[PATCH to fix my PATCH 2/5] fix a bug by which a malicious "GlobalProtect JavaScript mess" could cause a buffer overflow
Daniel Lenski
dlenski at gmail.com
Wed Mar 7 04:33:08 PST 2018
David Woodhouse wrote:
>
> Daniel Lenski wrote:
> >
> > Also, in parse_javascript(), consider an input line which looks like:
> >
> > var respMsg = ";\n
> >
> > When you set '*prompt = strndup(start, end-start-2);
> >
> > ... what is the value of 'end-start-2'?
>
Signed-off-by: Daniel Lenski <dlenski at gmail.com>
---
gpst.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gpst.c b/gpst.c
index 85987b2..e890098 100644
--- a/gpst.c
+++ b/gpst.c
@@ -172,7 +172,7 @@ static int parse_javascript(char *buf, char **prompt, char **inputStr)
start = end+strlen(pre_prompt);
end = strchr(start, '\n');
- if (!end || end[-1] != ';' || end[-2] != '"')
+ if (!end || end[-1] != ';' || end[-2] != '"' || (end<start+2))
goto err;
if (prompt)
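Review bot: the new `(end<start+2)` guard is the last operand of the `||` chain, so `end[-1]` and `end[-2]` are still dereferenced before it is evaluated; that is only safe because `start = end+strlen(pre_prompt)` guarantees the prefix bytes precede `start` in the buffer. Putting the length check first, as in `if (!end || end < start+2 || end[-1] != ';' || end[-2] != '"')`, makes the check independent of the prefix length and reads in the order the reasoning goes (enough bytes, then the right bytes). Minor: `end<start+2` is spaced differently from the `end[-1] != ';'` comparisons on the same line.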
@@ -186,7 +186,7 @@ static int parse_javascript(char *buf, char **prompt, char **inputStr)
start = end+strlen(pre_inputStr);
end = strchr(start, '\n');
- if (!end || end[-1] != ';' || end[-2] != '"')
+ if (!end || end[-1] != ';' || end[-2] != '"' || (end<start+2))
goto err2;
if (inputStr)
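Review bot: this is the second verbatim copy of the prefix/`";` validation (the first sits in the prompt branch above), differing only in the prefix string and the error label; a small helper that takes `start` and returns the validated `end` or NULL would keep both call sites in step so that a later fix like this one cannot land in one branch and be missed in the other. The same operand-order point applies here: place `end < start+2` ahead of the `end[-1]`/`end[-2]` reads.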
--
2.7.4
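The underflow described in the quoted exchange, as an added stand-alone C illustration (not openconnect's gpst.c): the same prefix/`";` validation with the `end < start + 2` guard placed before the `end[-1]`/`end[-2]` reads, so the `var respMsg = ";` line is rejected instead of producing a negative length. The `var respMsg = "` prefix is an assumption taken from the quoted example line.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Assumed prefix of the JavaScript line:  var respMsg = "<text>";\n  */
static const char pre_prompt[] = "var respMsg = \"";

/* Returns a freshly allocated copy of <text>, or NULL if the line is
 * malformed. The caller frees the result. */
char *extract_prompt(const char *buf)
{
    const char *start, *end;
    size_t len;
    char *out;

    start = strstr(buf, pre_prompt);
    if (!start)
        return NULL;
    start += strlen(pre_prompt);

    end = strchr(start, '\n');
    /* For the line  var respMsg = ";  we get end == start + 1, so
     * end - start - 2 would wrap to roughly SIZE_MAX. The length check
     * runs first, before the trailing characters are inspected. */
    if (!end || end < start + 2 || end[-1] != ';' || end[-2] != '"')
        return NULL;

    len = (size_t)(end - start - 2);   /* bytes between the quotes */
    out = malloc(len + 1);
    if (!out)
        return NULL;
    memcpy(out, start, len);
    out[len] = '\0';
    return out;
}

/* 1 if the line parses, 0 if it is rejected. */
int prompt_accepted(const char *buf)
{
    char *p = extract_prompt(buf);
    if (!p)
        return 0;
    free(p);
    return 1;
}
```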