SOURCES: licq-1.3.5-dos.patch (NEW) - fixed DoS vulnerability - CVE-2009-1996

draenog draenog at pld-linux.org
Fri May 16 03:53:56 CEST 2008 

Author: draenog                      Date: Fri May 16 01:53:56 2008 GMT
Module: SOURCES                       Tag: HEAD
---- Log message:
- fixed DoS vulnerability - CVE-2009-1996

---- Files affected:
SOURCES:
   licq-1.3.5-dos.patch (NONE -> 1.1)  (NEW)

---- Diffs:

================================================================
Index: SOURCES/licq-1.3.5-dos.patch
diff -u /dev/null SOURCES/licq-1.3.5-dos.patch:1.1
--- /dev/null	Fri May 16 03:53:56 2008
+++ SOURCES/licq-1.3.5-dos.patch	Fri May 16 03:53:51 2008
@@ -0,0 +1,116 @@
+Index: /trunk/licq/include/licq_socket.h
+===================================================================
+--- licq-1.3.5/include/licq_socket.h (revision 4714)
++++ licq-1.3.5/include/licq_socket.h (revision 6146)
+@@ -251,4 +251,5 @@
+   fd_set SocketSet()   {  return m_sSockets.SocketSet(); }
+   int LargestSocket()  {  return m_sSockets.Largest(); }
++  unsigned short Num() {  return m_sSockets.Num(); }
+ 
+ protected:
+Index: licq-1.3.5/src/socket.cpp
+===================================================================
+--- licq-1.3.5/src/socket.cpp (revision 5629)
++++ licq-1.3.5/src/socket.cpp (revision 6146)
+@@ -818,6 +818,24 @@
+   socklen_t sizeofSockaddr = sizeof(struct sockaddr_in);
+ 
+-  newSocket.m_nDescriptor = accept(m_nDescriptor, (struct sockaddr *)&newSocket.m_sRemoteAddr, &sizeofSockaddr);
+-  newSocket.SetLocalAddress();
++  // Make sure we stay under FD_SETSIZE
++  // See:
++  // * http://www.securityfocus.com/archive/1/490711
++  // * http://securityvulns.com/docs7669.html
++  // for more details
++  // This probably has no affect, since we are using multiple threads, but keep it here 
++  // to be used as a sanity check.
++  int newDesc = accept(m_nDescriptor, (struct sockaddr *)&newSocket.m_sRemoteAddr, &sizeofSockaddr);
++  if (newDesc < FD_SETSIZE)
++  {
++    newSocket.m_nDescriptor = newDesc;
++    newSocket.SetLocalAddress();
++  }
++  else
++  {
++    gLog.Error(tr("%sCannot accept new connection, too many descriptors in use.\n"), L_ERRORxSTR);
++    close(newDesc);
++
++    // TODO throw an exception, or do something to tell the caller it failed
++  }
+ }
+ 
+Index: licq-1.3.5/src/icqd-threads.cpp
+===================================================================
+--- licq-1.3.5/src/icqd-threads.cpp (revision 5450)
++++ licq-1.3.5/src/icqd-threads.cpp (revision 6146)
+@@ -24,4 +24,5 @@
+ #include "gettext.h"
+ 
++#define MAX_CONNECTS  256
+ #define DEBUG_THREADS(x)
+ //#define DEBUG_THREADS(x) gLog.Info(x)
+@@ -781,6 +782,19 @@
+               tcp->RecvConnection(*newSocket);
+               gSocketManager.DropSocket(tcp);
+-              gSocketManager.AddSocket(newSocket);
+-              gSocketManager.DropSocket(newSocket);
++
++              // Make sure we can handle another socket before accepting it
++              if (gSocketManager.Num() > MAX_CONNECTS)
++              {
++                // Too many sockets, drop this one
++                char remoteIp[32];
++                gLog.Warn(tr("%sToo many connected sockets, rejecting connection from %s.\n"),
++                    L_WARNxSTR, newSocket->RemoteIpStr(remoteIp));
++                delete newSocket;
++              }
++              else
++              {
++                gSocketManager.AddSocket(newSocket);
++                gSocketManager.DropSocket(newSocket);
++              }
+             }
+           }
+Index: licq-1.3.5/src/icqd-chat.cpp
+===================================================================
+--- licq-1.3.5/src/icqd-chat.cpp (revision 6136)
++++ licq-1.3.5/src/icqd-chat.cpp (revision 6146)
+@@ -24,4 +24,5 @@
+ #include "gettext.h"
+ 
++#define MAX_CONNECTS  256
+ #define DEBUG_THREADS(x)
+ 
+@@ -2384,14 +2385,22 @@
+         else if (nCurrentSocket == chatman->chatServer.Descriptor())
+         {
+-          CChatUser *u = new CChatUser;
+-          u->m_pClient = new CChatClient;
+-
+-          chatman->chatServer.RecvConnection(u->sock);
+-          chatman->sockman.AddSocket(&u->sock);
+-          chatman->sockman.DropSocket(&u->sock);
+-
+-          u->state = CHAT_STATE_HANDSHAKE;
+-          chatman->chatUsers.push_back(u);
+-          gLog.Info(tr("%sChat: Received connection.\n"), L_TCPxSTR);
++          if (chatman->sockman.Num() >= MAX_CONNECTS)
++          {
++            // Too many sockets, drop this one
++            gLog.Warn(tr("%sToo many connected clients, rejecting new connection.\n"), L_WARNxSTR);
++          }
++          else
++          {
++            CChatUser *u = new CChatUser;
++            u->m_pClient = new CChatClient;
++
++            chatman->chatServer.RecvConnection(u->sock);
++            chatman->sockman.AddSocket(&u->sock);
++            chatman->sockman.DropSocket(&u->sock);
++
++            u->state = CHAT_STATE_HANDSHAKE;
++            chatman->chatUsers.push_back(u);
++            gLog.Info(tr("%sChat: Received connection.\n"), L_TCPxSTR);
++          }
+         }
+ 
================================================================

More information about the pld-cvs-commit mailing list