summary refs log tree commit diff stats
path: root/src/common
diff options
context:
space:
mode:
authorDjLegolas <DjLegolas@protonmail.com>2020-04-11 13:01:35 +0300
committerPatrick <tingping@tingping.se>2020-04-11 13:19:31 -0700
commit7b950eb0218a19620b9b885818ac031d29ecab09 (patch)
treee1a0dd5cf7a8808cfccaa1309044cee3e2e2c591 /src/common
parent37192a913603c11ac652fa8fc3a74dc281542e4d (diff)
Fixed proxy user/password buffer overflow
By using a dedicated buffer for sending the username and password for the SOCKS5 proxy, there will be no overflow when copying them to the buffer.
And therefore, RFC 1929 is fully supported.
Diffstat (limited to 'src/common')
-rw-r--r--src/common/server.c21
1 files changed, 13 insertions, 8 deletions
diff --git a/src/common/server.c b/src/common/server.c
index f7fa8b96..c6fa1ced 100644
--- a/src/common/server.c
+++ b/src/common/server.c
@@ -1116,6 +1116,7 @@ traverse_socks5 (int print_fd, int sok, char *serverAddr, int port)
 	if (auth)
 	{
 		int len_u=0, len_p=0;
+		unsigned char *u_p_buf;
 
 		/* authentication sub-negotiation (RFC1929) */
 		if (buf[1] != 2)  /* UPA not supported by server */
@@ -1124,18 +1125,22 @@ traverse_socks5 (int print_fd, int sok, char *serverAddr, int port)
 			return 1;
 		}
 
-		memset (buf, 0, sizeof(buf));
-
 		/* form the UPA request */
 		len_u = strlen (prefs.hex_net_proxy_user);
 		len_p = strlen (prefs.hex_net_proxy_pass);
-		buf[0] = 1;
-		buf[1] = len_u;
-		memcpy (buf + 2, prefs.hex_net_proxy_user, len_u);
-		buf[2 + len_u] = len_p;
-		memcpy (buf + 3 + len_u, prefs.hex_net_proxy_pass, len_p);
 
-		send (sok, buf, 3 + len_u + len_p, 0);
+        packetlen = 2 + len_u + 1 + len_p;
+		u_p_buf = g_malloc0 (packetlen);
+
+		u_p_buf[0] = 1;
+		u_p_buf[1] = len_u;
+		memcpy (u_p_buf + 2, prefs.hex_net_proxy_user, len_u);
+		u_p_buf[2 + len_u] = len_p;
+		memcpy (u_p_buf + 3 + len_u, prefs.hex_net_proxy_pass, len_p);
+
+		send (sok, u_p_buf, packetlen, 0);
+		g_free(u_p_buf);
+
 		if ( recv (sok, buf, 2, 0) != 2 )
 			goto read_error;
 		if ( buf[1] != 0 )