Description: Fix buffer overflows/CVE-2013-7106
Forwarded: not-needed
Origin: backport, https://dev.icinga.org/projects/icinga-core/repository/revisions/cdb78902ecb7e91b838232246c1f939b4ee9ce0a
Bug: https://dev.icinga.org/issues/5250
--- a/cgi/cgiutils.c
+++ b/cgi/cgiutils.c
@@ -2490,14 +2490,24 @@
/* just do stuff if some options are requested */
if (getenv("QUERY_STRING") != NULL && strcmp(getenv("QUERY_STRING"), "")) {
+ if(strlen(getenv("QUERY_STRING")) + 1 > sizeof(stripped_query_string)) {
+ write_to_cgi_log("print_export_link(): Query string exceeds max length. Returning without displaying export link.\n");
+ return;
+ }
strcpy(stripped_query_string, getenv("QUERY_STRING"));
strip_html_brackets(stripped_query_string);
+
+ if (strlen(link) + 1 + strlen(stripped_query_string) + 1 > sizeof(link)) {
+ write_to_cgi_log("print_export_link(): Full query string exceeds max length. Returning without displaying export link.\n");
+ return;
+ }
+
strcat(link, "?");
strcat(link, stripped_query_string);
}
/* add string to url */
- if (add_to_url != NULL && (strlen(add_to_url) != 0)) {
+ if (add_to_url != NULL && (strlen(add_to_url) != 0) && strlen(link) + 1 + strlen(add_to_url) + 1 <= sizeof(link)) {
if (strlen(stripped_query_string) != 0)
strcat(link, "&");
else
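Review bot: The guard folded into the `add_to_url` condition drops the suffix silently, whereas the two new checks above it call write_to_cgi_log before returning, so an operator debugging a missing export-link parameter gets no trace for this case. Consider keeping the original condition and adding a logged early return in the same shape as the query-string checks, e.g. `if (strlen(link) + 1 + strlen(add_to_url) + 1 > sizeof(link)) { write_to_cgi_log("print_export_link(): add_to_url exceeds max length. Returning without displaying export link.\n"); return; }` placed before the existing `if`. The hunk also calls getenv("QUERY_STRING") four times; hoisting it into a single `const char *qs` local makes the length check and the strcpy operate on the same pointer and reads cleaner. `sizeof(stripped_query_string)` and `sizeof(link)` only bound the copies if both are declared as arrays in this function; their declarations and the remainder of print_export_link are outside the hunk, and the hunk header announces 14/24 lines while 12/22 are visible here, so the last two context lines appear to have been cut off.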
--- a/cgi/config.c
+++ b/cgi/config.c
@@ -3595,6 +3595,8 @@
for (c = commandline; c && (cc = strstr(c, "$"));) {
(*(cc++)) = '\0';
printf("%s", html_encode(c, FALSE));
+ if (strlen(commandline_pre_processed) + strlen(c) + 1 > sizeof(commandline_pre_processed))
+ return;
strcat(commandline_pre_processed,c);
if ((*cc) == '$') {
/* Escaped '$' */
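Review bot: The new length guard before `strcat(commandline_pre_processed,c)` returns silently in the middle of emitting the page, and the same pattern repeats in the three following hunks (before the `"$"`/`cc` strcats, before `command_args[i]`, and before the final `c`); unlike the cgiutils.c change nothing is logged, so an over-long command line yields an abruptly cut HTML fragment with no diagnostic. Suggest at least mirroring the logging convention at each site, e.g. `write_to_cgi_log("<enclosing function>(): command line exceeds max length, output truncated.\n");` before each `return` (the function name comes from the definition, which starts above this hunk), or funnelling the four sites into one `goto truncated;` label beside the existing `commandline_pre_processed[MAX_COMMAND_BUFFER-1] = '\0'` finalisation so that any closing markup the function emits afterwards is still written — whether such markup exists is not visible in these hunks. The arithmetic itself is sound: each check reserves one byte for the terminator, and the `$` branch reserves the closing `$` even when `c` is NULL, which errs on the safe side. Each guard recomputes strlen(commandline_pre_processed); for a buffer bounded by MAX_COMMAND_BUFFER that is acceptable, but a running length would be clearer.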
@@ -3605,6 +3607,8 @@
c = strstr(cc, "$");
if (c)(*(c++)) = '\0';
printf("$%s%s", html_encode(cc, FALSE), (c ? "$" : ""));
+ if (strlen(commandline_pre_processed) + 1 + strlen(cc) + 1 + 1 > sizeof(commandline_pre_processed))
+ return;
strcat(commandline_pre_processed,"$");
strcat(commandline_pre_processed,cc);
if (c) strcat(commandline_pre_processed,"$");
@@ -3622,6 +3626,7 @@
printf("%s%s%s",
hash_color(i), ((lead_space[i] > 0) || (trail_space[i] > 0) ? "" : ""),
escape_string(command_args[i]), ((lead_space[i] > 0) || (trail_space[i] > 0) ? "" : ""));
+ if (strlen(commandline_pre_processed) + strlen(command_args[i]) + 1 > sizeof(commandline_pre_processed)) return;
strcat(commandline_pre_processed,command_args[i]);
} else printf("(empty)");
} else printf("(undefined)");
@@ -3638,6 +3643,7 @@
}
if (c) {
printf("%s", html_encode(c, FALSE));
+ if (strlen(commandline_pre_processed) + strlen(c) + 1 > sizeof(commandline_pre_processed)) return;
strcat(commandline_pre_processed,c);
}
commandline_pre_processed[MAX_COMMAND_BUFFER-1] = '\0';