------------------------------------------------------------------------
r287 | auerswald | 2013-08-09 19:19:13 +0200 (Pá, 09 srp 2013) | 18 lines

Accept only possible values for listen port offset of nasd.

Verify that the listen port offset specified as a command line argument
to nasd is a non-negative number that will result in a valid TCP port
number if added to AU_DEFAULT_TCP_PORT (currently 8000).

Specifying a long argument starting with a colon would otherwise result
in buffer overflows later on.

The problem was reported to the nas mailing list  by
Hamid Zamani <me@hamidx9.ir>, together with other vulnerabilities
in NAS 1.9.3:

http://radscan.com/pipermail/nas/2013-August/001270.html

[Adding bounds checks to the string operations is still needed to guarantee
they do not overflow.]

------------------------------------------------------------------------
Index: server/os/utils.c
===================================================================
--- server/os/utils.c	(revision 286)
+++ server/os/utils.c	(revision 287)
@@ -50,6 +50,9 @@
 
 #include <audio/audio.h>
 #include <audio/Aos.h>
+#include <audio/Aproto.h>
+#include <errno.h>
+#include <limits.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include "nasconf.h"
@@ -298,6 +301,26 @@
 
     for (i = 1; i < argc; i++) {
         if (argv[i][0] == ':') {
+            char *check;
+            long display_value;
+            errno = 0;
+            display_value = strtol(argv[i]+1, &check, 10);
+            if (errno) {
+                Error("Unable to parse display number");
+                continue;
+            }
+            if (check[0] != '\0') {
+                fprintf(stderr, "Listen port offset must be a number.\n");
+                continue;
+            }
+            if (display_value > USHRT_MAX - AU_DEFAULT_TCP_PORT) {
+                fprintf(stderr, "Ignoring too big listen port offset.\n");
+                continue;
+            }
+            if (display_value < 0) {
+                fprintf(stderr, "Ignoring negative listen port offset.\n");
+                continue;
+            }
             display = argv[i];
             display++;
         } else if (strcmp(argv[i], "-aa") == 0)