Merge branch '1.29-security'

2025-12-03 17:25:07 -05:00 · 2014-01-31 17:06:08 +01:00
parent 916ca7ab86 2afdd4544d
commit dc8a46363f
7 changed files with 239 additions and 62 deletions
--- a/client.c
+++ b/client.c
@@ -1239,6 +1239,7 @@ static unsigned long token = 0;

 static int max_retries = 2;
 static int initial_timeout = 1000;
+static int proto_version = PROTO_VERSION_NUMBER;

 /* This is the core protocol module.  Complete particular fields in
   the outgoing packet, send it, wait for a response, handle retries,
@@ -1257,13 +1258,13 @@ submit_request(CMD_Request *request, CMD_Reply *reply, int *reply_auth_ok)
  int read_length;
  int expected_length;
  int command_length;
+  int padding_length;
  int auth_length;
  struct timeval tv;
  int timeout;
  int n_attempts;
  fd_set rdfd, wrfd, exfd;

-  request->version = PROTO_VERSION_NUMBER;
  request->pkt_type = PKT_TYPE_CMD_REQUEST;
  request->res1 = 0;
  request->res2 = 0;
@@ -1278,6 +1279,14 @@ submit_request(CMD_Request *request, CMD_Reply *reply, int *reply_auth_ok)
  n_attempts = 0;

  do {
+    request->version = proto_version;
+    command_length = PKL_CommandLength(request);
+    padding_length = PKL_CommandPaddingLength(request);
+    assert(command_length > 0 && command_length > padding_length);
+
+    /* Zero the padding to avoid sending uninitialized data. This needs to be
+       done before generating auth data as it includes the padding. */
+    memset(((char *)request) + command_length - padding_length, 0, padding_length);

    /* Decide whether to authenticate */
    if (password) {
@@ -1291,9 +1300,6 @@ submit_request(CMD_Request *request, CMD_Reply *reply, int *reply_auth_ok)
      auth_length = 0;
    }

-    command_length = PKL_CommandLength(request);
-    assert(command_length > 0);
-
    /* add empty MD5 auth so older servers will not drop the request
       due to bad length */
    if (!auth_length) {
@@ -1400,8 +1406,8 @@ submit_request(CMD_Request *request, CMD_Reply *reply, int *reply_auth_ok)
          continue;
        }
        
-        bad_header = ((reply->version != PROTO_VERSION_NUMBER &&
-                       !(reply->version >= PROTO_VERSION_MISMATCH_COMPAT &&
+        bad_header = ((reply->version != proto_version &&
+                       !(reply->version >= PROTO_VERSION_MISMATCH_COMPAT_CLIENT &&
                         ntohs(reply->status) == STT_BADPKTVERSION)) ||
                      (reply->pkt_type != PKT_TYPE_CMD_REPLY) ||
                      (reply->res1 != 0) ||
@@ -1416,6 +1422,19 @@ submit_request(CMD_Request *request, CMD_Reply *reply, int *reply_auth_ok)
          continue;
        }
        
+#if PROTO_VERSION_NUMBER == 6
+        /* Protocol version 5 is similar to 6 except there is no padding.
+           If a version 5 reply with STT_BADPKTVERSION is received,
+           switch our version and try again. */
+        if (proto_version == PROTO_VERSION_NUMBER &&
+            reply->version == PROTO_VERSION_NUMBER - 1) {
+          proto_version = PROTO_VERSION_NUMBER - 1;
+          continue;
+        }
+#else
+#error unknown compatibility with PROTO_VERSION - 1
+#endif
+
        /* Good packet received, print out results */
 #if 0
        printf("Reply cmd=%d reply=%d stat=%d seq=%d utok=%08lx tok=%d\n",