Check the IP address of the remote host before any communication occurs.

Check for a errors before trsuting values that came from remote.  Make sure
that strings are 0-terminated.

ChangeLog

@@ -1,3 +1,10 @@
+2003-02-09  Henning Meier-Geinitz <henning@meier-geinitz.de>
+
+	* frontend/saned.c sanei/sanei_codec_bin.c sanei/sanei_wire.c: Check
+	  the IP address of the remote host before any communication occurs.
+	  Check for a errors before trsuting values that came from remote.
+	  Make sure that strings are 0-terminated.
+
 2003-02-09   Stéphane Voltz  <svoltz@wanadoo.fr>
 
         * backend/umax_pp.c: fixed big bug related to color plane

frontend/saned.c

@@ -183,6 +183,12 @@ auth_callback (SANE_String_Const res,
       return;
     }
 
+  if (wire.status)
+    {
+      DBG(DBG_ERR, "auth_callback: bad status %d\n", wire.status);
+      return;
+    }
+
   switch (current_request)
     {
     case SANE_NET_OPEN:
@@ -222,10 +228,24 @@ auth_callback (SANE_String_Const res,
 	   current_request, res);
       break;
     }
+
+  if (wire.status)
+    {
+      DBG(DBG_ERR, "auth_callback: bad status %d\n", wire.status);
+      return;
+    }
+
   reset_watchdog ();
 
   sanei_w_set_dir (&wire, WIRE_DECODE);
   sanei_w_word (&wire, &word);
+
+  if (wire.status)
+    {
+      DBG(DBG_ERR, "auth_callback: bad status %d\n", wire.status);
+      return;
+    }
+
   procnum = word;
   if (procnum != SANE_NET_AUTHORIZE)
     {
@@ -237,6 +257,12 @@ auth_callback (SANE_String_Const res,
     }
 
   sanei_w_authorization_req (&wire, &req);
+  if (wire.status)
+    {
+      DBG(DBG_ERR, "auth_callback: bad status %d\n", wire.status);
+      return;
+    }
+
   if (req.username)
     strcpy (username, req.username);
   if (req.password)
@@ -514,30 +540,51 @@ init (Wire * w)
 
   reset_watchdog ();
 
-  sanei_w_set_dir (w, WIRE_DECODE);
+  status = check_host (w->io.fd);
-  sanei_w_word (w, &word);	/* decode procedure number */
+  if (status != SANE_STATUS_GOOD)
-  sanei_w_init_req (w, &req);
+    {
-  w->version = SANEI_NET_PROTOCOL_VERSION;
+      DBG (DBG_WARN, "init: access by host %s denied\n", remote_hostname);
+      return -1;
+    }
 
+  sanei_w_set_dir (w, WIRE_DECODE);
+  if (w->status)
+    {
+      DBG (DBG_ERR, "init: bad status after sanei_w_set_dir: %d\n", w->status);
+      return -1;
+    }
+  
+  sanei_w_word (w, &word);	/* decode procedure number */
   if (w->status || word != SANE_NET_INIT)
     {
       DBG (DBG_ERR, "init: bad status=%d or procnum=%d\n",
 	   w->status, word);
       return -1;
     }
+
+  sanei_w_init_req (w, &req);
+  if (w->status)
+    {
+      DBG (DBG_ERR, "init: bad status after sanei_w_init_req: %d\n", w->status);
+      return -1;
+    }
+
+  w->version = SANEI_NET_PROTOCOL_VERSION;
   if (req.username)
     default_username = strdup (req.username);
 
   sanei_w_free (w, (WireCodecFunc) sanei_w_init_req, &req);
+  if (w->status)
+    {
+      DBG (DBG_ERR, "init: bad status after sanei_w_free: %d\n", w->status);
+      return -1;
+    }
 
   reply.version_code = SANE_VERSION_CODE (V_MAJOR, V_MINOR,
 					  SANEI_NET_PROTOCOL_VERSION);
 
-  status = check_host (w->io.fd);
+  DBG (DBG_WARN, "init: access by %s@%s accepted\n",
-
+       default_username, remote_hostname);
-  DBG (DBG_WARN, "init: access by %s@%s %s\n",
-       default_username, remote_hostname,
-       (status == SANE_STATUS_GOOD) ? "accepted" : "rejected");
 
   if (status == SANE_STATUS_GOOD)
     {
@@ -823,6 +870,14 @@ process_request (Wire * w)
   DBG (DBG_DBG, "process_request: waiting for request\n");
   sanei_w_set_dir (w, WIRE_DECODE);
   sanei_w_word (w, &word);	/* decode procedure number */
+
+  if (w->status)
+    {
+      DBG (DBG_ERR,
+	   "process_request: bad status %d\n", w->status);
+      quit (0);
+    }
+
   current_request = word;
 
   DBG (DBG_MSG, "process_request: got request %d\n", current_request);

sanei/sanei_codec_bin.c

@@ -54,6 +54,9 @@ bin_w_byte (Wire *w, void *v)
   SANE_Byte *b = v;
 
   sanei_w_space (w, 1);
+  if (w->status)
+    return;
+
   switch (w->direction)
     {
     case WIRE_ENCODE:
@@ -82,8 +85,14 @@ bin_w_string (Wire *w, void *v)
 	len = strlen (*s) + 1;
     }
   sanei_w_array (w, &len, v, w->codec.w_byte, 1);
-  if (w->direction == WIRE_DECODE && !len)
+
-    *s = 0;
+  if (w->direction == WIRE_DECODE)
+    {
+      if (len == 0)
+	*s = 0;
+      else if (w->status == 0)
+	*(*s + len - 1) = '\0';
+    }
 }
 
 static void
@@ -92,6 +101,8 @@ bin_w_word (Wire *w, void *v)
   SANE_Word val, *word = v;
 
   sanei_w_space (w, 4);
+  if (w->status)
+    return;
   switch (w->direction)
     {
     case WIRE_ENCODE:

sanei/sanei_wire.c

@@ -192,8 +192,14 @@ sanei_w_array (Wire * w, SANE_Word * len_ptr, void **v,
     len = *len_ptr;
   DBG (4, "sanei_w_array: send/receive array length\n");
   sanei_w_word (w, &len);
-  DBG (4, "sanei_w_array: array has %d elements\n", len);
 
+  if (w->status)
+    {
+      DBG (1, "sanei_w_array: bad status: %d\n", w->status);
+      return;
+    }
+  DBG (4, "sanei_w_array: array has %d elements\n", len);
+      
   if (w->direction == WIRE_DECODE)
     {
       *len_ptr = len;
@@ -219,6 +225,11 @@ sanei_w_array (Wire * w, SANE_Word * len_ptr, void **v,
     {
       (*w_element) (w, val);
       val += element_size;
+      if (w->status)
+	{
+	  DBG (1, "sanei_w_array: bad status: %d\n", w->status);
+	  return;
+	}
     }
   DBG (4, "sanei_w_array: done\n");
 }
@@ -251,6 +262,11 @@ sanei_w_ptr (Wire * w, void **v, WireCodecFunc w_value, size_t value_size)
 
   DBG (4, "sanei_w_ptr: send/receive is_null\n");
   sanei_w_word (w, &is_null);
+  if (w->status)
+    {
+      DBG (1, "sanei_w_ptr: bad status: %d\n", w->status);
+      return;
+    }
 
   if (!is_null)
     {
@@ -307,7 +323,7 @@ sanei_w_string (Wire * w, SANE_String * v)
 {
   DBG (3, "sanei_w_string: wire %d\n", w->io.fd);
   (*w->codec.w_string) (w, v);
-  if (w->direction != WIRE_FREE)
+  if (w->direction != WIRE_FREE && w->status == 0)
     DBG (4, "sanei_w_string: value = %s\n", *v);
 }