Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/netbsd-1-4]: src/usr.sbin/amd/libamu pull up rev 1.4 from trunk (request...
details: https://anonhg.NetBSD.org/src/rev/9932b761a648
branches: netbsd-1-4
changeset: 469454:9932b761a648
user: cgd <cgd%NetBSD.org@localhost>
date: Tue Sep 21 04:58:32 1999 +0000
description:
pull up rev 1.4 from trunk (requested by christos):
Upgrade amd(8) and related software to fix expoitable stack overflows
in amq(8), as reported in BUGTRAQ and elsewhere.
diffstat:
usr.sbin/amd/libamu/xutil.c | 49 ++++++++++++++++++++++++++++++++------------
1 files changed, 35 insertions(+), 14 deletions(-)
diffs (118 lines):
diff -r 56c63cf58b27 -r 9932b761a648 usr.sbin/amd/libamu/xutil.c
--- a/usr.sbin/amd/libamu/xutil.c Tue Sep 21 04:58:27 1999 +0000
+++ b/usr.sbin/amd/libamu/xutil.c Tue Sep 21 04:58:32 1999 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: xutil.c,v 1.3 1999/02/01 19:05:13 christos Exp $ */
+/* $NetBSD: xutil.c,v 1.3.2.1 1999/09/21 04:58:32 cgd Exp $ */
/*
* Copyright (c) 1997-1999 Erez Zadok
@@ -40,7 +40,7 @@
*
* %W% (Berkeley) %G%
*
- * Id: xutil.c,v 1.3 1999/01/10 21:54:39 ezk Exp
+ * Id: xutil.c,v 1.5 1999/08/24 21:31:10 ezk Exp
*
*/
@@ -50,7 +50,12 @@
#include <am_defs.h>
#include <amu.h>
-FILE *logfp = stderr; /* Log errors to stderr initially */
+/*
+ * Logfp is the default logging device, and is initialized to stderr by
+ * default in dplog/plog below, and in
+ * amd/amfs_program.c:amfs_program_exec().
+ */
+FILE *logfp = NULL;
static char *am_progname = "unknown"; /* "amd" */
static char am_hostname[MAXHOSTNAMELEN + 1] = "unknown"; /* Hostname */
@@ -274,34 +279,38 @@
/*
* Take a log format string and expand occurrences of %m
- * with the current error code taken from errno.
+ * with the current error code taken from errno. Make sure
+ * 'e' never gets longer than maxlen characters.
*/
static void
-expand_error(char *f, char *e)
+expand_error(char *f, char *e, int maxlen)
{
extern int sys_nerr;
- char *p;
+ char *p, *q;
int error = errno;
+ int len = 0;
- for (p = f; (*e = *p); e++, p++) {
+ for (p = f, q = e; (*q = *p) && len < maxlen; len++, q++, p++) {
if (p[0] == '%' && p[1] == 'm') {
+ const char *errstr;
#ifdef HAVE_STRERROR
- strcpy(e, strerror(error));
+ errstr = strerror(error);
#else
- const char *errstr;
if (error < 0 || error >= sys_nerr)
errstr = NULL;
else
errstr = sys_errlist[error];
+#endif
if (errstr)
- strcpy(e, errstr);
+ strcpy(q, errstr);
else
- sprintf(e, "Error %d", error);
-#endif
- e += strlen(e) - 1;
+ sprintf(q, "Error %d", error);
+ len += strlen(q) - 1;
+ q += strlen(q) - 1;
p++;
}
}
+ e[maxlen-1] = '\0'; /* null terminate, to be sure */
}
@@ -373,6 +382,9 @@
{
va_list ap;
+ if (!logfp)
+ logfp = stderr; /* initialize before possible first use */
+
va_start(ap, fmt);
real_plog(XLOG_DEBUG, fmt, ap);
va_end(ap);
@@ -385,6 +397,9 @@
{
va_list ap;
+ if (!logfp)
+ logfp = stderr; /* initialize before possible first use */
+
va_start(ap, fmt);
real_plog(lvl, fmt, ap);
va_end(ap);
@@ -407,9 +422,15 @@
checkup_mem();
#endif /* DEBUG_MEM */
- expand_error(fmt, efmt);
+ expand_error(fmt, efmt, 1024);
+ /*
+ * XXX: ptr is 1024 bytes long. It is possible to write into it
+ * more than 1024 bytes, if efmt is already large, and vargs expand
+ * as well.
+ */
vsprintf(ptr, efmt, vargs);
+ msg[1023] = '\0'; /* null terminate, to be sure */
ptr += strlen(ptr);
if (ptr[-1] == '\n')
Home |
Main Index |
Thread Index |
Old Index