[PATCH 2/5] add PAN GlobalProtect protocol support (HTTPS tunnel only)
David Woodhouse
dwmw2 at infradead.org
Wed Mar 7 01:34:02 PST 2018
On Wed, 2018-03-07 at 10:01 +0200, Daniel Lenski wrote:
> What do you prefer? Refactoring the two versions of xmlnode_get_text()
> down to a single function, renaming the gpst.c version, something
> else…?
Don't know... one option is to ditch it entirely. Some of those cases
where you're just using atoi(s); free(s); after it might be better done
with xmlnode_is_named() and atoi(xml_node->content) perhaps?
ISTR you saying that referencing node->content doesn't work? I don't
recall the details...
> > > +/* We behave like CSTP — create a linked list in vpninfo->cstp_options
> > > + * with the strings containing the information we got from the server,
> > > + * and oc_ip_info contains const copies of those pointers.
> > > + *
> > > + * (unlike version in oncp.c, val is stolen rather than strdup'ed) */
> > Er...
> >
> > >
> > > +
> > > +static const char *add_option(struct openconnect_info *vpninfo, const char *opt, const char *val)
> > .... make it 'char *val' then, if it's stolen...
> >
> > >
> > > +{
> > > + struct oc_vpn_option *new = malloc(sizeof(*new));
> > > + if (!new)
> > > + return NULL;
> > > +
> > > + new->option = strdup(opt);
> > > + if (!new->option) {
> > > + free(new);
> > > + return NULL;
> > > + }
> > > + new->value = strdup(val);
> >
> > ... but I still see a strdup(). And should it *free* 'val' in the error
> > patch if it was going to take ownership of it?
>
> Comment is straight-up wrong and obsolete. We changed this in a
> previous iteration of the patches. Good catch.
But then you are *using* add_option as the comment describes it:
for (xml_node = xml_node->children; xml_node; xml_node=xml_node->next) {
if (!xmlnode_get_text(xml_node, "ip-address", &s))
vpninfo->ip_info.addr = add_option(vpninfo, "ipaddr", s);
That add_option() call *is* assuming that the 's' value will be stolen, surely?
Maybe we should pass the xmlNode into add_option() not a string? Then
it's nice and simple. And more xmlnode_get_text() invocations can turn
into simple xmlnode_is_named()? The above code becomes
for (xml_node = xml_node->children; xml_node; xml_node=xml_node->next) {
if (!xmlnode_is_named(xml_node, "ip-address"))
vpninfo->ip_info.addr = add_option(vpninfo, "ipaddr", xml_node);
> >
> > Also, in parse_javascript(), consider an input line which looks like:
> >
> > var respMsg = ";
> >
> > When you set '*prompt = strndup(start, end-start-2);
> >
> > ... what is the value of 'end-start-2'?
> 0 in that case. I've already verified that end[-1] == ';' && end[-2]
> == '"' before getting to this point, so it's not possible for it to be
> negative.
#include <stdio.h>
#include <string.h>
int main(void)
{
const char *pre_prompt = "var respMsg = \"";
char *attack = "var respMsg = \";\n";
char *start, *end = attack;
start = end+strlen(pre_prompt);
end = strchr(start, '\n');
if (!end || end[-1] != ';' || end[-2] != '"') {
printf("no match\n");
return 1;
}
printf("end is %p, start %p, end-start-2 %ld\n",
end, start, (long)(end-start-2));
return 0;
}
$ ./f
end is 0x400758, start 0x400757, end-start-2 -1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5213 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20180307/966d8a17/attachment-0001.bin>
More information about the openconnect-devel
mailing list