diff options
author | Denys Vlasenko | 2018-09-04 14:48:00 +0200 |
---|---|---|
committer | Denys Vlasenko | 2018-09-04 14:48:00 +0200 |
commit | 3d6f95ede6e98cd245cfbdc4c429a184f6c0d717 (patch) | |
tree | 5b44abec395055fc861ad07bd4f8a2a7acdb1caf /networking/whois.c | |
parent | 8f1ae256347b32057d32846f915f53f9106f00bc (diff) | |
download | busybox-3d6f95ede6e98cd245cfbdc4c429a184f6c0d717.zip busybox-3d6f95ede6e98cd245cfbdc4c429a184f6c0d717.tar.gz |
whois: fix a possible out-of-bounds stack access
If fgets() returns incomplete string, we replace NUL with
'\n', and then trim() runs on a non-NUL-terminated buffer.
Prevent that.
While at it, bump buffer from 1k to 2k.
function old new delta
query 519 524 +5
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Diffstat (limited to 'networking/whois.c')
-rw-r--r-- | networking/whois.c | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/networking/whois.c b/networking/whois.c index f0ec863..f3da32b 100644 --- a/networking/whois.c +++ b/networking/whois.c @@ -39,20 +39,26 @@ static char *query(const char *host, int port, const char *domain) bool success; char *redir = NULL; const char *pfx = ""; - char linebuf[1024]; + /* some .io domains reported to have very long strings in whois + * responses, 1k was not enough: + */ + char linebuf[2 * 1024]; char *buf = NULL; unsigned bufpos = 0; again: printf("[Querying %s:%d '%s%s']\n", host, port, pfx, domain); fd = create_and_connect_stream_or_die(host, port); - success = 0; fdprintf(fd, "%s%s\r\n", pfx, domain); fp = xfdopen_for_read(fd); - while (fgets(linebuf, sizeof(linebuf), fp)) { - unsigned len = strcspn(linebuf, "\r\n"); + success = 0; + while (fgets(linebuf, sizeof(linebuf)-1, fp)) { + unsigned len; + + len = strcspn(linebuf, "\r\n"); linebuf[len++] = '\n'; + linebuf[len] = '\0'; buf = xrealloc(buf, bufpos + len + 1); memcpy(buf + bufpos, linebuf, len); |