Fix buffer overflow in fr_pton_port

[freeradius.git] / src / lib / misc.c

diff --git a/src/lib/misc.c b/src/lib/misc.c
index f81289b..cbc38ea 100644 (file)
--- a/src/lib/misc.c
+++ b/src/lib/misc.c
@@ -31,22 +31,26 @@ RCSID("$Id$")
 #include <pwd.h>
 #include <sys/uio.h>
 
+#ifdef HAVE_DIRENT_H
+#include <dirent.h>
+
 /*
  *     Some versions of Linux don't have closefrom(), but they will
  *     have /proc.
  *
  *     BSD systems will generally have closefrom(), but not proc.
  *
- *     If a system doesn't have closefrom() and isn't Linux, it
- *     doesn't have /proc, either.  So don't waste time trying
- *     to open /proc.
+ *     OSX doesn't have closefrom() or /proc/self/fd, but it does
+ *     have /dev/fd
  */
-#ifdef HAVE_DIRENT_H
 #ifdef __linux__
-#include <dirent.h>
+#define CLOSEFROM_DIR "/proc/self/fd"
+#elif defined(__APPLE__)
+#define CLOSEFROM_DIR "/dev/fd"
 #else
 #undef HAVE_DIRENT_H
 #endif
+
 #endif
 
 #define FR_PUT_LE16(a, val)\
@@ -298,10 +302,12 @@ static int ip_prefix_from_str(char const *str, uint32_t *paddr)
 }
 
 
-/** Parse an IPv4 address or IPv4 prefix in presentation format (and others)
+/**
+ * Parse an IPv4 address, IPv4 prefix in presentation format (and others), or
+ * a hostname.
  *
  * @param out Where to write the ip address value.
- * @param value to parse, may be dotted quad [+ prefix], or integer, or octal number, or '*' (INADDR_ANY).
+ * @param value to parse, may be dotted quad [+ prefix], or integer, or octal number, or '*' (INADDR_ANY), or a hostname.
  * @param inlen Length of value, if value is \0 terminated inlen may be -1.
  * @param resolve If true and value doesn't look like an IP address, try and resolve value as a hostname.
  * @param fallback to IPv6 resolution if no A records can be found.
@@ -313,8 +319,8 @@ int fr_pton4(fr_ipaddr_t *out, char const *value, ssize_t inlen, bool resolve, b
        unsigned int mask;
        char *eptr;
 
-       /* Dotted quad + / + [0-9]{1,2} */
-       char buffer[INET_ADDRSTRLEN + 3];
+       /* Dotted quad + / + [0-9]{1,2} or a hostname (RFC1035 2.3.4 Size limits) */
+       char buffer[256];
 
        /*
         *      Copy to intermediary buffer if we were given a length
@@ -396,7 +402,9 @@ int fr_pton4(fr_ipaddr_t *out, char const *value, ssize_t inlen, bool resolve, b
        return 0;
 }
 
-/** Parse an IPv6 address or IPv6 prefix in presentation format (and others)
+/**
+ * Parse an IPv6 address or IPv6 prefix in presentation format (and others),
+ * or a hostname.
  *
  * @param out Where to write the ip address value.
  * @param value to parse.
@@ -411,8 +419,8 @@ int fr_pton6(fr_ipaddr_t *out, char const *value, ssize_t inlen, bool resolve, b
        unsigned int prefix;
        char *eptr;
 
-       /* IPv6  + / + [0-9]{1,3} */
-       char buffer[INET6_ADDRSTRLEN + 4];
+       /* IPv6  + / + [0-9]{1,3} or a hostname (RFC1035 2.3.4 Size limits) */
+       char buffer[256];
 
        /*
         *      Copy to intermediary buffer if we were given a length
@@ -618,7 +626,7 @@ do_port:
         *      input length indicates there are more than 5 chars
         *      after the ':' then there's an issue.
         */
-       if (inlen > ((q + sizeof(buffer)) - value)) {
+       if (len > ((q + sizeof(buffer)) - value)) {
        error:
                fr_strerror_printf("IP string contains trailing garbage after port delimiter");
                return -1;
@@ -1403,7 +1411,7 @@ int closefrom(int fd)
        /*
         *      Use /proc/self/fd directory if it exists.
         */
-       dir = opendir("/proc/self/fd");
+       dir = opendir(CLOSEFROM_DIR);
        if (dir != NULL) {
                long my_fd;
                char *endp;
@@ -1413,7 +1421,7 @@ int closefrom(int fd)
                        my_fd = strtol(dp->d_name, &endp, 10);
                        if (my_fd <= 0) continue;
 
-                       if ((endp > dp->d_name) && *endp) continue;
+                       if (*endp) continue;
 
                        if (my_fd == dirfd(dir)) continue;