[PATCH to fix my PATCH 2/5] fix a bug by which a malicious "GlobalProtect JavaScript mess" could cause a buffer overflow

Daniel Lenski dlenski at gmail.com
Wed Mar 7 04:33:08 PST 2018


David Woodhouse wrote:
>
> Daniel Lenski wrote:
> >
> > Also, in parse_javascript(), consider an input line which looks like:
> >
> >    var respMsg = ";\n
> >
> > When you set '*prompt = strndup(start, end-start-2);
> >
> > ... what is the value of 'end-start-2'?
>

Signed-off-by: Daniel Lenski <dlenski at gmail.com>
---
 gpst.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gpst.c b/gpst.c
index 85987b2..e890098 100644
--- a/gpst.c
+++ b/gpst.c
@@ -172,7 +172,7 @@ static int parse_javascript(char *buf, char **prompt, char **inputStr)
 
 	start = end+strlen(pre_prompt);
 	end = strchr(start, '\n');
-	if (!end || end[-1] != ';' || end[-2] != '"')
+	if (!end || end[-1] != ';' || end[-2] != '"' || (end<start+2))
 		goto err;
 
 	if (prompt)
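Review bot: the new bound `(end<start+2)` is evaluated last, after `end[-1]` and `end[-2]` have already been read; the order should be reversed so the length check guards the indexed reads, e.g. `if (!end || end < start+2 || end[-1] != ';' || end[-2] != '"')`. With the check placed first, the `";\n` case from the quoted discussion (where `end == start+1` and `end[-2]` is the opening quote inside `pre_prompt`) is rejected before any character comparison, and the boundary case `end == start+2` still passes, leaving `strndup(start, end-start-2)` with a length of 0 (an empty prompt) rather than a negative value. The stray parentheses around the new subexpression also differ from the style of the three existing conditions and can be dropped.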
@@ -186,7 +186,7 @@ static int parse_javascript(char *buf, char **prompt, char **inputStr)
 
 	start = end+strlen(pre_inputStr);
 	end = strchr(start, '\n');
-	if (!end || end[-1] != ';' || end[-2] != '"')
+	if (!end || end[-1] != ';' || end[-2] != '"' || (end<start+2))
 		goto err2;
 
 	if (inputStr)
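Review bot: this is the same four-condition check as in the `prompt` branch above, now duplicated with the same ordering issue (the bound check `(end<start+2)` should precede the `end[-1]`/`end[-2]` reads). Since both call sites follow the identical pattern (`start = end+strlen(prefix); end = strchr(start, '\n'); validate; strndup(start, end-start-2)`), a small static helper that takes `start` and returns the validated `end` (or NULL) would keep the two checks from drifting apart again; the only difference between the two blocks is the `err`/`err2` label jumped to on failure.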
-- 
2.7.4

More information about the openconnect-devel mailing list