
Fix segfault in pptpctrl argument parser

Christoph Biedl 5 years ago
parent
commit
7859832673

+ 60 - 0
debian/patches/cherry-pick.1.4.0-18-gd7b9552.fix-segfault-in-pptpctrl-argument-parser.patch

@@ -0,0 +1,60 @@
+Subject: Fix segfault in pptpctrl argument parser
+Origin: 1.4.0-18-gd7b9552
+Upstream-Author: Christoph Biedl <sourceforge.bnwi@manchmal.in-ulm.de>
+Date: Fri Jul 8 14:03:18 2016 +1000
+
+    it's easily possible to trigger a segfault in pptpctrl:
+    
+    This happened when triggering a bug in pptpmanager I am currently
+    working on. The check for (argc < 7) isn't sufficient, my suggested
+    fix adds a check to any GETARG_* invocation.
+    
+    Signed-off-by: James Cameron <quozl@laptop.org>
+
+--- a/pptpctrl.c
++++ b/pptpctrl.c
+@@ -92,19 +92,29 @@
+ #define OUR_NB_MODE O_NDELAY
+ #endif
+ 
++void usage()
++{
++        fprintf(stderr, "pptpctrl: insufficient arguments, see man pptpctrl\n");
++        exit(2);
++}
++
+ /* read a command line argument, a flag alone */
+ #define GETARG_INT(X) \
++        if (arg >= argc) usage() ; \
+         X = atoi(argv[arg++])
+ 
+ /* read a command line argument, a string alone */
+ #define GETARG_STRING(X) \
++        if (arg >= argc) usage() ; \
+         X = strdup(argv[arg++])
+ 
+ /* read a command line argument, a presence flag followed by string */
+ #define GETARG_VALUE(X) \
+-        if(atoi(argv[arg++]) != 0) \
++        if (arg >= argc) usage() ; \
++        if (atoi(argv[arg++]) != 0) { \
++                if (arg >= argc) usage() ; \
+                 strlcpy(X, argv[arg++], sizeof(X)); \
+-        else \
++        } else \
+                 *X = '\0'
+ 
+ int main(int argc, char **argv)
+@@ -122,10 +132,8 @@
+         gargv = argv;
+ 
+         /* fail if argument count invalid */
+-        if (argc < 7) {
+-                fprintf(stderr, "pptpctrl: insufficient arguments, see man pptpctrl\n");
+-                exit(2);
+-        }
++        if (argc < 7)
++                usage();
+ 
+         /* open a connection to the syslog daemon */
+         openlog("pptpd", LOG_PID, PPTP_FACILITY);
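Review bot: The three GETARG_* macros in the pptpctrl.c hunk now expand to more than one statement but are not wrapped in `do { ... } while (0)`. A call written as the body of an unbraced `if` would therefore guard only the new `arg >= argc` check, and the `argv[arg++]` read would run unconditionally. The call sites in main() are outside this hunk, so whether any is written that way should be checked; the wrapped form below removes the hazard either way. Separately, `void usage()` would be better declared as `void usage(void)` so the compiler checks calls against a real prototype.

```c
/* read a command line argument, a flag alone */
#define GETARG_INT(X) \
        do { \
                if (arg >= argc) usage(); \
                X = atoi(argv[arg++]); \
        } while (0)

/* read a command line argument, a string alone */
#define GETARG_STRING(X) \
        do { \
                if (arg >= argc) usage(); \
                X = strdup(argv[arg++]); \
        } while (0)

/* read a command line argument, a presence flag followed by string */
#define GETARG_VALUE(X) \
        do { \
                if (arg >= argc) usage(); \
                if (atoi(argv[arg++]) != 0) { \
                        if (arg >= argc) usage(); \
                        strlcpy(X, argv[arg++], sizeof(X)); \
                } else { \
                        *X = '\0'; \
                } \
        } while (0)
```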

+ 1 - 0
debian/patches/series

@@ -3,6 +3,7 @@ cherry-pick.1.4.0-10-g6adffc1.bcrelay-fix-typo.patch
 cherry-pick.1.4.0-11-g4ea2db6.ff.bcrelay-c-replace-sprintf-with-snprintf.patch
 cherry-pick.1.4.0-14-gb84360b.pptpctrl-exit-when-bailing.patch
 cherry-pick.1.4.0-16-g0c0ad67.check-for-remote-ip-duplicates-in-pptpd-conf.patch
+cherry-pick.1.4.0-18-gd7b9552.fix-segfault-in-pptpctrl-argument-parser.patch
 
 # local modifications
 local.build_hardening-flags.patch