From b110bf96d4687ccc35c717dbc750bbb6fa420ee0 Mon Sep 17 00:00:00 2001
From: Karl Ramm <kcr@1ts.org>
Date: Sun, 22 Aug 2010 00:56:13 +0000
Subject: Fix some formatting, and add some paranoia about oversized headers.
 (Thanks to nelhage@mit.edu for noticing the formatting problem)

---
 server/dispatch.c | 25 +++++++++++++++----------
 1 file changed, 15 insertions(+), 10 deletions(-)

(limited to 'server/dispatch.c')

diff --git a/server/dispatch.c b/server/dispatch.c
index cdc589c..2e701c3 100644
--- a/server/dispatch.c
+++ b/server/dispatch.c
@@ -631,16 +631,21 @@ xmit(ZNotice_t *notice,
             return;
           }
 
-          if (notice->z_multinotice && strcmp(notice->z_multinotice, ""))
-            if (sscanf(notice->z_multinotice, "%d/%d", &origoffset, &origlen)
-                != 2)
-              {
-                syslog(LOG_WARNING, "xmit unauth refrag: parse failed");
-                free(buffer);
-                return;
-              }
-
-              fragsize = Z_MAXPKTLEN-hdrlen-Z_FRAGFUDGE;
+          if (notice->z_multinotice && strcmp(notice->z_multinotice, "")) {
+	      if (sscanf(notice->z_multinotice, "%d/%d", &origoffset,
+			 &origlen) != 2) {
+		  syslog(LOG_WARNING, "xmit unauth refrag: parse failed");
+		  free(buffer);
+		  return;
+	      }
+	  }
+
+	  fragsize = Z_MAXPKTLEN - hdrlen - Z_FRAGFUDGE;
+
+	  if (fragsize < 0) {
+	      syslog(LOG_ERR, "xmit: negative fragsize, dropping packet");
+	      return;
+	  }
 
           while (offset < notice->z_message_len || !notice->z_message_len) {
             (void) sprintf(multi, "%d/%d", offset+origoffset, origlen);
-- 
cgit v1.2.3