aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaniel Stenberg <daniel@haxx.se>2006-03-20 07:32:50 +0000
committerDaniel Stenberg <daniel@haxx.se>2006-03-20 07:32:50 +0000
commit5975229919b54c0a780bdc8d1bdd5baf6d5959bf (patch)
treefd144da47bb071213e2957ccff7929d7f530940b
parent38295e8a75c5189fbb382c0bcb5720e47778e61a (diff)
fixed tftp packet overflow risk
-rw-r--r--CHANGES11
-rw-r--r--RELEASE-NOTES13
-rw-r--r--lib/tftp.c9
3 files changed, 25 insertions, 8 deletions
diff --git a/CHANGES b/CHANGES
index 95a9c2a49..bd2a1a7e9 100644
--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,17 @@
Changelog
+Daniel (16 March 2006)
+- Tor Arntsen provided a RPM spec file for AIX Toolbox, that now is included
+ in the release archive.
+
+Daniel (14 March 2006)
+- David McCreedy fixed:
+
+ a bad SSL error message when OpenSSL certificates are verified fine.
+
+ a missing return code assignment in the FTP code
+
Daniel (7 March 2006)
- Markus Koetter filed debian bug report #355715 which identified a problem
with the multi interface and multi-part formposts. The fix from February
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 4de87c211..5ce5b8e11 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -11,25 +11,30 @@ Curl and libcurl 7.15.3
This release includes the following changes:
- o
+ o added docs for --ftp-method and CURLOPT_FTP_FILEMETHOD
This release includes the following bugfixes:
+ o TFTP Packet Buffer Overflow Vulnerability:
+ http://curl.haxx.se/docs/adv_20060320.html
+ o properly detecting problems with sending the FTP command USER
+ o wrong error message shown when certificate verification failed
o multi-part formpost with multi interface crash
o the CURLFTPSSL_CONTROL setting for CURLOPT_FTP_SSL is acknowledged
- o "SSL: couldn't set callback" is now a less serious problem
+ o "SSL: couldn't set callback" is now treated as a less serious problem
o Interix build fix
- o fixed "hang" when out of file handles at start
+ o fixed curl "hang" when out of file handles at start
o prevent FTP uploads to URLs with trailing slash
Other curl-related news since the previous public release:
o pycurl-7.15.2 has been released: http://pycurl.sf.net
+ o http://curl.download.nextag.com/ is a new US curl web mirror!
This release would not have looked like this without help, code, reports and
advice from friends like these:
Gisle Vanem, Dan Fandrich, Thomas Klausner, Todd Vierling, Peter Heuchert,
- Markus Koetter
+ Markus Koetter, David McCreedy, Tor Arntsen
Thanks! (and sorry if I forgot to mention someone)
diff --git a/lib/tftp.c b/lib/tftp.c
index da250fca8..6560a484d 100644
--- a/lib/tftp.c
+++ b/lib/tftp.c
@@ -5,7 +5,7 @@
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
- * Copyright (C) 1998 - 2005, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2006, Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
@@ -271,8 +271,9 @@ static void tftp_send_first(tftp_state_data_t *state, tftp_event_t event)
/* If we are downloading, send an RRQ */
state->spacket.event = htons(TFTP_EVENT_RRQ);
}
- sprintf((char *)state->spacket.u.request.data, "%s%c%s%c",
- filename, '\0', mode, '\0');
+ snprintf((char *)state->spacket.u.request.data,
+ sizeof(state->spacket.u.request.data),
+ "%s%c%s%c", filename, '\0', mode, '\0');
sbytes = 4 + (int)strlen(filename) + (int)strlen(mode);
sbytes = sendto(state->sockfd, (void *)&state->spacket,
sbytes, 0,
@@ -533,7 +534,7 @@ CURLcode Curl_tftp_connect(struct connectdata *conn, bool *done)
* The TFTP code is not portable because it sends C structs directly over
* the wire. Since C gives compiler writers a wide latitude in padding and
* aligning structs, this fails on many architectures (e.g. ARM).
- *
+ *
* The only portable way to fix this is to copy each struct item into a
* flat buffer and send the flat buffer instead of the struct. The
* alternative, trying to get the compiler to eliminate padding bytes