hfaxd: Cleanup uid initizliaztion and theoretical overflow
authorAidan Van Dyk <aidan@ifax.com>
Fri, 14 Aug 2009 16:14:00 +0000 (12:14 -0400)
committerAidan Van Dyk <aidan@ifax.com>
Fri, 21 Aug 2009 18:16:58 +0000 (14:16 -0400)
This fixes a "technical" array overflow:
FAXUID_MAX == FAXUID_ANON == 60002 == array size.
array[FAXUID_ANON] is out of bounds

It happens to not be one because our "bit array" doesn't end exactly
on long boundaries, so the out-of-bound by 1 is still in the allocated
"long array".

This also tightens up checks on acceptable uid values before being used
or assigned.

hfaxd/User.c++

index a5ece5edad8518621d71bf33a0d402adc372ff07..d9b123aeee54f9189bacd10ebe299f76c8b568a7 100644 (file)
@@ -48,7 +48,6 @@
  * User Access Control Support.
  */
 gid_t  HylaFAXServer::faxuid = 0;              // reserved fax uid
-#define        FAXUID_RESV     HylaFAXServer::faxuid   // reserved fax uid
 
 bool
 HylaFAXServer::checkUser(const char* name)
@@ -362,12 +361,13 @@ HylaFAXServer::findUser(FILE* db, const char* user, u_int& newuid)
 {
     rewind(db);
     char line[1024];
-    u_long allocated[howmany(FAXUID_MAX,NBPL)];
+    u_long allocated[howmany(FAXUID_MAX+1,NBPL)];
     memset(allocated, 0, sizeof (allocated));
     if (faxuid < FAXUID_MAX)
-       SetBit(FAXUID_RESV);                    // reserved uid
+       SetBit(faxuid);                 // reserved uid
     else
        logError("Internal error, \"fax\" UID (%u) too large.", faxuid);
+    SetBit(0);                                 // 0 uid is reserved
     SetBit(FAXUID_ANON);                       // anonymous uid is reserved
     while (nextRecord(db, line, sizeof (line))) {
        if (line[0] == '!')
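Review bot: The declaration `u_long allocated[howmany(FAXUID_MAX+1,NBPL)]` now holds one more bit than the `faxuid < FAXUID_MAX` guard below it admits, and the reason is recorded only in the commit message. A comment on the declaration would keep the two bounds from drifting apart, for example `// one bit per uid in 0..FAXUID_MAX; FAXUID_ANON == FAXUID_MAX needs the +1`. SetBit is defined outside this hunk, so whether it checks its index cannot be seen here; if it does not, the unguarded `SetBit(FAXUID_ANON)` stays in bounds only while that equality holds. findUser starts in this hunk but ends outside it.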
@@ -379,7 +379,10 @@ HylaFAXServer::findUser(FILE* db, const char* user, u_int& newuid)
            return (true);
        if (*cp == ':' && isdigit(cp[1])) {     // mark uid as in-use
            u_int uid = (u_int) atoi(cp+1);
-           SetBit(uid);
+           if (uid < FAXUID_MAX)
+               SetBit(uid);
+           else
+               logError("Error in %s:  UID (%u) too large.", (const char*)userAccessFile, uid);
        }
     }
     // find unallocated uid
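Review bot: `atoi(cp+1)` in the uid-marking branch has no defined result when the digit run does not fit in an int, so the value tested by the new `uid < FAXUID_MAX` guard may not be the number written in the access file. A wrapped value could pass the guard and mark an unrelated uid as in use. A range-reporting parse closes that gap: `u_long v = strtoul(cp+1, NULL, 10);` followed by `if (v < FAXUID_MAX) SetBit((u_int) v);`, since an overflowing input then fails the comparison. The guard also logs a record carrying exactly FAXUID_MAX as "too large" although that index is now inside the array; if that is intended because the value is the reserved anonymous uid, a short comment saying so would help. findUser's body continues outside the hunk.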