authorDjLegolas <DjLegolas@protonmail.com>2020-04-11 13:01:35 +0300
committerPatrick <tingping@tingping.se>2020-04-11 13:19:31 -0700
commit7b950eb0218a19620b9b885818ac031d29ecab09 (patch)
treee1a0dd5cf7a8808cfccaa1309044cee3e2e2c591
parent37192a913603c11ac652fa8fc3a74dc281542e4d (diff)
Fixed proxy user/password buffer overflow
Use a dedicated buffer for sending the username and password to the SOCKS5 proxy, so that copying them into the buffer can no longer overflow it.
RFC 1929 is therefore fully supported.
-rw-r--r--src/common/server.c21
1 files changed, 13 insertions, 8 deletions
diff --git a/src/common/server.c b/src/common/server.c
index f7fa8b96..c6fa1ced 100644
--- a/src/common/server.c
+++ b/src/common/server.c
@@ -1116,6 +1116,7 @@ traverse_socks5 (int print_fd, int sok, char *serverAddr, int port)
 	if (auth)
 	{
 		int len_u=0, len_p=0;
+		unsigned char *u_p_buf;
 
 		/* authentication sub-negotiation (RFC1929) */
 		if (buf[1] != 2)  /* UPA not supported by server */
@@ -1124,18 +1125,22 @@ traverse_socks5 (int print_fd, int sok, char *serverAddr, int port)
 			return 1;
 		}
 
-		memset (buf, 0, sizeof(buf));
-
 		/* form the UPA request */
 		len_u = strlen (prefs.hex_net_proxy_user);
 		len_p = strlen (prefs.hex_net_proxy_pass);
-		buf[0] = 1;
-		buf[1] = len_u;
-		memcpy (buf + 2, prefs.hex_net_proxy_user, len_u);
-		buf[2 + len_u] = len_p;
-		memcpy (buf + 3 + len_u, prefs.hex_net_proxy_pass, len_p);
 
-		send (sok, buf, 3 + len_u + len_p, 0);
+        packetlen = 2 + len_u + 1 + len_p;
+		u_p_buf = g_malloc0 (packetlen);
+
+		u_p_buf[0] = 1;
+		u_p_buf[1] = len_u;
+		memcpy (u_p_buf + 2, prefs.hex_net_proxy_user, len_u);
+		u_p_buf[2 + len_u] = len_p;
+		memcpy (u_p_buf + 3 + len_u, prefs.hex_net_proxy_pass, len_p);
+
+		send (sok, u_p_buf, packetlen, 0);
+		g_free(u_p_buf);
+
 		if ( recv (sok, buf, 2, 0) != 2 )
 			goto read_error;
 		if ( buf[1] != 0 )
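Review bot: The one-byte length fields at `u_p_buf[1] = len_u;` and `u_p_buf[2 + len_u] = len_p;` are written without a range check, although RFC 1929 limits ULEN and PLEN to 255. The dedicated buffer removes the overflow, but a longer username or password would still be copied in full while its length byte wraps, so the proxy would split the fields at the wrong offset; rejecting such input before computing `packetlen`, e.g. `if (len_u > 255 || len_p > 255) return 1;` (with whatever error reporting the function uses on its other failure paths), would close that. `u_p_buf` also holds the cleartext password and is handed to `g_free` without being cleared, and the result of `send` is not checked against `packetlen`. The declaration of `packetlen` and the rest of traverse_socks5 lie outside this hunk.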