From 3d6f95ede6e98cd245cfbdc4c429a184f6c0d717 Mon Sep 17 00:00:00 2001
From: Denys Vlasenko
Date: Tue, 4 Sep 2018 14:48:00 +0200
Subject: whois: fix a possible out-of-bounds stack access
If fgets() returns incomplete string, we replace NUL with '\n', and then trim() runs on a non-NUL-terminated buffer. Prevent that. While at it, bump buffer from 1k to 2k.
function old new delta
query 519 524 +5
Signed-off-by: Denys Vlasenko
---
 networking/whois.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
(limited to 'networking/whois.c')
diff --git a/networking/whois.c b/networking/whois.c
index f0ec86301..f3da32b4e 100644
--- a/networking/whois.c
+++ b/networking/whois.c
@@ -39,20 +39,26 @@ static char *query(const char *host, int port, const char *domain)
 bool success;
 char *redir = NULL;
 const char *pfx = "";
- char linebuf[1024];
+ /* some .io domains reported to have very long strings in whois
+ * responses, 1k was not enough:
+ */
+ char linebuf[2 * 1024];
 char *buf = NULL;
 unsigned bufpos = 0;
 again:
 printf("[Querying %s:%d '%s%s']\n", host, port, pfx, domain);
 fd = create_and_connect_stream_or_die(host, port);
- success = 0;
 fdprintf(fd, "%s%s\r\n", pfx, domain);
 fp = xfdopen_for_read(fd);
- while (fgets(linebuf, sizeof(linebuf), fp)) {
- unsigned len = strcspn(linebuf, "\r\n");
+ success = 0;
+ while (fgets(linebuf, sizeof(linebuf)-1, fp)) {
+ unsigned len;
+
+ len = strcspn(linebuf, "\r\n");
 linebuf[len++] = '\n';
+ linebuf[len] = '\0';
 buf = xrealloc(buf, bufpos + len + 1);
 memcpy(buf + bufpos, linebuf, len);
--
cgit v1.2.3
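Review bot: The `-1` in `while (fgets(linebuf, sizeof(linebuf)-1, fp))` is the only thing keeping the stores `linebuf[len++] = '\n'` and `linebuf[len] = '\0'` inside the array when the server sends a line with no newline before the buffer fills, yet nothing at the call site says so. A later cleanup back to plain `sizeof(linebuf)` would put the NUL store one byte past the end of the stack buffer. I would add a comment above the loop such as `/* -1: reserve one byte so '\n' plus NUL always fit after a truncated fgets() */`. Separately, an over-long response line is still consumed in chunks and each chunk gets a `'\n'` appended, so the tail of that line is presented as a fresh line to whatever inspects `linebuf` later in the loop; that code is outside the hunk, so whether it matters for the server-supplied text parsed there needs checking. query() begins before and continues past this hunk.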