Fixed proxy user/password buffer overflow

By using a dedicated buffer for sending the username and password for the SOCKS5 proxy, copying them into the buffer can no longer overflow it.
RFC 1929 is therefore fully supported.
DjLegolas 2020-04-11 13:01:35 +03:00 committed by Patrick
parent 37192a9136
commit 7b950eb021


@ -1116,6 +1116,7 @@ traverse_socks5 (int print_fd, int sok, char *serverAddr, int port)
if (auth) if (auth)
{ {
int len_u=0, len_p=0; int len_u=0, len_p=0;
unsigned char *u_p_buf;
/* authentication sub-negotiation (RFC1929) */ /* authentication sub-negotiation (RFC1929) */
if (buf[1] != 2) /* UPA not supported by server */ if (buf[1] != 2) /* UPA not supported by server */
@ -1124,18 +1125,22 @@ traverse_socks5 (int print_fd, int sok, char *serverAddr, int port)
return 1; return 1;
} }
memset (buf, 0, sizeof(buf));
/* form the UPA request */ /* form the UPA request */
len_u = strlen (prefs.hex_net_proxy_user); len_u = strlen (prefs.hex_net_proxy_user);
len_p = strlen (prefs.hex_net_proxy_pass); len_p = strlen (prefs.hex_net_proxy_pass);
buf[0] = 1;
buf[1] = len_u;
memcpy (buf + 2, prefs.hex_net_proxy_user, len_u);
buf[2 + len_u] = len_p;
memcpy (buf + 3 + len_u, prefs.hex_net_proxy_pass, len_p);
send (sok, buf, 3 + len_u + len_p, 0); packetlen = 2 + len_u + 1 + len_p;
u_p_buf = g_malloc0 (packetlen);
u_p_buf[0] = 1;
u_p_buf[1] = len_u;
memcpy (u_p_buf + 2, prefs.hex_net_proxy_user, len_u);
u_p_buf[2 + len_u] = len_p;
memcpy (u_p_buf + 3 + len_u, prefs.hex_net_proxy_pass, len_p);
send (sok, u_p_buf, packetlen, 0);
g_free(u_p_buf);
if ( recv (sok, buf, 2, 0) != 2 ) if ( recv (sok, buf, 2, 0) != 2 )
goto read_error; goto read_error;
if ( buf[1] != 0 ) if ( buf[1] != 0 )
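Review bot: The length bytes written by `u_p_buf[1] = len_u;` and `u_p_buf[2 + len_u] = len_p;` are single octets, but nothing in the hunk bounds `len_u` or `len_p` to the 255-byte maximum RFC 1929 gives for UNAME and PASSWD. A longer string would wrap the length byte while `memcpy` still copies the whole string, so the proxy would parse the request at the wrong boundaries. Whether the two preference fields can exceed 255 bytes is decided outside this hunk, so this is a missing guard rather than a confirmed defect. The result of `send` is also ignored, and the buffer holding the password goes to `g_free` without being cleared; a plain `memset` before the free may be optimised away, so a clearing call the compiler cannot drop is preferable. `traverse_socks5` starts and ends outside the hunk, so the type of `packetlen` and what `read_error` does are assumed from the visible lines.

```c
		len_p = strlen (prefs.hex_net_proxy_pass);
		/* RFC 1929: ULEN and PLEN are one octet each */
		if (len_u > 255 || len_p > 255)
			return 1;
		/* … unchanged: packetlen computation, g_malloc0, packet assembly … */
		if (send (sok, u_p_buf, packetlen, 0) != packetlen)
		{
			g_free (u_p_buf);
			goto read_error;
		}
		g_free (u_p_buf);
```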