diff options
author | Daniel Stenberg <daniel@haxx.se> | 2006-03-20 07:32:50 +0000 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2006-03-20 07:32:50 +0000 |
commit | 5975229919b54c0a780bdc8d1bdd5baf6d5959bf (patch) | |
tree | fd144da47bb071213e2957ccff7929d7f530940b | |
parent | 38295e8a75c5189fbb382c0bcb5720e47778e61a (diff) |
fixed tftp packet overflow risk
-rw-r--r-- | CHANGES | 11 | ||||
-rw-r--r-- | RELEASE-NOTES | 13 | ||||
-rw-r--r-- | lib/tftp.c | 9 |
3 files changed, 25 insertions, 8 deletions
@@ -6,6 +6,17 @@ Changelog +Daniel (16 March 2006) +- Tor Arntsen provided a RPM spec file for AIX Toolbox, that now is included + in the release archive. + +Daniel (14 March 2006) +- David McCreedy fixed: + + a bad SSL error message when OpenSSL certificates are verified fine. + + a missing return code assignment in the FTP code + Daniel (7 March 2006) - Markus Koetter filed debian bug report #355715 which identified a problem with the multi interface and multi-part formposts. The fix from February diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 4de87c211..5ce5b8e11 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -11,25 +11,30 @@ Curl and libcurl 7.15.3 This release includes the following changes: - o + o added docs for --ftp-method and CURLOPT_FTP_FILEMETHOD This release includes the following bugfixes: + o TFTP Packet Buffer Overflow Vulnerability: + http://curl.haxx.se/docs/adv_20060320.html + o properly detecting problems with sending the FTP command USER + o wrong error message shown when certificate verification failed o multi-part formpost with multi interface crash o the CURLFTPSSL_CONTROL setting for CURLOPT_FTP_SSL is acknowledged - o "SSL: couldn't set callback" is now a less serious problem + o "SSL: couldn't set callback" is now treated as a less serious problem o Interix build fix - o fixed "hang" when out of file handles at start + o fixed curl "hang" when out of file handles at start o prevent FTP uploads to URLs with trailing slash Other curl-related news since the previous public release: o pycurl-7.15.2 has been released: http://pycurl.sf.net + o http://curl.download.nextag.com/ is a new US curl web mirror! This release would not have looked like this without help, code, reports and advice from friends like these: Gisle Vanem, Dan Fandrich, Thomas Klausner, Todd Vierling, Peter Heuchert, - Markus Koetter + Markus Koetter, David McCreedy, Tor Arntsen Thanks! (and sorry if I forgot to mention someone) diff --git a/lib/tftp.c b/lib/tftp.c index da250fca8..6560a484d 100644 --- a/lib/tftp.c +++ b/lib/tftp.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2005, Daniel Stenberg, <daniel@haxx.se>, et al. + * Copyright (C) 1998 - 2006, Daniel Stenberg, <daniel@haxx.se>, et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -271,8 +271,9 @@ static void tftp_send_first(tftp_state_data_t *state, tftp_event_t event) /* If we are downloading, send an RRQ */ state->spacket.event = htons(TFTP_EVENT_RRQ); } - sprintf((char *)state->spacket.u.request.data, "%s%c%s%c", - filename, '\0', mode, '\0'); + snprintf((char *)state->spacket.u.request.data, + sizeof(state->spacket.u.request.data), + "%s%c%s%c", filename, '\0', mode, '\0'); sbytes = 4 + (int)strlen(filename) + (int)strlen(mode); sbytes = sendto(state->sockfd, (void *)&state->spacket, sbytes, 0, @@ -533,7 +534,7 @@ CURLcode Curl_tftp_connect(struct connectdata *conn, bool *done) * The TFTP code is not portable because it sends C structs directly over * the wire. Since C gives compiler writers a wide latitude in padding and * aligning structs, this fails on many architectures (e.g. ARM). - * + * * The only portable way to fix this is to copy each struct item into a * flat buffer and send the flat buffer instead of the struct. The * alternative, trying to get the compiler to eliminate padding bytes |