Merge branch 'master' into kernel-test

Arne Fitzenreiter
2014-08-08 08:52:52 +02:00
26 changed files with 413 additions and 79 deletions


@@ -0,0 +1 @@
/etc/check_mk/


@@ -413,9 +413,9 @@ sub getnetworkip
#Gets: IP, CIDR (10.10.10.0-255, 24)
#Gives: 10.10.10.0
my ($ccdip,$ccdsubnet) = @_;
my $ip_address_binary = &Socket::inet_pton( AF_INET,$ccdip );
my $netmask_binary = &Socket::inet_pton(AF_INET,&iporsubtodec($ccdsubnet));
my $network_address = &Socket::inet_ntop( AF_INET,$ip_address_binary & $netmask_binary );
my $ip_address_binary = inet_aton( $ccdip );
my $netmask_binary = ~pack("N", (2**(32-$ccdsubnet))-1);
my $network_address = inet_ntoa( $ip_address_binary & $netmask_binary );
return $network_address;
}
@@ -773,21 +773,12 @@ sub validportrange # used to check a port range
# Return: TRUE/FALSE
sub IpInSubnet
{
my $addr = shift;
my $network = shift;
my $netmask = shift;
my $addr_num = &Socket::inet_pton(AF_INET,$addr);
my $network_num = &Socket::inet_pton(AF_INET,$network);
my $netmask_num = &Socket::inet_pton(AF_INET,$netmask);
# Find start address
my $network_start = $network_num & $netmask_num;
# Find end address
my $network_end = $network_start ^ ~$netmask_num;
return (($addr_num ge $network_start) && ($addr_num le $network_end));
my $ip = unpack('N', &Socket::inet_aton(shift));
my $start = unpack('N', &Socket::inet_aton(shift));
my $mask = unpack('N', &Socket::inet_aton(shift));
$start &= $mask; # base of subnet...
my $end = $start + ~$mask;
return (($ip >= $start) && ($ip <= $end));
}
#
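Review bot: In IpInSubnet, `my $end = $start + ~$mask;` is only correct where perl integers are 32 bits wide; on a perl built with 64-bit integers `~$mask` also sets the upper 32 bits, `$end` becomes far larger than any IPv4 address and the upper-bound test always passes, so every address at or above the network base is reported as inside the subnet. Masking the complement keeps the result independent of integer width: `my $end = $start | (~$mask & 0xFFFFFFFF);`. Separately, `inet_aton` returns undef for input it cannot parse and will try to resolve a hostname, so both IpInSubnet and getnetworkip should reject arguments that are not dotted-quad addresses (and, in getnetworkip, a prefix length outside 0-32) before packing them. This assumes the `inet_aton`/`unpack` lines are the new side of the section, since the page has lost its +/- markers.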


@@ -60,4 +60,7 @@ usr/lib/python2.7/site-packages/ddns/system.pyo
#usr/share/locale/uz@Latn/LC_MESSAGES
#usr/share/locale/uz@Latn/LC_MESSAGES/ddns.mo
#usr/share/locale/vi/LC_MESSAGES/ddns.mo
#usr/share/locale/zh
#usr/share/locale/zh/LC_MESSAGES
#usr/share/locale/zh/LC_MESSAGES/ddns.mo
#var/ipfire/ddns/ddns.conf.sample


@@ -6,7 +6,9 @@ etc/rc.d/init.d/dhcrelay
etc/rc.d/init.d/dnsmasq
etc/rc.d/init.d/firewall
etc/rc.d/init.d/networking/red.up/30-ddns
etc/rc.d/init.d/rngd
srv/web/ipfire/cgi-bin/ddns.cgi
srv/web/ipfire/cgi-bin/ids.cgi
srv/web/ipfire/cgi-bin/logs.cgi/firewalllogcountry.dat
srv/web/ipfire/cgi-bin/logs.cgi/log.dat
srv/web/ipfire/cgi-bin/netexternal.cgi


@@ -0,0 +1,20 @@
boot/config.txt
etc/collectd.custom
etc/ipsec.conf
etc/ipsec.secrets
etc/ipsec.user.conf
etc/ipsec.user.secrets
etc/localtime
etc/shadow
etc/ssh/ssh_config
etc/ssh/sshd_config
etc/ssl/openssl.cnf
etc/sudoers
etc/sysconfig/firewall.local
etc/sysconfig/rc.local
etc/udev/rules.d/30-persistent-network.rules
srv/web/ipfire/html/proxy.pac
var/ipfire/ovpn
var/log/cache
var/state/dhcp/dhcpd.leases
var/updatecache


@@ -0,0 +1 @@
../../../common/ddns


@@ -0,0 +1,5 @@
etc/system-release
etc/issue
etc/rc.d/init.d/firewall
srv/web/ipfire/cgi-bin/ddns.cgi
srv/web/ipfire/cgi-bin/ovpnmain.cgi


@@ -0,0 +1 @@
../../../common/lzo


@@ -0,0 +1 @@
../../../common/openssh


@@ -0,0 +1 @@
../../../common/openssl


@@ -0,0 +1 @@
DEPS=""


@@ -0,0 +1,57 @@
#!/bin/bash
############################################################################
# #
# This file is part of the IPFire Firewall. #
# #
# IPFire is free software; you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation; either version 3 of the License, or #
# (at your option) any later version. #
# #
# IPFire is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with IPFire; if not, write to the Free Software #
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
# #
# Copyright (C) 2014 IPFire-Team <info@ipfire.org>. #
# #
############################################################################
#
. /opt/pakfire/lib/functions.sh
/usr/local/bin/backupctrl exclude >/dev/null 2>&1
# Remove old core updates from pakfire cache to save space...
core=81
for (( i=1; i<=$core; i++ ))
do
rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire
done
# Stop services
# Remove old strongswan files
# Extract files
extract_files
# Start services
/etc/init.d/apache restart
# Update Language cache
#perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang"
sync
# This update need a reboot...
touch /var/run/need_reboot
^^
# Finish
/etc/init.d/fireinfo start
sendprofile
# Don't report the exitcode last command
exit 0
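Review bot: The line `^^` after `touch /var/run/need_reboot` is not a shell construct; in a non-interactive bash script it is run as a command name and fails with "command not found", which goes unnoticed because the script ends with `exit 0`. It should be removed. The "Stop services" and "Remove old strongswan files" comments have no commands under them, so either delete them or add the steps they announce. Because `exit 0` also hides a failure of `extract_files`, recording its status, for example `extract_files || logger -t pakfire "core update: extract_files failed"`, would make a partially applied update detectable.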


@@ -187,7 +187,7 @@ if (($settings{'ACTION'} eq $Lang::tr{'add'}) || ($settings{'ACTION'} eq $Lang::
# Check if a password has been typed in.
# freedns.afraid.org does not require this field.
if (($settings{'PASSWORD'} eq '') && ($settings{'SERVICE'} ne 'freedns.afraid.org')) {
if (($settings{'PASSWORD'} eq '') && ($settings{'SERVICE'} ne 'freedns.afraid.org') && ($settings{'SERVICE'} ne 'regfish.com')) {
$errormessage = $Lang::tr{'password not set'};
}
@@ -197,6 +197,12 @@ if (($settings{'ACTION'} eq $Lang::tr{'add'}) || ($settings{'ACTION'} eq $Lang::
# Splitt hostname field into 2 parts for storrage.
my($hostname, $domain) = split(/\./, $settings{'HOSTNAME'}, 2);
# Handle enabled checkbox. When the checkbox is selected a "on" will be returned,
# if the checkbox is not checked nothing is returned in this case we set the value to "off".
if ($settings{'ENABLED'} ne 'on') {
$settings{'ENABLED'} = 'off';
}
# Handle adding new accounts.
if ($settings{'ACTION'} eq $Lang::tr{'add'}) {
@@ -215,8 +221,6 @@ if (($settings{'ACTION'} eq $Lang::tr{'add'}) || ($settings{'ACTION'} eq $Lang::
# Write out notice to logfile.
&General::log($Lang::tr{'ddns hostname added'});
# Update ddns config file.
# Handle account edditing.
} elsif ($settings{'ACTION'} eq $Lang::tr{'update'}) {
@@ -354,7 +358,9 @@ $checked{'BEHINDROUTER'}{'RED_IP'} = '';
$checked{'BEHINDROUTER'}{'FETCH_IP'} = '';
$checked{'BEHINDROUTER'}{$settings{'BEHINDROUTER'}} = "checked='checked'";
$checked{'ENABLED'}{'on'} = ($settings{'ENABLED'} eq '' ) ? '' : "checked='checked'";
$checked{'ENABLED'}{'on'} = '';
$checked{'ENABLED'}{'off'} = '';
$checked{'ENABLED'}{$settings{'ENABLED'}} = "checked='checked'";
# Show box for errormessages..
if ($errormessage) {
@@ -451,7 +457,7 @@ print <<END
<tr>
<td class='base'>$Lang::tr{'enabled'}</td>
<td><input type='checkbox' name='ENABLED' value='on' $checked{'ENABLED'}{'on'} /></td>
<td><input type='checkbox' name='ENABLED' $checked{'ENABLED'}{'on'} /></td>
<td class='base'>$Lang::tr{'username'}</td>
<td><input type='text' name='LOGIN' value='$settings{'LOGIN'}' /></td>
</tr>
@@ -507,17 +513,32 @@ END
chomp(@current);
my @temp = split(/\,/,$line);
# Handle hostname details. Only connect the values with a dott if both are available.
my $hostname="";
if (($temp[1]) && ($temp[2])) {
$hostname="$temp[1].$temp[2]";
} else {
$hostname="$temp[1]";
}
# Generate value for enable/disable checkbox.
my $sync = "<font color='blue'>";
my $sync = '';
my $gif = '';
my $gdesc = '';
if ($temp[7] eq "on") {
$gif = 'on.gif';
$gdesc = $Lang::tr{'click to disable'};
$sync = (&General::DyndnsServiceSync ($ip,$temp[1], $temp[2]) ? "<font color='green'>": "<font color='red'>") ;
# Check if the given hostname is a FQDN before doing a nslookup.
if (&General::validfqdn($hostname)) {
$sync = (&General::DyndnsServiceSync ($ip,$temp[1], $temp[2]) ? "<font color='green'>": "<font color='red'>") ;
}
$toggle_enabled = 'off';
} else {
$sync = "<font color='blue'>";
$gif = 'off.gif';
$gdesc = $Lang::tr{'click to enable'};
$toggle_enabled = 'on';
@@ -650,8 +671,8 @@ sub GenerateDDNSConfigFile {
if ($provider ~~ ["dns.lightningwirelabs.com", "entrydns.net", "regfish.com"] && $username eq "token") {
$use_token = 1;
# Handle token auth for freedns.afraid.org.
} elsif ($provider eq "freedns.afraid.org" && $password eq "") {
# Handle token auth for freedns.afraid.org and regfish.com.
} elsif ($provider ~~ ["freedns.afraid.org", "regfish.com"] && $password eq "") {
$use_token = 1;
$password = $username;
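Review bot: The new provider test in GenerateDDNSConfigFile, `$provider ~~ ["freedns.afraid.org", "regfish.com"]`, relies on the smartmatch operator, which perl has marked experimental since 5.18 and which warns there; a plain membership test such as `grep { $provider eq $_ } ("freedns.afraid.org", "regfish.com")` behaves the same for these strings and does not depend on it. The same regfish.com exception is also added to the password check earlier in the file, so the list of providers that may omit a password now lives in two places and can drift apart; one shared list used by both checks would avoid that. The function body continues outside the hunk, and the condition just above already uses `~~` in the same way.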


@@ -263,11 +263,11 @@ if (-e "/etc/snort/snort.conf") {
####################### End added for snort rules control #################################
if ($snortsettings{'RULES'} eq 'subscripted') {
$url=" http://www.snort.org/sub-rules/snortrules-snapshot-2961.tar.gz/$snortsettings{'OINKCODE'}";
$url=" https://www.snort.org/rules/snortrules-snapshot-2961.tar.gz?oinkcode=$snortsettings{'OINKCODE'}";
} elsif ($snortsettings{'RULES'} eq 'registered') {
$url=" http://www.snort.org/reg-rules/snortrules-snapshot-2960.tar.gz/$snortsettings{'OINKCODE'}";
$url=" https://www.snort.org/rules/snortrules-snapshot-2961.tar.gz?oinkcode=$snortsettings{'OINKCODE'}";
} elsif ($snortsettings{'RULES'} eq 'community') {
$url=" http://s3.amazonaws.com/snort-org/www/rules/community/community-rules.tar.gz";
$url=" https://www.snort.org/rules/community";
} else {
$url="http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz";
}
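Review bot: `$snortsettings{'OINKCODE'}` is interpolated into the query string of the new download URLs with no validation or encoding visible here, so a stored value containing `&`, `#`, whitespace or shell metacharacters alters the request, and possibly a command line if `$url` is later passed to a downloader through a shell (not visible in this hunk). Rejecting anything that does not match a strict pattern such as `/\A[A-Za-z0-9]+\z/` before the URL is built would close that. Two smaller observations on the same lines: the 'registered' branch now builds exactly the same URL as 'subscripted', which may or may not be intended, and the Emerging Threats fallback is still fetched over plain `http://`, so that ruleset has no transport integrity. The enclosing block starts outside the hunk.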


@@ -3968,10 +3968,8 @@ if ($cgiparams{'TYPE'} eq 'net') {
$errormessage = $Lang::tr{'name too long'};
goto VPNCONF_ERROR;
}
if ($cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) {
if ($cgiparams{'CERT_NAME'} eq '' || $cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) {
$errormessage = $Lang::tr{'invalid input for name'};
unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
goto VPNCONF_ERROR;
}
if ($cgiparams{'CERT_EMAIL'} ne '' && (! &General::validemail($cgiparams{'CERT_EMAIL'}))) {
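Review bot: The CERT_NAME pattern `/^[a-zA-Z0-9 ,\.\-_]+$/` already rejects an empty string because of the `+`, so the added `eq ''` test changes nothing, while `$` still accepts a value that ends in a newline. Anchoring with `\A` and `\z` closes that gap: `if ($cgiparams{'CERT_NAME'} !~ /\A[a-zA-Z0-9 ,\.\-_]+\z/) {`. If, as the hunk counts suggest, the `unlink`/`rmdir` lines are the ones being dropped, that is the safer direction, since they built a filesystem path from `$cgiparams{'NAME'}` and called `die` inside the CGI on failure. The enclosing `if ($cgiparams{'TYPE'} eq 'net')` block starts and ends outside the hunk.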


@@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/check_mk-${VER}
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = check_mk_agent
PAK_VER = 3
PAK_VER = 4
DEPS = ""


@@ -24,7 +24,7 @@
include Config
VER = 003
VER = 004
THISAPP = ddns-$(VER)
DL_FILE = $(THISAPP).tar.xz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
$(DL_FILE)_MD5 = 9ff8ab5fa716859b51f63b0a241f1337
$(DL_FILE)_MD5 = ff77cb72d0cb06c73bde70419b15bae8
install : $(TARGET)
@@ -71,8 +71,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/ddns-003-Add-a-program-prefix-to-syslog-messages.patch
cd $(DIR_APP) && [ -x "configure" ] || sh ./autogen.sh
cd $(DIR_APP) && ./configure --prefix=/usr --sysconfdir=/var/ipfire
cd $(DIR_APP) && make $(MAKETUNING)


@@ -24,7 +24,7 @@
include Config
VER = 2.08
VER = 2.06
THISAPP = lzo-$(VER)
DL_FILE = $(THISAPP).tar.gz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
$(DL_FILE)_MD5 = fcec64c26a0f4f4901468f360029678f
$(DL_FILE)_MD5 = 95380bd4081f85ef08c5209f4107e9f8
install : $(TARGET)
@@ -70,6 +70,7 @@ $(subst %,%_MD5,$(objects)) :
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/lzo-2.06-CVE-2014-4607.patch
cd $(DIR_APP) && ./configure --prefix=/usr --enable-shared
cd $(DIR_APP) && make $(MAKETUNING)
cd $(DIR_APP) && make install
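Review bot: Read old-then-new, this section moves lzo from 2.08 back to 2.06 and relies on `lzo-2.06-CVE-2014-4607.patch` for the fix, so the security state of the package now depends on that backport being complete rather than on an upstream release. A comment above the `patch` line should say why the older version is kept and where the backport came from, for example `# 2.06 kept for <reason>; CVE-2014-4607 fix backported from <upstream reference>`. The page has lost its +/- markers, so the direction of the VER change should be confirmed against the repository before relying on this reading.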


@@ -24,7 +24,7 @@
include Config
VER = 1.0.1h
VER = 1.0.1i
THISAPP = openssl-$(VER)
DL_FILE = $(THISAPP).tar.gz
@@ -51,7 +51,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
$(DL_FILE)_MD5 = 8d6d684a9430d5cc98a62a5d8fbda8cf
$(DL_FILE)_MD5 = c8dc151a671b9b92ff3e4c118b174972
install : $(TARGET)


@@ -24,7 +24,7 @@
include Config
VER = 0.2.4.22
VER = 0.2.4.23
THISAPP = tor-$(VER)
DL_FILE = $(THISAPP).tar.gz
@@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = tor
PAK_VER = 7
PAK_VER = 8
DEPS = "libevent2"
@@ -44,7 +44,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
$(DL_FILE)_MD5 = 5a7eee0d9df87233255d78b25c6f8270
$(DL_FILE)_MD5 = 9e39928e310612c3bffee727f554c63f
install : $(TARGET)


@@ -25,8 +25,8 @@
NAME="IPFire" # Software name
SNAME="ipfire" # Short name
VERSION="2.15" # Version number
CORE="80" # Core Level (Filename)
PAKFIRE_CORE="80" # Core Level (PAKFIRE)
CORE="81" # Core Level (Filename)
PAKFIRE_CORE="81" # Core Level (PAKFIRE)
GIT_BRANCH=`git rev-parse --abbrev-ref HEAD` # Git Branch
SLOGAN="www.ipfire.org" # Software slogan
CONFIG_ROOT=/var/ipfire # Configuration rootdir


@@ -64,16 +64,20 @@ iptables_init() {
iptables -A BADTCP -i lo -j RETURN
# Disallow packets frequently used by port-scanners
# nmap xmas
iptables -A BADTCP -p tcp --tcp-flags ALL FIN,URG,PSH -j PSCAN
# Null
iptables -A BADTCP -p tcp --tcp-flags ALL NONE -j PSCAN
# FIN
# NMAP FIN/URG/PSH (XMAS scan)
iptables -A BADTCP -p tcp --tcp-flags ALL FIN,URG,PSH -j PSCAN
# SYN/RST/ACK/FIN/URG
iptables -A BADTCP -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j PSCAN
# ALL/ALL
iptables -A BADTCP -p tcp --tcp-flags ALL ALL -j PSCAN
# FIN Stealth
iptables -A BADTCP -p tcp --tcp-flags ALL FIN -j PSCAN
# SYN/RST (also catches xmas variants that set SYN+RST+...)
iptables -A BADTCP -p tcp --tcp-flags SYN,RST SYN,RST -j PSCAN
# SYN/FIN (QueSO or nmap OS probe)
iptables -A BADTCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j PSCAN
# Null
iptables -A BADTCP -p tcp --tcp-flags ALL NONE -j PSCAN
# NEW TCP without SYN
iptables -A BADTCP -p tcp ! --syn -m conntrack --ctstate NEW -j NEWNOTSYN
@@ -83,6 +87,7 @@ iptables_init() {
# Connection tracking chain
iptables -N CONNTRACK
iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A CONNTRACK -m conntrack --ctstate INVALID -j DROP
# Fix for braindead ISP's
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
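Review bot: The rule `iptables -A CONNTRACK -m conntrack --ctstate INVALID -j DROP`, which appears to be the line this hunk adds to the CONNTRACK chain, discards packets silently, whereas the BADTCP rules above hand their matches to PSCAN or NEWNOTSYN. If those chains log (they are defined outside this hunk), INVALID drops become the one class of rejected traffic that leaves no trace when someone investigates asymmetric routing or a stalled connection. A rate-limited log rule ahead of the drop would cover that, for example `iptables -A CONNTRACK -m conntrack --ctstate INVALID -m limit --limit 10/second -j LOG --log-prefix "DROP_CTINVALID "` (the prefix is a constructed example). iptables_init continues outside the hunk.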


@@ -28,12 +28,18 @@ case "${1}" in
fi
boot_mesg "Starting Random Number Generator Daemon..."
loadproc /usr/sbin/rngd --no-tpm=1
if pidofproc /usr/sbin/rngd &>/dev/null; then
# Is already running.
echo_ok
else
loadproc /usr/sbin/rngd --no-tpm=1
fi
;;
stop)
boot_mesg "Stopping Random Number Generator Daemon..."
killproc /usr/sbin/rngd
killproc -p /var/run/rngd.pid /usr/sbin/rngd
;;
restart)


@@ -22,6 +22,7 @@
############################################################################
#
. /opt/pakfire/lib/functions.sh
extract_backup_includes
make_backup ${NAME}
remove_files


@@ -1,25 +0,0 @@
From 21fd4b8d26d01d622185ab8de971a9ee934220a3 Mon Sep 17 00:00:00 2001
From: Michael Tremer <michael.tremer@ipfire.org>
Date: Thu, 24 Jul 2014 13:23:36 +0200
Subject: [PATCH] Add a program prefix to syslog messages.
---
src/ddns/__init__.py | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/ddns/__init__.py b/src/ddns/__init__.py
index 22764e6..6fe3a33 100644
--- a/src/ddns/__init__.py
+++ b/src/ddns/__init__.py
@@ -42,6 +42,8 @@ def setup_logging():
handler = logging.handlers.SysLogHandler(address="/dev/log",
facility=logging.handlers.SysLogHandler.LOG_DAEMON
)
+ formatter = logging.Formatter("ddns[%(process)d]: %(message)s")
+ handler.setFormatter(formatter)
handler.setLevel(logging.INFO)
rootlogger.addHandler(handler)
--
1.9.3


@@ -0,0 +1,245 @@
diff --git a/minilzo/minilzo.c b/minilzo/minilzo.c
index 34ce0f0..ecfdf66 100644
--- a/minilzo/minilzo.c
+++ b/minilzo/minilzo.c
@@ -3547,6 +3547,8 @@ DO_COMPRESS ( const lzo_bytep in , lzo_uint in_len,
#undef TEST_LBO
#undef NEED_IP
#undef NEED_OP
+#undef TEST_IV
+#undef TEST_OV
#undef HAVE_TEST_IP
#undef HAVE_TEST_OP
#undef HAVE_NEED_IP
@@ -3561,6 +3563,7 @@ DO_COMPRESS ( const lzo_bytep in , lzo_uint in_len,
# if (LZO_TEST_OVERRUN_INPUT >= 2)
# define NEED_IP(x) \
if ((lzo_uint)(ip_end - ip) < (lzo_uint)(x)) goto input_overrun
+# define TEST_IV(x) if ((x) > (lzo_uint)0 - (511)) goto input_overrun
# endif
#endif
@@ -3572,6 +3575,7 @@ DO_COMPRESS ( const lzo_bytep in , lzo_uint in_len,
# undef TEST_OP
# define NEED_OP(x) \
if ((lzo_uint)(op_end - op) < (lzo_uint)(x)) goto output_overrun
+# define TEST_OV(x) if ((x) > (lzo_uint)0 - (511)) goto output_overrun
# endif
#endif
@@ -3602,11 +3606,13 @@ DO_COMPRESS ( const lzo_bytep in , lzo_uint in_len,
# define HAVE_NEED_IP 1
#else
# define NEED_IP(x) ((void) 0)
+# define TEST_IV(x) ((void) 0)
#endif
#if defined(NEED_OP)
# define HAVE_NEED_OP 1
#else
# define NEED_OP(x) ((void) 0)
+# define TEST_OV(x) ((void) 0)
#endif
#if defined(HAVE_TEST_IP) || defined(HAVE_NEED_IP)
@@ -3687,6 +3693,7 @@ DO_DECOMPRESS ( const lzo_bytep in , lzo_uint in_len,
{
t += 255;
ip++;
+ TEST_IV(t);
NEED_IP(1);
}
t += 15 + *ip++;
@@ -3835,6 +3842,7 @@ match:
{
t += 255;
ip++;
+ TEST_OV(t);
NEED_IP(1);
}
t += 31 + *ip++;
@@ -3879,6 +3887,7 @@ match:
{
t += 255;
ip++;
+ TEST_OV(t);
NEED_IP(1);
}
t += 7 + *ip++;
@@ -4073,6 +4082,8 @@ lookbehind_overrun:
#undef TEST_LBO
#undef NEED_IP
#undef NEED_OP
+#undef TEST_IV
+#undef TEST_OV
#undef HAVE_TEST_IP
#undef HAVE_TEST_OP
#undef HAVE_NEED_IP
@@ -4087,6 +4098,7 @@ lookbehind_overrun:
# if (LZO_TEST_OVERRUN_INPUT >= 2)
# define NEED_IP(x) \
if ((lzo_uint)(ip_end - ip) < (lzo_uint)(x)) goto input_overrun
+# define TEST_IV(x) if ((x) > (lzo_uint)0 - (511)) goto input_overrun
# endif
#endif
@@ -4098,6 +4110,7 @@ lookbehind_overrun:
# undef TEST_OP
# define NEED_OP(x) \
if ((lzo_uint)(op_end - op) < (lzo_uint)(x)) goto output_overrun
+# define TEST_OV(x) if ((x) > (lzo_uint)0 - (511)) goto output_overrun
# endif
#endif
@@ -4128,11 +4141,13 @@ lookbehind_overrun:
# define HAVE_NEED_IP 1
#else
# define NEED_IP(x) ((void) 0)
+# define TEST_IV(x) ((void) 0)
#endif
#if defined(NEED_OP)
# define HAVE_NEED_OP 1
#else
# define NEED_OP(x) ((void) 0)
+# define TEST_OV(x) ((void) 0)
#endif
#if defined(HAVE_TEST_IP) || defined(HAVE_NEED_IP)
@@ -4213,6 +4228,7 @@ DO_DECOMPRESS ( const lzo_bytep in , lzo_uint in_len,
{
t += 255;
ip++;
+ TEST_IV(t);
NEED_IP(1);
}
t += 15 + *ip++;
@@ -4361,6 +4377,7 @@ match:
{
t += 255;
ip++;
+ TEST_OV(t);
NEED_IP(1);
}
t += 31 + *ip++;
@@ -4405,6 +4422,7 @@ match:
{
t += 255;
ip++;
+ TEST_OV(t);
NEED_IP(1);
}
t += 7 + *ip++;
diff --git a/src/lzo1_d.ch b/src/lzo1_d.ch
index 40a5bfd..c442d9c 100644
--- a/src/lzo1_d.ch
+++ b/src/lzo1_d.ch
@@ -76,6 +76,8 @@
#undef TEST_LBO
#undef NEED_IP
#undef NEED_OP
+#undef TEST_IV
+#undef TEST_OV
#undef HAVE_TEST_IP
#undef HAVE_TEST_OP
#undef HAVE_NEED_IP
@@ -91,6 +93,7 @@
# if (LZO_TEST_OVERRUN_INPUT >= 2)
# define NEED_IP(x) \
if ((lzo_uint)(ip_end - ip) < (lzo_uint)(x)) goto input_overrun
+# define TEST_IV(x) if ((x) > (lzo_uint)0 - (511)) goto input_overrun
# endif
#endif
@@ -102,6 +105,7 @@
# undef TEST_OP /* don't need both of the tests here */
# define NEED_OP(x) \
if ((lzo_uint)(op_end - op) < (lzo_uint)(x)) goto output_overrun
+# define TEST_OV(x) if ((x) > (lzo_uint)0 - (511)) goto output_overrun
# endif
#endif
@@ -135,11 +139,13 @@
# define HAVE_NEED_IP 1
#else
# define NEED_IP(x) ((void) 0)
+# define TEST_IV(x) ((void) 0)
#endif
#if defined(NEED_OP)
# define HAVE_NEED_OP 1
#else
# define NEED_OP(x) ((void) 0)
+# define TEST_OV(x) ((void) 0)
#endif
diff --git a/src/lzo1b_d.ch b/src/lzo1b_d.ch
index fe5f361..36b4b6b 100644
--- a/src/lzo1b_d.ch
+++ b/src/lzo1b_d.ch
@@ -187,6 +187,7 @@ match:
{
t += 255;
ip++;
+ TEST_OV(t);
NEED_IP(1);
}
t += (M4_MIN_LEN - M3_MIN_LEN) + *ip++;
diff --git a/src/lzo1f_d.ch b/src/lzo1f_d.ch
index 9e942f5..0c2199e 100644
--- a/src/lzo1f_d.ch
+++ b/src/lzo1f_d.ch
@@ -84,6 +84,7 @@ DO_DECOMPRESS ( const lzo_bytep in , lzo_uint in_len,
{
t += 255;
ip++;
+ TEST_IV(t);
NEED_IP(1);
}
t += 31 + *ip++;
@@ -138,6 +139,7 @@ match:
{
t += 255;
ip++;
+ TEST_OV(t);
NEED_IP(1);
}
t += 31 + *ip++;
diff --git a/src/lzo1x_d.ch b/src/lzo1x_d.ch
index 49cf326..c804cc7 100644
--- a/src/lzo1x_d.ch
+++ b/src/lzo1x_d.ch
@@ -120,6 +120,7 @@ DO_DECOMPRESS ( const lzo_bytep in , lzo_uint in_len,
{
t += 255;
ip++;
+ TEST_IV(t);
NEED_IP(1);
}
t += 15 + *ip++;
@@ -273,6 +274,7 @@ match:
{
t += 255;
ip++;
+ TEST_OV(t);
NEED_IP(1);
}
t += 31 + *ip++;
@@ -317,6 +319,7 @@ match:
{
t += 255;
ip++;
+ TEST_OV(t);
NEED_IP(1);
}
t += 7 + *ip++;
diff --git a/src/lzo2a_d.ch b/src/lzo2a_d.ch
index 48e51ca..954f07e 100644
--- a/src/lzo2a_d.ch
+++ b/src/lzo2a_d.ch
@@ -131,6 +131,7 @@ DO_DECOMPRESS ( const lzo_bytep in , lzo_uint in_len,
{
t += 255;
ip++;
+ TEST_OV(t);
NEED_IP(1);
}
t += *ip++;