[openobex/f13/master] - fix security issue when creating file - fix obex_object_resume for server side role

Vojtěch Vítek vvitek at fedoraproject.org
Tue Oct 19 08:40:15 UTC 2010


commit 1eeb791a7f220abf627be955dc42b6caeacf23f6
Author: Vojtech Vitek (V-Teq) <vvitek at redhat.com>
Date:   Mon Oct 18 17:47:51 2010 +0200

    - fix security issue when creating file
    - fix obex_object_resume for server side role

 openobex-1.3-ircp.patch                 |   30 ----------
 openobex-1.5-create-file.patch          |   55 +++++++++++++++++
 openobex-1.5-server-object-resume.patch |   97 +++++++++++++++++++++++++++++++
 openobex.spec                           |   12 +++-
 4 files changed, 161 insertions(+), 33 deletions(-)
---
diff --git a/openobex-1.5-create-file.patch b/openobex-1.5-create-file.patch
new file mode 100644
index 0000000..880fd0f
--- /dev/null
+++ b/openobex-1.5-create-file.patch
@@ -0,0 +1,55 @@
+From 680644122e46c96864873ce92cbe1c21e295f847 Mon Sep 17 00:00:00 2001
+From: Hendrik Sattler <post at hendrik-sattler.de>
+Date: Sun, 14 Dec 2008 09:54:13 +0100
+Subject: [PATCH] Fix security issue when creating file
+
+This patch fixes receiving files without overwriting existing files by
+giving the new file a random name using mkstemp().
+---
+ ircp/ircp_io.c |   20 +++++++++++++++-----
+ 1 files changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/ircp/ircp_io.c b/ircp/ircp_io.c
+index a3db965..fcd4365 100644
+--- a/ircp/ircp_io.c
++++ b/ircp/ircp_io.c
+@@ -143,13 +143,20 @@ int ircp_open_safe(const char *path, const char *name)
+ 	if(ircp_nameok(name) == FALSE)
+ 		return -1;
+ 
+-	//TODO! Rename file if already exist.
++	if (path == NULL || strnlen(path,sizeof(diskname)) == 0)
++	        path = ".";
++	if (snprintf(diskname, sizeof(diskname), "%s/%s", path, name) >= sizeof(diskname))
++	        return -1;
+ 
+-	snprintf(diskname, MAXPATHLEN, "%s/%s", path, name);
++	/* never overwrite an existing file */
++	fd = open(diskname, O_RDWR | O_CREAT | O_EXCL, DEFFILEMODE);
++	if (fd < 0 &&
++	    snprintf(diskname, sizeof(diskname), "%s/%s_XXXXXX", path, name) < sizeof(diskname))
++	        fd = mkstemp(diskname);
+ 
+-	DEBUG(4, "Creating file %s\n", diskname);
++	if (fd >= 0)
++	        DEBUG(4, "Creating file %s\n", diskname);
+ 
+-	fd = open(diskname, O_RDWR | O_CREAT | O_TRUNC, DEFFILEMODE);
+ 	return fd;
+ }
+ 
+@@ -167,7 +174,10 @@ int ircp_checkdir(const char *path, const char *dir, cd_flags flags)
+ 			return -1;
+ 	}
+ 
+-	snprintf(newpath, MAXPATHLEN, "%s/%s", path, dir);
++	if (strnlen(path,sizeof(newpath)) != 0)
++		snprintf(newpath, sizeof(newpath), "%s/%s", path, dir);
++	else
++		strncpy(newpath, dir, sizeof(newpath));
+ 
+ 	DEBUG(4, "path = %s dir = %s, flags = %d\n", path, dir, flags);
+ 	if(stat(newpath, &statbuf) == 0) {
+-- 
+1.7.2.3
+
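Review bot: In the ircp_checkdir hunk of the embedded patch, `strncpy(newpath, dir, sizeof(newpath));` leaves `newpath` without a terminating NUL when `dir` is at least `sizeof(newpath)` bytes long, and the `snprintf` in the other branch ignores truncation, so an unterminated or shortened path can reach `stat()`. ircp_open_safe in the same patch already rejects an over-long name; the same test fits here, e.g. `if (snprintf(newpath, sizeof(newpath), "%s", dir) >= sizeof(newpath)) return -1;` for the empty-path branch and the equivalent check on the `"%s/%s"` call. This hunk also passes `path` to `strnlen()` without the `path == NULL` guard that ircp_open_safe gained. ircp_checkdir starts and continues outside the hunk, so what is done with `newpath` after `stat()` is not visible here.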
diff --git a/openobex-1.5-server-object-resume.patch b/openobex-1.5-server-object-resume.patch
new file mode 100644
index 0000000..6fa6824
--- /dev/null
+++ b/openobex-1.5-server-object-resume.patch
@@ -0,0 +1,97 @@
+From 9f01069f6844a371ae14c30d85ae6d88467394eb Mon Sep 17 00:00:00 2001
+From: Zhao Forrest <forrest.zhao at gmail.com>
+Date: Wed, 24 Dec 2008 03:19:49 +0200
+Subject: [PATCH] Fix obex_object_resume for server side role
+
+---
+ lib/obex_object.c |   32 +++++++++++++++++++++++++-------
+ lib/obex_server.c |    9 ++++++++-
+ 2 files changed, 33 insertions(+), 8 deletions(-)
+
+diff --git a/lib/obex_object.c b/lib/obex_object.c
+index 482e6a7..f0e69a7 100644
+--- a/lib/obex_object.c
++++ b/lib/obex_object.c
+@@ -908,6 +908,8 @@ int obex_object_suspend(obex_object_t *object)
+ 
+ int obex_object_resume(obex_t *self, obex_object_t *object)
+ {
++	int ret;
++
+ 	if (!object->suspend)
+ 		return 0;
+ 
+@@ -916,16 +918,32 @@ int obex_object_resume(obex_t *self, obex_object_t *object)
+ 	if (object->first_packet_sent && !object->continue_received)
+ 		return 0;
+ 
+-	if (obex_object_send(self, object, TRUE, FALSE) < 0) {
+-		obex_deliver_event(self, OBEX_EV_LINKERR, object->opcode, 0, TRUE);
++	ret = obex_object_send(self, object, TRUE, FALSE);
++
++	if (ret < 0) {
++		obex_deliver_event(self, OBEX_EV_LINKERR,
++					object->opcode & ~OBEX_FINAL, 0, TRUE);
+ 		return -1;
++	} else if (ret == 0) {
++		obex_deliver_event(self, OBEX_EV_PROGRESS,
++					object->opcode & ~OBEX_FINAL, 0,
++					FALSE);
++		object->first_packet_sent = 1;
++		object->continue_received = 0;
++	} else {
++		if (self->state & MODE_SRV) {
++			obex_deliver_event(self, OBEX_EV_REQDONE,
++						object->opcode & ~OBEX_FINAL,
++						0, TRUE);
++			self->state = MODE_SRV | STATE_IDLE;
++			return 0;
++		}
+ 	}
+ 
+-	obex_deliver_event(self, OBEX_EV_PROGRESS, object->opcode, 0, FALSE);
+-
+-	self->state = MODE_CLI | STATE_REC;
+-	object->first_packet_sent = 1;
+-	object->continue_received = 0;
++	if (self->state & MODE_SRV)
++		self->state = MODE_SRV | STATE_REC;
++	else
++		self->state = MODE_CLI | STATE_REC;
+ 
+ 	return 0;
+ }
+diff --git a/lib/obex_server.c b/lib/obex_server.c
+index f27c8ee..cf19529 100644
+--- a/lib/obex_server.c
++++ b/lib/obex_server.c
+@@ -159,7 +159,7 @@ int obex_server(obex_t *self, buf_t *msg, int final)
+ 			} else
+ 				obex_deliver_event(self, OBEX_EV_PROGRESS, cmd, 0, FALSE);
+ 			break; /* Stay in this state if not final */
+-		} else {
++		} else if (!self->object->first_packet_sent) {
+ 			DEBUG(4, "We got a request!\n");
+ 			/* More connect-magic woodoo stuff */
+ 			if (cmd == OBEX_CMD_CONNECT)
+@@ -234,10 +234,17 @@ int obex_server(obex_t *self, buf_t *msg, int final)
+ 		 * See Obex spec v1.2, chapter 3.2, page 21 and 22.
+ 		 * See also example on chapter 7.3, page 47.
+ 		 * So, force the final bit here. - Jean II */
++		self->object->continue_received = 1;
++
++		if (self->object->suspend)
++			break;
++
+ 		ret = obex_object_send(self, self->object, TRUE, TRUE);
+ 		if (ret == 0) {
+ 			/* Made some progress */
+ 			obex_deliver_event(self, OBEX_EV_PROGRESS, cmd, 0, FALSE);
++			self->object->first_packet_sent = 1;
++			self->object->continue_received = 0;
+ 		} else if (ret < 0) {
+ 			/* Error sending response */
+ 			obex_deliver_event(self, OBEX_EV_LINKERR, cmd, 0, TRUE);
+-- 
+1.7.2.3
+
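Review bot: In obex_object_resume, a positive return from `obex_object_send()` in the client role now falls through to `self->state = MODE_CLI | STATE_REC` with no event delivered and `first_packet_sent`/`continue_received` left unchanged, whereas the removed code delivered OBEX_EV_PROGRESS and reset both flags for every non-negative return. If that is intended (a positive return appears to mean the object was sent completely, judging by the server branch), a comment on the `else` branch would make it explicit, for example `/* ret > 0: object fully sent; client falls through and waits for the response */`. The new `else if (!self->object->first_packet_sent)` and the `if (self->object->suspend) break;` in obex_server() deserve a similar one-line comment, since these flags now decide whether an incoming packet is treated as a new request or as a continue for a suspended response. The lines of obex_object_resume between the two hunks and most of obex_server() are outside the diff, so this is based only on the visible branches.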
diff --git a/openobex.spec b/openobex.spec
index a51d60a..db1f08e 100644
--- a/openobex.spec
+++ b/openobex.spec
@@ -1,7 +1,7 @@
 Summary: Library for using OBEX
 Name: openobex
 Version: 1.4
-Release: 3%{?dist}.1
+Release: 4%{?dist}
 License: GPLv2+
 Group: System Environment/Libraries
 URL: http://openobex.sourceforge.net
@@ -9,7 +9,8 @@ Source: http://downloads.sourceforge.net/openobex/openobex-%{version}.tar.gz
 Patch: openobex-apps-flush.patch
 Patch1: openobex-1.3-push.patch
 Patch2: openobex-1.3-autoconf.patch
-Patch3: openobex-1.3-ircp.patch
+Patch3: openobex-1.5-create-file.patch
+Patch4: openobex-1.5-server-object-resume.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: autoconf >= 2.57, bluez-libs-devel, sed, libusb-devel
@@ -43,7 +44,8 @@ calendar entries (vCal) and business cards (vCard) using the OBEX protocol.
 %patch -p1 -b .flush
 %patch1 -p1 -b .push
 %patch2 -p1 -b .autoconf
-%patch3 -p1 -b .ircp
+%patch3 -p1 -b .create-file
+%patch4 -p1 -b .server-object-resume
 autoreconf --install --force
 
 %build
@@ -87,6 +89,10 @@ rm -rf $RPM_BUILD_ROOT
 
 
 %changelog
+* Mon Oct 18 2010 Vojtech Vitek (V-Teq) <vvitek at redhat.com> 1.4-4
+- fix security issue when creating file
+- fix obex_object_resume for server side role
+
 * Thu Apr 01 2010 Karsten Hopp <karsten at redhat.com> 1.4-3.1
 - drop excludearch s390 s390x
 

