From cba012157413195706b9a6193020ac3bcc136a9f Mon Sep 17 00:00:00 2001 From: Jan Vidar Krey Date: Mon, 30 Jul 2012 00:08:12 +0200 Subject: [PATCH] ADCH++ had a security bug that allowed UCMD extension to be relayed. uhub did not have this security bug since the hub did not advertise support for the UCMD extension, but the message was still correctly relayed as specified in the protocol specification. However, this commit adds support for the UCMD extension, but only to the extent that uhub will advertise it and uhub will also drop any such CMD message generated by a client and will (currently) never issues a CMD message by itself. --- src/adc/adcconst.h | 11 ++++++++++- src/core/hub.c | 8 ++++++++ 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/src/adc/adcconst.h b/src/adc/adcconst.h index fc556ba..c4c5c8d 100644 --- a/src/adc/adcconst.h +++ b/src/adc/adcconst.h @@ -33,7 +33,7 @@ typedef uint32_t fourcc_t; #define FOURCC(a,b,c,d) (fourcc_t) ((a << 24) | (b << 16) | (c << 8) | d) /* default welcome protocol support message, as sent by this server */ -#define ADC_PROTO_SUPPORT "ADBASE ADTIGR ADPING" +#define ADC_PROTO_SUPPORT "ADBASE ADTIGR ADPING ADUCMD" /* Server sent commands */ #define ADC_CMD_ISID FOURCC('I','S','I','D') @@ -93,6 +93,15 @@ typedef uint32_t fourcc_t; /* Extension messages */ #define ADC_CMD_HCHK FOURCC('H','C','H','K') +/* UCMD Extension */ +#define ADC_CMD_BCMD FOURCC('B','C','M','D') +#define ADC_CMD_DCMD FOURCC('D','C','M','D') +#define ADC_CMD_ECMD FOURCC('E','C','M','D') +#define ADC_CMD_FCMD FOURCC('F','C','M','D') +#define ADC_CMD_HCMD FOURCC('H','C','M','D') +#define ADC_CMD_ICMD FOURCC('I','C','M','D') + + #define ADC_INF_FLAG_IPV4_ADDR "I4" /* ipv4 address */ #define ADC_INF_FLAG_IPV6_ADDR "I6" /* ipv6 address */ #define ADC_INF_FLAG_IPV4_UDP_PORT "U4" /* port number */ diff --git a/src/core/hub.c b/src/core/hub.c index bc18ad5..8697f96 100644 --- a/src/core/hub.c +++ b/src/core/hub.c @@ -129,6 +129,14 @@ int hub_handle_message(struct hub_info* hub, struct hub_user* u, const char* lin CHECK_FLOOD(connect, 1); ROUTE_MSG; + case ADC_CMD_BCMD: + case ADC_CMD_DCMD: + case ADC_CMD_ECMD: + case ADC_CMD_FCMD: + case ADC_CMD_HCMD: + CHECK_FLOOD(extras, 1); + break; + default: CHECK_FLOOD(extras, 1); ROUTE_MSG;