b24 rel

ChangeLog

@@ -1,4 +1,4 @@
-Version NEXT
+Version 2.8.1b24 - 19 Feb 2005
 	use getopt from stdio.h instead of getopt.h in fspscan.c
 	  fspscan now compiles on AIX and other OS without glibc (hoaxter)
 	!! fixed fatal bug from b23. Server sends large packets to clients if
@@ -10,7 +10,12 @@ Version NEXT
 	started work on alternate SCons based build system
 	fspd: use urandom, not random -> avoid hangs on Lin suck 2.6
 	build system converted to SCons
-	fixed directory listing bug in client library introduced in beta23
+	!! fixed directory listing bug in client library introduced in beta23
+	improvements to security of FSP clients
+	  seq. numbers are now randomized
+	  seed random number generator in fsp clients
+	  check cmd in received packets
+	  check pos in received packets
 
 Version 2.8.1b23 - 14 Jan 2005
 	use srandomdev for seeding of client seq. number generator

TODO

@@ -22,7 +22,7 @@ we should add real,portable error codes support to CC_ERR extended data area.
 
 PORTING
 Sven's Slowaris 8 compile problem
-still not builds on freebsd 4 and FreeBSD 5 - non intel platforms?
+still do not builds on freebsd 4 and FreeBSD 5 - non intel platforms?
 
 NEEDS IMPROVMENT:
 
@@ -37,8 +37,6 @@ LOCKING
 
 CLIENTS 
 :high: 
-bug in directory listing parsing code, fspclient has it also
-  pyfsp and fsplib seems to be ok.
 some client commands should exit with nonzero rc on failure
 
 :low:
@@ -94,6 +92,7 @@ libraries and support for FSP protocol
 DONE: FSP library for Java
 DONE: FSP over HTTP
 DONE: new small,light fsplib for C.
+DONE: fsp backend in gftp
 
 FSP plugin for Netscape/MSIE. 
   Not possible to write protocol plugins with Netscape 3 SDK,
@@ -101,6 +100,7 @@ FSP plugin for Netscape/MSIE.
   we have fsproxy now.
 FSP backend for APT
 FSP support in major ftp programs: lftp,wget,curl
+Gnome vfs2 plugin
 AVFS plugin http://sourceforge.net/projects/avf
 
 LARGEFILES64 how to turn them on:

client/lib.c

@@ -68,12 +68,18 @@ UBUF *client_interact 	(unsigned char cmd, unsigned long pos,
   mlen = d - (unsigned char *) &sbuf;
 
   key = client_get_key();
+  u = random() & 0xfff8;
+  if ( u == myseq )
+  {
+      myseq ^= 0x1080;
+  }
+  else myseq = u;
 
   for(retry_send = 0; ; retry_send++) {
-    total_delay += w_delay;  
+    total_delay += w_delay;
     BB_WRITE2(sbuf.bb_key,key);
-    sbuf.bb_seq[0] = seq0 = (myseq >> 8) & 0xff;
+    sbuf.bb_seq[0] = seq0 = (myseq >> 8) & 0x00ff;
-    sbuf.bb_seq[1] = seq1 = (myseq & 0xf8) | (retry_send & 0x0007);
+    sbuf.bb_seq[1] = seq1 = (myseq & 0x00f8) | (retry_send & 0x0007);
     sbuf.sum = 0;
 
     for(t = (unsigned char *) &sbuf, sum = n = mlen; n--; sum += *t++);
@@ -97,7 +103,7 @@ UBUF *client_interact 	(unsigned char cmd, unsigned long pos,
 	if(client_trace) write(2,"R",1);
 	stat_resends++;
 	break;
-	
+
       default:
 #ifdef CLIENT_TIMEOUT
 	if (total_delay/1000 >= env_timeout ) {
@@ -124,7 +130,7 @@ UBUF *client_interact 	(unsigned char cmd, unsigned long pos,
 	  case EPIPE:
 	       /* try to resend packet */
 	       continue;
-	  default:     
+	  default:
                perror("sendto");
                exit(EX_IOERR);
       }
@@ -138,7 +144,7 @@ UBUF *client_interact 	(unsigned char cmd, unsigned long pos,
 
 #ifdef DEBUG
     printf("Waiting %lu ms for server response.\n",w_delay);
-#endif        
+#endif
     udp_sent_time = time((time_t *) 0);
     gettimeofday(&start[retry_send & 0x7],NULL);
     FD_SET(myfd,&mask);
@@ -166,7 +172,7 @@ UBUF *client_interact 	(unsigned char cmd, unsigned long pos,
 	    stat_bad++;
 	    continue;
 	}
-	
+
 	s = (unsigned char *) &rbuf;
 	d = s + bytes;
 	u = rbuf.sum; rbuf.sum = 0;
@@ -179,7 +185,7 @@ UBUF *client_interact 	(unsigned char cmd, unsigned long pos,
 	    stat_bad++;
 	    continue;
 	}
-	
+        /* check seq. number */
 	if( (rbuf.bb_seq[0] ^ seq0) ||
 	   ((rbuf.bb_seq[1] ^ seq1)&0xf8)) 
 	{
@@ -188,7 +194,23 @@ UBUF *client_interact 	(unsigned char cmd, unsigned long pos,
 	    stat_dupes++;
 	    continue;
 	}
-	myseq = (myseq + 0x0008) & 0xfff8;  /* seq for next request */
+	/* check command */
+        if (cmd != rbuf.cmd && rbuf.cmd != CC_ERR)
+	{
+            if (client_trace) write(2,"C",1);
+	    stat_bad++;
+	    continue;
+	}
+	/* check pos */
+	if (BB_READ4(rbuf.bb_pos) != pos && (cmd == CC_GET_DIR ||
+	    cmd == CC_GET_FILE || cmd == CC_UP_LOAD || cmd == CC_INFO ||
+	    cmd == CC_GRAB_FILE))
+	{
+	    /* wrong seq # */
+            if (client_trace) write(2,"P",1);
+	    stat_bad++;
+	    continue;
+	}
 	key = BB_READ2(rbuf.bb_key); /* key for next request */
 	/* calculate real busy delay */
         gettimeofday(&stop,NULL);
@@ -196,7 +218,7 @@ UBUF *client_interact 	(unsigned char cmd, unsigned long pos,
 	busy_delay += (stop.tv_usec-start[rbuf.bb_seq[1] & 0x7].tv_usec)/1000;
 #ifdef DEBUG
     printf("Server reply RTT was %lu ms.\n",busy_delay);
-#endif        
+#endif
 	client_set_key(key);
 	stat_ok++;
 
@@ -234,6 +256,8 @@ void init_client (const char * host, unsigned short port, unsigned short myport)
   stat_resends = stat_iresends = stat_dupes = stat_bad = stat_ok;
 #ifdef HAVE_SRANDOMDEV
   srandomdev();
+#else
+  srandom(getpid()*time(NULL));
 #endif
   myseq = random() & 0xfff8;
 
@@ -253,7 +277,7 @@ void init_client (const char * host, unsigned short port, unsigned short myport)
 
 void client_finish(void)
 {
-  env_timeout=10;  
+  env_timeout=10;
   (void) client_interact(CC_BYE, 0L, 0, (unsigned char *)NULLP, 0,
 			 (unsigned char *)NULLP);
   client_destroy_key();

include/common_def.h

@@ -54,7 +54,7 @@
 #define UBUF_HSIZE 12                           /* 12 bytes for the header */
 #define UBUF_SPACE 1024			        /* maximum standard payload. */
 #define UBUF_MAXSPACE 4096                      /* maximum payload supported by server */
-#define DEFAULT_SPACE 1200			/* Default packet size */
+#define DEFAULT_SPACE 1370			/* Default packet size */
 
 #define NBSIZE (UBUF_MAXSPACE+UBUF_SPACE)