Changeset 34 for trunk/src/sh_forward.c

Timestamp:

May 19, 2006, 8:09:51 PM (18 years ago)

Author:

rainer

Message:

Code cleanup and minor fixes

File:

• trunk/src/sh_forward.c (modified) (22 diffs)

trunk/src/sh_forward.c

@@ -139 +139 @@
 #include "rijndael-api-fst.h"
 char * sh_tools_makePack (unsigned char * header, 
-                          char * payload, int payload_size,
+                          char * payload, unsigned long payload_size,
                           keyInstance * keyInstE);
 char * sh_tools_revertPack (unsigned char * header, char * message,
@@ -305 +305 @@
     }
 
-  len = sl_strlen(salt) + sl_strlen(skey->vernam) + 1;
-  if (nounce != NULL) 
+  len = sl_strlen(salt) + 1;
+  if (sl_ok_adds(len, sl_strlen(skey->vernam)))
+    len += sl_strlen(skey->vernam);
+  if (nounce != NULL && sl_ok_adds(len, sl_strlen(nounce))) 
     len += sl_strlen(nounce);
   
@@ -394 +396 @@
     {
       put_header (head, (int)protocol, &length, micro);
-      msg2buf  = sh_tools_makePack (head, msgbuf, (int) length, 
+      msg2buf  = sh_tools_makePack (head, msgbuf, length, 
                                     &(skey->keyInstE));
       /*@-usedef@*/
@@ -406 +408 @@
       blkfac  = length/B_SIZ;
       rem     = (int) (length - (B_SIZ * blkfac));
-      length2 = (B_SIZ * blkfac) + ((rem == 0) ? 0 : B_SIZ);
+      length2 = (B_SIZ * blkfac);
+      if ((rem > 0) && (length2+B_SIZ) > length2) 
+        length2 += B_SIZ;
+      else
+        rem = 0;
 
       msg2buf = SH_ALLOC((size_t)length2);
@@ -549 +555 @@
   SL_ENTER(_("sh_forward_receive_intern"));
 
+#ifdef SH_ENCRYPT
+  /* make sure length is not multiple of B_SIZ, see below 
+   */
+  ASSERT_RET((length % B_SIZ != 0), _("length % 16 != 0"), flag_err);
+#endif
+
   if (micro != NULL)
     micro[4]     = '\0';
@@ -608 +620 @@
       head_length = (unsigned long) (256 * (unsigned int)head[1] + 
                                      (unsigned int)head[2]);
-      head_length = (head_length > length ? length : head_length);
-      length      = head_length;
+
+      /* 
+       * revertPack returns header with length <= (original_length-16), so
+       * the following msgbuf[length] = '\0' is always safe.
+       * Nevertheless, check for proper length.
+       */
+      if (head_length <= (length-1))
+        length      = head_length;
+      else
+        --length;
 
       memcpy(msgbuf, tmp, (size_t)length);
@@ -627 +647 @@
        */
       blkfac  = countbytes/B_SIZ;
-      /* length2 = (B_SIZ * blkfac); */
+
       p       = msgbuf;
       q       = msgbuf;
@@ -638 +658 @@
                         _("sh_forward_receive_intern: cipherInit"));
 
+      /* here we want to have (length % B_SIZ != 0), such that the
+       * terminating '\0' cannot be overwritten
+       */
       for (j = 0; j < blkfac; ++j)
         {
@@ -648 +671 @@
                             _("sh_forward_receive_intern: blockDecrypt"));
           memcpy(q, outBlock, B_SIZ);
-          p += 16;
-          q += 16;
+          p += B_SIZ;
+          q += B_SIZ;
         }
     }
@@ -1047 +1070 @@
           timeout_val *= 2;
           sh_error_handle((-1), FIL__, __LINE__, 0, MSG_TCP_NOAUTH);
-          memset(answer, 0, sizeof(answer));
+          memset(answer, 0, 512);
           MUNLOCK(answer, 512);
           SH_FREE(answer);
@@ -1238 +1261 @@
           timeout_val *= 2;
           sh_error_handle((-1), FIL__, __LINE__, 0, MSG_TCP_NOAUTH);
-          memset(answer, '\0', sizeof(answer));
+          memset(answer, '\0', 512);
           MUNLOCK(answer, 512);
           SH_FREE(answer);
@@ -1257 +1280 @@
     {
       timeout_val = 1;
-      memset(answer, 0, sizeof(answer));
+      memset(answer, 0, 512);
       MUNLOCK(answer, 512);
       SH_FREE(answer);
@@ -1626 +1649 @@
                                             head_u, 
                                             answer, 
-                                            TRANS_BYTES + 256);
+                                            TRANS_BYTES + 255);
 
                 TPT(( 0, FIL__, __LINE__, 
@@ -2004 +2027 @@
     }
   
-  if (sepnum == 2 && sep[0] > 0)
+  if ((sepnum == 2) && (sep[0] > 0) && (sep[1] > sep[0]))
     {
       newclt = SH_ALLOC (sizeof(client_t));
@@ -2222 +2245 @@
                                int docrypt)
 {
-  register unsigned long i;
+  /* register unsigned long i; */
   unsigned long           length2;
 
@@ -2251 +2274 @@
       blkfac  = length/B_SIZ;
       rem     = length - (B_SIZ * blkfac);
-      length2 = (B_SIZ * blkfac) + ((rem == 0) ? 0 : B_SIZ);
+      length2 = (B_SIZ * blkfac);
+      if (rem > 0 && (length2 + B_SIZ) > length2) 
+        length2 += B_SIZ;
+      else
+        rem = 0;
     }
   else
@@ -2289 +2316 @@
                                      &(conn->client_entry->keyInstE));
     }
-  else if ((S_TRUE == docrypt) && ((protocol & SH_PROTO_ENC) != 0))
+  else if ((S_TRUE == docrypt) && ((protocol & SH_PROTO_ENC) != 0) &&
+           ((length2 + 1) > length2))
     {
       conn->buf       = SH_ALLOC(length2 + 1);
@@ -2337 +2365 @@
   else
     {
+      if ((length2 + 1) < length2) --length2;
       conn->buf       = SH_ALLOC(length2 + 1);
 
+      memcpy(conn->buf, msg, length2);
+      /*
       for (i = 0; i < length2; ++i) 
         conn->buf[i] = msg[i];
+      */
       conn->buf[length2] = '\0';
       TPT((0, FIL__, __LINE__, _("msg=<no encryption done>\n") ));
     }
 #else
+  if ((length2 + 1) < length2) --length2;
   conn->buf       = SH_ALLOC(length2 + 1);
 
+  memcpy(conn->buf, msg, length2);
+  /*
   for (i = 0; i < length; ++i) 
     conn->buf[i] = msg[i];
+  */
   conn->buf[length2] = '\0';
   TPT((0, FIL__, __LINE__, _("msg=<no encryption done>\n") ));
@@ -2856 +2892 @@
                   conn->K = NULL;
                 }
-              len = sl_strlen(&(conn->buf[KEY_LEN])) + KEY_LEN + 1;
-              conn->K = SH_ALLOC(len);
+
+              /* FIXME
+              len = sl_strlen(&(conn->buf[KEY_LEN])) + 1;
+              if (sl_ok_adds(len, KEY_LEN))
+                len += KEY_LEN;
+              len = (len < (KEY_LEN+1)) ? (KEY_LEN+1) : len;
+              */
+              conn->K = SH_ALLOC(KEY_LEN+1);
 
               sl_strlcpy (conn->K, 
@@ -3316 +3358 @@
                   conn->K = NULL;
                 }
-              len = sl_strlen(&(conn->buf[KEY_LEN])) + KEY_LEN + 1;
-              conn->K = SH_ALLOC(len);
+              /* FIXME len = sl_strlen(&(conn->buf[KEY_LEN])) + KEY_LEN + 1; */
+              conn->K = SH_ALLOC(KEY_LEN + 1);
 
               sl_strlcpy (conn->K, 
@@ -4327 +4369 @@
           if (conn->buf != NULL)
             SH_FREE (conn->buf);
-          conn->buf       = SH_ALLOC (conn->bytes_to_get + 1);
+          conn->buf = SH_ALLOC(conn->bytes_to_get + 1); /* <= TRANS_BYTES+1 */
           conn->bytecount = 0;
         }
@@ -4863 +4905 @@
   maxconn = (((int)FD_SETSIZE) < maxconn) ? FD_SETSIZE : maxconn;
 
+  if (maxconn < 0 || !sl_ok_muls(maxconn, sizeof(sh_conn_t)))
+    {
+      sh_error_handle((-1), FIL__, __LINE__, 0, MSG_START_SRV,
+                      0, sock);
+      aud_exit (FIL__, __LINE__, EXIT_FAILURE);
+    }
   conns   = SH_ALLOC (sizeof(sh_conn_t) * maxconn);