ if (check[0] != '\0') {
+ fprintf(stderr, "Listen port offset must be a number.\n");
+ continue;
+ }
+ if (display_value > USHRT_MAX - AU_DEFAULT_TCP_PORT) {
+ fprintf(stderr, "Ignoring too big listen port offset.\n");
+ continue;
+ }
+ if (display_value < 0) {
+ fprintf(stderr, "Ignoring negative listen port offset.\n");
+ continue;
+ }
display = argv[i];
display++;
} else if (strcmp(argv[i], "-aa") == 0)
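Review bot: A bare `:` argument (colon with no digits) still passes all four new checks: strtol returns 0, sets `check` to `argv[i]+1`, and `check[0]` is already `'\0'`, so `display` becomes an empty string rather than being rejected. The end-pointer test should also reject the no-digits case, e.g. `if (check == argv[i]+1 || check[0] != '\0') {`, which also covers a stray leading whitespace-only value that strtol would otherwise accept as "no conversion". The three rejection paths mix `Error()` with `fprintf(stderr, ...)`; using one reporting style for all of them would be clearer, since it is not obvious from the hunk whether `Error()` aborts or only logs. The enclosing argument-parsing loop starts before this hunk and continues past it.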