procps-ng/w-Prevent-out-of-bounds-reads-in-print_display_or_in.patch

From 3a437012f0e4041c2c1e9cbf0f08ad4b880fe80f Mon Sep 17 00:00:00 2001
From: Qualys Security Advisory <qsa@qualys.com>
Date: Thu, 1 Jan 1970 00:00:00 +0000
Subject: [PATCH 12/65] w: Prevent out-of-bounds reads in
 print_display_or_interface().

They occur if disp or tmp reaches host + len: add checks. Also, constify
everything.
---
 w.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/w.c b/w.c
index 2bee396..b3c0644 100644
--- a/w.c
+++ b/w.c
@@ -113,21 +113,22 @@ static void print_host(const char *restrict host, int len, const int fromlen)
 /* This routine prints the display part of the host or IPv6 link address interface */
 static void print_display_or_interface(const char *restrict host, int len, int restlen)
 {
-	char *disp,*tmp;
+	const char *const end = host + (len > 0 ? len : 0);
+	const char *disp, *tmp;
 
 	if (restlen <= 0) return; /* not enough space for printing anything */
 
 	/* search for a collon (might be a display) */
-	disp = (char *)host;
-	while ( (disp < (host + len)) && (*disp != ':') && isprint(*disp) ) disp++;
+	disp = host;
+	while ( (disp < end) && (*disp != ':') && isprint(*disp) ) disp++;
 
 	/* colon found */
-	if (*disp == ':') {
+	if (disp < end && *disp == ':') {
 		/* detect multiple colons -> IPv6 in the host (not a display) */
 		tmp = disp+1;
-		while ( (tmp < (host + len)) && (*tmp != ':') && isprint(*tmp) ) tmp++;
+		while ( (tmp < end) && (*tmp != ':') && isprint(*tmp) ) tmp++;
 
-		if (*tmp != ':') { /* multiple colons not found - it's a display */
+		if (tmp >= end || *tmp != ':') { /* multiple colons not found - it's a display */
 
 			/* number of chars till the end of the input field */
 			len -= (disp - host);
@@ -149,9 +150,9 @@ static void print_display_or_interface(const char *restrict host, int len, int r
 		} else { /* multiple colons found - it's an IPv6 address */
 
 			/* search for % (interface separator in case of IPv6 link address) */
-			while ( (tmp < (host + len)) && (*tmp != '%') && isprint(*tmp) ) tmp++;
+			while ( (tmp < end) && (*tmp != '%') && isprint(*tmp) ) tmp++;
 
-			if (*tmp == '%') { /* interface separator found */
+			if (tmp < end && *tmp == '%') { /* interface separator found */
 
 				/* number of chars till the end of the input field */
 				len -= (tmp - host);
@@ -170,7 +171,6 @@ static void print_display_or_interface(const char *restrict host, int len, int r
 					fputc('-', stdout);
 				}
 			}
-
 		}
 	}
 
-- 
2.6.4.windows.1
Package init 2019-12-25 17:13:31 +08:00			`From 3a437012f0e4041c2c1e9cbf0f08ad4b880fe80f Mon Sep 17 00:00:00 2001`
			`From: Qualys Security Advisory <qsa@qualys.com>`
			`Date: Thu, 1 Jan 1970 00:00:00 +0000`
			`Subject: [PATCH 12/65] w: Prevent out-of-bounds reads in`
			`print_display_or_interface().`

			`They occur if disp or tmp reaches host + len: add checks. Also, constify`
			`everything.`
			`---`
			`w.c \| 18 +++++++++---------`
			`1 file changed, 9 insertions(+), 9 deletions(-)`

			`diff --git a/w.c b/w.c`
			`index 2bee396..b3c0644 100644`
			`--- a/w.c`
			`+++ b/w.c`
			`@@ -113,21 +113,22 @@ static void print_host(const char *restrict host, int len, const int fromlen)`
			`/* This routine prints the display part of the host or IPv6 link address interface */`
			`static void print_display_or_interface(const char *restrict host, int len, int restlen)`
			`{`
			`- char disp,tmp;`
			`+ const char *const end = host + (len > 0 ? len : 0);`
			`+ const char disp, tmp;`

			`if (restlen <= 0) return; /* not enough space for printing anything */`

			`/* search for a collon (might be a display) */`
			`- disp = (char *)host;`
			`- while ( (disp < (host + len)) && (disp != ':') && isprint(disp) ) disp++;`
			`+ disp = host;`
			`+ while ( (disp < end) && (disp != ':') && isprint(disp) ) disp++;`

			`/* colon found */`
			`- if (*disp == ':') {`
			`+ if (disp < end && *disp == ':') {`
			`/* detect multiple colons -> IPv6 in the host (not a display) */`
			`tmp = disp+1;`
			`- while ( (tmp < (host + len)) && (tmp != ':') && isprint(tmp) ) tmp++;`
			`+ while ( (tmp < end) && (tmp != ':') && isprint(tmp) ) tmp++;`

			`- if (tmp != ':') { / multiple colons not found - it's a display */`
			`+ if (tmp >= end \|\| tmp != ':') { / multiple colons not found - it's a display */`

			`/* number of chars till the end of the input field */`
			`len -= (disp - host);`
			`@@ -149,9 +150,9 @@ static void print_display_or_interface(const char *restrict host, int len, int r`
			`} else { /* multiple colons found - it's an IPv6 address */`

			`/* search for % (interface separator in case of IPv6 link address) */`
			`- while ( (tmp < (host + len)) && (tmp != '%') && isprint(tmp) ) tmp++;`
			`+ while ( (tmp < end) && (tmp != '%') && isprint(tmp) ) tmp++;`

			`- if (tmp == '%') { / interface separator found */`
			`+ if (tmp < end && tmp == '%') { / interface separator found */`

			`/* number of chars till the end of the input field */`
			`len -= (tmp - host);`
			`@@ -170,7 +171,6 @@ static void print_display_or_interface(const char *restrict host, int len, int r`
			`fputc('-', stdout);`
			`}`
			`}`
			`-`
			`}`
			`}`

			`--`
			`2.6.4.windows.1`