* Fixed potential buffer overflow when line length exceeds MAXLINE

- Thanks Raphael Marichez

* Fixed potential buffer overflow when line length exceeds MAXLINE
- Thanks Raphael Marichez
039f9e6d · Nigel Kukard · 030849ac · 039f9e6d · 039f9e6d · 039f9e6d
Commit 039f9e6d authored Jun 20, 2007 by Nigel Kukard
--- a/policyd.c
+++ b/policyd.c
@@ -8,6 +8,7 @@
 *
 *  policy daemon is used in conjuction with postfix to combat spam.
 *
+ *  Copyright (C) 2007 Nigel Kukard <nkukard@lbsd.net>
 *  Copyright (C) 2004 Cami Sardinha (cami@mweb.co.za)
 *
 *
@@ -216,10 +217,11 @@ main(int argc, char **argv)
          logmessage("DEBUG: fd: %d select(): fd %d is ready for read\n", sockfd, sockfd);
     
        /* read as much data as we can */
-	rres = w_read(sockfd,buf[sockfd]);
+        rres = w_read(sockfd,buf[sockfd],MAXLINE);
 	switch (rres)
 	{
-	  case -1:
+          case -3:
+          case -1:
            w_close(sockfd);            /* shut down socket           */
            FD_CLR(sockfd, &rallset);   /* remove fd from read set    */
            client[numi] = -1;          /* make descriptor available  */

--- a/policyd.h
+++ b/policyd.h
@@ -5,6 +5,7 @@
 *
 *  policy daemon is used in conjuction with postfix to combat spam.
 *
+ *  Copyright (C) 2007 Nigel Kukard <nkukard@lbsd.net>
 *  Copyright (C) 2004 Cami Sardinha (cami@mweb.co.za)
 *
 *
@@ -59,7 +60,7 @@

 /* CONFIGS */
 #define PROJECT         "policyd"
-#define VERSION         "v1.80"
+#define VERSION         "v1.81a"

 /* Miscellaneous constants */
 #define LISTENQ         1023    /* 2nd argument to listen() */
@@ -221,7 +222,7 @@ unsigned long int mysql_timeout;        /* mysql query timeout   */
  int    cidr_ip_match (unsigned long ip, char *range);
  pid_t w_fork(void);
 const char *w_inet_ntop(int family, const void *addrptr, char *strptr, size_t len);
- ssize_t w_read(unsigned int fd, char *ptr);
+ ssize_t w_read(unsigned int fd, char *ptr, size_t max_size);
 ssize_t w_write(unsigned int fd, const void *vbuf);
 ssize_t f_write(unsigned int volatile fd, const void *vptr, size_t n);
 void w_close(unsigned int fd);

--- a/sockets.c
+++ b/sockets.c
@@ -7,6 +7,7 @@
 *
 *  policy daemon is used in conjuction with postfix to combat spam.
 *
+ *  Copyright (C) 2007 Nigel Kukard <nkukard@lbsd.net>
 *  Copyright (C) 2004 Cami Sardinha (cami@mweb.co.za)
 *
 *
@@ -147,7 +148,7 @@ w_listen(unsigned int fd, unsigned int backlog)
 *   return: number bytes read
 */ 
 ssize_t
-w_read(unsigned int fd, char *ptr)
+w_read(unsigned int fd, char *ptr, size_t max_size)
 {       
  ssize_t  n;
  size_t   data_read = 0;                                    /* for debug only */
@@ -159,6 +160,16 @@ w_read(unsigned int fd, char *ptr)
    buf_counter[fd]++;
    buf_size[fd]++;

+
+    /* check if we've reached the end of the buffer */
+    if (buf_counter[fd] == max_size)
+    {
+      if (DEBUG > 2)
+        logmessage("DEBUG: fd: %d reached end of buffer, aborting\n", fd);
+
+      return -3;
+    }
+
    /* need at least 2 bytes to check against */
    if (buf_counter[fd] > 2)
    {