Fix possible out of bounds memory reads when reading configuration.
This would happen with a corrupt/crafted configuration file. Unless your configuration file is writable by untrusted users, this is not a risk. Closes #567213. Thanks to Roland Sako.
This commit is contained in:
parent
e3158e2b09
commit
4e146b7b53
@ -1,6 +1,11 @@
|
||||
2.0.12 - 2021-07-xx
|
||||
===================
|
||||
|
||||
Broker:
|
||||
- Fix possible out of bounds memory reads when reading a corrupt/crafted
|
||||
configuration file. Unless your configuration file is writable by untrusted
|
||||
users this is not a risk. Closes #567213.
|
||||
|
||||
Clients:
|
||||
- mosquitto_sub and mosquitto_rr now open stdout in binary mode on Windows
|
||||
so binary payloads are not modified when printing.
|
||||
|
@ -156,6 +156,7 @@ char *fgets_extending(char **buf, int *buflen, FILE *stream)
|
||||
char endchar;
|
||||
int offset = 0;
|
||||
char *newbuf;
|
||||
size_t len;
|
||||
|
||||
if(stream == NULL || buf == NULL || buflen == NULL || *buflen < 1){
|
||||
return NULL;
|
||||
@ -167,7 +168,11 @@ char *fgets_extending(char **buf, int *buflen, FILE *stream)
|
||||
return rc;
|
||||
}
|
||||
|
||||
endchar = (*buf)[strlen(*buf)-1];
|
||||
len = strlen(*buf);
|
||||
if(len == 0){
|
||||
return rc;
|
||||
}
|
||||
endchar = (*buf)[len-1];
|
||||
if(endchar == '\n'){
|
||||
return rc;
|
||||
}
|
||||
|
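Review bot: The new `len == 0` early return carries no comment explaining how a non-NULL fgets() result can have zero length, which is the whole reason for the check; suggest `/* A NUL byte at the start of the line makes strlen() 0; return the empty line rather than indexing (*buf)[-1]. */` above `len = strlen(*buf);`. A NUL later in the line is still invisible to strlen(), so the endchar test looks at the byte before the NUL and presumably whatever follows it is dropped from the returned line; that is acceptable for a config reader but deserves a sentence in the function's header comment. fgets_extending's body begins and ends outside the hunk.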
@ -741,6 +741,7 @@ static int config__read_file_core(struct mosquitto__config *config, bool reload,
|
||||
size_t prefix_len;
|
||||
char **files;
|
||||
int file_count;
|
||||
size_t slen;
|
||||
#ifdef WITH_TLS
|
||||
char *kpass_sha = NULL, *kpass_sha_bin = NULL;
|
||||
char *keyform ;
|
||||
@ -751,8 +752,12 @@ static int config__read_file_core(struct mosquitto__config *config, bool reload,
|
||||
while(fgets_extending(buf, buflen, fptr)){
|
||||
(*lineno)++;
|
||||
if((*buf)[0] != '#' && (*buf)[0] != 10 && (*buf)[0] != 13){
|
||||
while((*buf)[strlen((*buf))-1] == 10 || (*buf)[strlen((*buf))-1] == 13){
|
||||
(*buf)[strlen((*buf))-1] = 0;
|
||||
slen = strlen(*buf);
|
||||
if(slen == 0){
|
||||
continue;
|
||||
}
|
||||
while((*buf)[slen-1] == 10 || (*buf)[slen-1] == 13){
|
||||
(*buf)[slen-1] = 0;
|
||||
}
|
||||
token = strtok_r((*buf), " ", &saveptr);
|
||||
if(token){
|
||||
|