[openobex/f13/master] - fix security issue when creating file - fix obex_object_resume for server side role
Vojtěch Vítek
vvitek at fedoraproject.org
Tue Oct 19 08:40:15 UTC 2010
commit 1eeb791a7f220abf627be955dc42b6caeacf23f6
Author: Vojtech Vitek (V-Teq) <vvitek at redhat.com>
Date: Mon Oct 18 17:47:51 2010 +0200
- fix security issue when creating file
- fix obex_object_resume for server side role
openobex-1.3-ircp.patch | 30 ----------
openobex-1.5-create-file.patch | 55 +++++++++++++++++
openobex-1.5-server-object-resume.patch | 97 +++++++++++++++++++++++++++++++
openobex.spec | 12 +++-
4 files changed, 161 insertions(+), 33 deletions(-)
---
diff --git a/openobex-1.5-create-file.patch b/openobex-1.5-create-file.patch
new file mode 100644
index 0000000..880fd0f
--- /dev/null
+++ b/openobex-1.5-create-file.patch
@@ -0,0 +1,55 @@
+From 680644122e46c96864873ce92cbe1c21e295f847 Mon Sep 17 00:00:00 2001
+From: Hendrik Sattler <post at hendrik-sattler.de>
+Date: Sun, 14 Dec 2008 09:54:13 +0100
+Subject: [PATCH] Fix security issue when creating file
+
+This patch fixes receiving files without overwriting existing files by
+giving the new file a random name using mkstemp().
+---
+ ircp/ircp_io.c | 20 +++++++++++++++-----
+ 1 files changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/ircp/ircp_io.c b/ircp/ircp_io.c
+index a3db965..fcd4365 100644
+--- a/ircp/ircp_io.c
++++ b/ircp/ircp_io.c
+@@ -143,13 +143,20 @@ int ircp_open_safe(const char *path, const char *name)
+ if(ircp_nameok(name) == FALSE)
+ return -1;
+
+- //TODO! Rename file if already exist.
++ if (path == NULL || strnlen(path,sizeof(diskname)) == 0)
++ path = ".";
++ if (snprintf(diskname, sizeof(diskname), "%s/%s", path, name) >= sizeof(diskname))
++ return -1;
+
+- snprintf(diskname, MAXPATHLEN, "%s/%s", path, name);
++ /* never overwrite an existing file */
++ fd = open(diskname, O_RDWR | O_CREAT | O_EXCL, DEFFILEMODE);
++ if (fd < 0 &&
++ snprintf(diskname, sizeof(diskname), "%s/%s_XXXXXX", path, name) < sizeof(diskname))
++ fd = mkstemp(diskname);
+
+- DEBUG(4, "Creating file %s\n", diskname);
++ if (fd >= 0)
++ DEBUG(4, "Creating file %s\n", diskname);
+
+- fd = open(diskname, O_RDWR | O_CREAT | O_TRUNC, DEFFILEMODE);
+ return fd;
+ }
+
+@@ -167,7 +174,10 @@ int ircp_checkdir(const char *path, const char *dir, cd_flags flags)
+ return -1;
+ }
+
+- snprintf(newpath, MAXPATHLEN, "%s/%s", path, dir);
++ if (strnlen(path,sizeof(newpath)) != 0)
++ snprintf(newpath, sizeof(newpath), "%s/%s", path, dir);
++ else
++ strncpy(newpath, dir, sizeof(newpath));
+
+ DEBUG(4, "path = %s dir = %s, flags = %d\n", path, dir, flags);
+ if(stat(newpath, &statbuf) == 0) {
+--
+1.7.2.3
+
diff --git a/openobex-1.5-server-object-resume.patch b/openobex-1.5-server-object-resume.patch
new file mode 100644
index 0000000..6fa6824
--- /dev/null
+++ b/openobex-1.5-server-object-resume.patch
@@ -0,0 +1,97 @@
+From 9f01069f6844a371ae14c30d85ae6d88467394eb Mon Sep 17 00:00:00 2001
+From: Zhao Forrest <forrest.zhao at gmail.com>
+Date: Wed, 24 Dec 2008 03:19:49 +0200
+Subject: [PATCH] Fix obex_object_resume for server side role
+
+---
+ lib/obex_object.c | 32 +++++++++++++++++++++++++-------
+ lib/obex_server.c | 9 ++++++++-
+ 2 files changed, 33 insertions(+), 8 deletions(-)
+
+diff --git a/lib/obex_object.c b/lib/obex_object.c
+index 482e6a7..f0e69a7 100644
+--- a/lib/obex_object.c
++++ b/lib/obex_object.c
+@@ -908,6 +908,8 @@ int obex_object_suspend(obex_object_t *object)
+
+ int obex_object_resume(obex_t *self, obex_object_t *object)
+ {
++ int ret;
++
+ if (!object->suspend)
+ return 0;
+
+@@ -916,16 +918,32 @@ int obex_object_resume(obex_t *self, obex_object_t *object)
+ if (object->first_packet_sent && !object->continue_received)
+ return 0;
+
+- if (obex_object_send(self, object, TRUE, FALSE) < 0) {
+- obex_deliver_event(self, OBEX_EV_LINKERR, object->opcode, 0, TRUE);
++ ret = obex_object_send(self, object, TRUE, FALSE);
++
++ if (ret < 0) {
++ obex_deliver_event(self, OBEX_EV_LINKERR,
++ object->opcode & ~OBEX_FINAL, 0, TRUE);
+ return -1;
++ } else if (ret == 0) {
++ obex_deliver_event(self, OBEX_EV_PROGRESS,
++ object->opcode & ~OBEX_FINAL, 0,
++ FALSE);
++ object->first_packet_sent = 1;
++ object->continue_received = 0;
++ } else {
++ if (self->state & MODE_SRV) {
++ obex_deliver_event(self, OBEX_EV_REQDONE,
++ object->opcode & ~OBEX_FINAL,
++ 0, TRUE);
++ self->state = MODE_SRV | STATE_IDLE;
++ return 0;
++ }
+ }
+
+- obex_deliver_event(self, OBEX_EV_PROGRESS, object->opcode, 0, FALSE);
+-
+- self->state = MODE_CLI | STATE_REC;
+- object->first_packet_sent = 1;
+- object->continue_received = 0;
++ if (self->state & MODE_SRV)
++ self->state = MODE_SRV | STATE_REC;
++ else
++ self->state = MODE_CLI | STATE_REC;
+
+ return 0;
+ }
+diff --git a/lib/obex_server.c b/lib/obex_server.c
+index f27c8ee..cf19529 100644
+--- a/lib/obex_server.c
++++ b/lib/obex_server.c
+@@ -159,7 +159,7 @@ int obex_server(obex_t *self, buf_t *msg, int final)
+ } else
+ obex_deliver_event(self, OBEX_EV_PROGRESS, cmd, 0, FALSE);
+ break; /* Stay in this state if not final */
+- } else {
++ } else if (!self->object->first_packet_sent) {
+ DEBUG(4, "We got a request!\n");
+ /* More connect-magic woodoo stuff */
+ if (cmd == OBEX_CMD_CONNECT)
+@@ -234,10 +234,17 @@ int obex_server(obex_t *self, buf_t *msg, int final)
+ * See Obex spec v1.2, chapter 3.2, page 21 and 22.
+ * See also example on chapter 7.3, page 47.
+ * So, force the final bit here. - Jean II */
++ self->object->continue_received = 1;
++
++ if (self->object->suspend)
++ break;
++
+ ret = obex_object_send(self, self->object, TRUE, TRUE);
+ if (ret == 0) {
+ /* Made some progress */
+ obex_deliver_event(self, OBEX_EV_PROGRESS, cmd, 0, FALSE);
++ self->object->first_packet_sent = 1;
++ self->object->continue_received = 0;
+ } else if (ret < 0) {
+ /* Error sending response */
+ obex_deliver_event(self, OBEX_EV_LINKERR, cmd, 0, TRUE);
+--
+1.7.2.3
+
diff --git a/openobex.spec b/openobex.spec
index a51d60a..db1f08e 100644
--- a/openobex.spec
+++ b/openobex.spec
@@ -1,7 +1,7 @@
Summary: Library for using OBEX
Name: openobex
Version: 1.4
-Release: 3%{?dist}.1
+Release: 4%{?dist}
License: GPLv2+
Group: System Environment/Libraries
URL: http://openobex.sourceforge.net
@@ -9,7 +9,8 @@ Source: http://downloads.sourceforge.net/openobex/openobex-%{version}.tar.gz
Patch: openobex-apps-flush.patch
Patch1: openobex-1.3-push.patch
Patch2: openobex-1.3-autoconf.patch
-Patch3: openobex-1.3-ircp.patch
+Patch3: openobex-1.5-create-file.patch
+Patch4: openobex-1.5-server-object-resume.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: autoconf >= 2.57, bluez-libs-devel, sed, libusb-devel
@@ -43,7 +44,8 @@ calendar entries (vCal) and business cards (vCard) using the OBEX protocol.
%patch -p1 -b .flush
%patch1 -p1 -b .push
%patch2 -p1 -b .autoconf
-%patch3 -p1 -b .ircp
+%patch3 -p1 -b .create-file
+%patch4 -p1 -b .server-object-resume
autoreconf --install --force
%build
@@ -87,6 +89,10 @@ rm -rf $RPM_BUILD_ROOT
%changelog
+* Mon Oct 18 2010 Vojtech Vitek (V-Teq) <vvitek at redhat.com> 1.4-4
+- fix security issue when creating file
+- fix obex_object_resume for server side role
+
* Thu Apr 01 2010 Karsten Hopp <karsten at redhat.com> 1.4-3.1
- drop excludearch s390 s390x
More information about the scm-commits
mailing list