From: <jk...@us...> - 2003-02-22 03:41:01
Update of /cvsroot/msyslog/syslog/src/modules In directory sc8-pr-cvs1:/tmp/cvs-serv14655/src/modules Modified Files: im_bsd.c im_file.c im_serial.c im_tcp.c im_udp.c Log Message: Fix at least five buffer overflows around strncat(3) calls. It's very likely most of them (if not all) were exploitable. Be warned, as I don't use this software myself, and given the changes are minor, I didn't bother to test these modifications beyond checking the program still compiles cleanly. I'm positive I didn't break anything, though.
Index: im_bsd.c
===================================================================
RCS file: /cvsroot/msyslog/syslog/src/modules/im_bsd.c,v
retrieving revision 1.86
retrieving revision 1.87
diff -u -d -r1.86 -r1.87
--- im_bsd.c 17 Sep 2002 05:20:27 -0000 1.86
+++ im_bsd.c 22 Feb 2003 03:40:58 -0000 1.87
@@ -92,8 +92,8 @@
 char *p, *q, *lp;
 int i, c;
- strncpy(ret->im_msg, _PATH_UNIX, sizeof(ret->im_msg) - 4);
- strncat(ret->im_msg, ": ", 2);
+ assert(sizeof (ret->im_msg) >= sizeof (_PATH_UNIX ": "));
+ snprintf(ret->im_msg, sizeof (ret->im_msg), _PATH_UNIX ": ");
 lp = ret->im_msg + strlen(ret->im_msg);
 i = read(im->im_fd, im->im_buf, sizeof(im->im_buf) - 1);
Index: im_file.c
===================================================================
RCS file: /cvsroot/msyslog/syslog/src/modules/im_file.c,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -d -r1.8 -r1.9
--- im_file.c 17 Sep 2002 05:20:27 -0000 1.8
+++ im_file.c 22 Feb 2003 03:40:58 -0000 1.9
@@ -303,7 +303,8 @@
 m_dprintf(MSYSLOG_INFORMATIVE, "im_file_read: append current line with prior partial message: [%s] [%s]\n", c->saveline, thisline);
- strncat(c->saveline, thisline, sizeof(c->saveline) - 1);
+ strncat(c->saveline, thisline,
+ sizeof(c->saveline) - strlen(c->saveline) - 1);
 c->saveline[sizeof(c->saveline) - 1] = '\0';
 thisline = c->saveline;
 }
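Review bot: In the im_bsd.c hunk the new `snprintf` call passes `_PATH_UNIX ": "` as the format string, so any `%` in that macro would be read as a conversion; `snprintf(ret->im_msg, sizeof(ret->im_msg), "%s: ", _PATH_UNIX);` keeps the path as data. The `assert` above it compares two compile-time constants, yet it only fires at run time and is compiled out under `NDEBUG`; checking the return value of `snprintf` against `sizeof(ret->im_msg)` would cover truncation in every build. Whether `<assert.h>` is included is not visible here, and the function continues outside the hunk.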
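Review bot: The new bound `sizeof(c->saveline) - strlen(c->saveline) - 1` in the im_file.c hunk at -303 is unsigned arithmetic, so it is only safe while `c->saveline` holds a terminated string shorter than the array; if `strlen` ever returns `sizeof(c->saveline)` or more, the subtraction wraps to a very large count and the append is unbounded again. How `saveline` is filled lies outside the hunk, so I would either confirm that invariant or guard it, e.g. `size_t used = strlen(c->saveline); if (used < sizeof(c->saveline) - 1) strncat(c->saveline, thisline, sizeof(c->saveline) - used - 1);`. The same expression appears in the first im_serial.c hunk, in im_tcp.c and in im_udp.c, and the same comment applies there. An over-long line is also still truncated silently; a debug message on truncation would help whoever later reads the logs.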
@@ -358,8 +359,10 @@
 /* put the hostname into the message */
 /*
- strncat(ret->im_msg, c->name, sizeof(ret->im_msg) - 1);
- strncat(ret->im_msg, ":", sizeof(ret->im_msg) - 1);
+ strncat(ret->im_msg, c->name,
+ sizeof(ret->im_msg) - strlen(ret->im_msg) - 1);
+ strncat(ret->im_msg, ":",
+ sizeof(ret->im_msg) - strlen(ret->im_msg) - 1);
 m_dprintf(MSYSLOG_INFORMATIVE, "im_file_read: reformed header: [%s]\n", ret->im_msg);
 */
Index: im_serial.c
===================================================================
RCS file: /cvsroot/msyslog/syslog/src/modules/im_serial.c,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -d -r1.3 -r1.4
--- im_serial.c 26 Sep 2002 18:09:35 -0000 1.3
+++ im_serial.c 22 Feb 2003 03:40:58 -0000 1.4
@@ -261,7 +261,8 @@
 m_dprintf(MSYSLOG_INFORMATIVE, "im_serial_read: append current line with prior partial message: [%s] [%s]\n", c->saveline, thisline);
- strncat(c->saveline, thisline, sizeof(c->saveline) - 1);
+ strncat(c->saveline, thisline,
+ sizeof(c->saveline) - strlen(c->saveline) - 1);
 c->saveline[sizeof(c->saveline) - 1] = '\0';
 thisline = c->saveline;
 }
@@ -315,8 +316,10 @@
 }
 /* put the hostname into the message */
- strncat(ret->im_msg, c->name, sizeof(ret->im_msg) - 1);
- strncat(ret->im_msg, ":", sizeof(ret->im_msg) - 1);
+ strncat(ret->im_msg, c->name,
+ sizeof(ret->im_msg) - strlen(ret->im_msg) - 1);
+ strncat(ret->im_msg, ":",
+ sizeof(ret->im_msg) - strlen(ret->im_msg) - 1);
 m_dprintf(MSYSLOG_INFORMATIVE, "im_serial_read: reformed header: [%s]\n", ret->im_msg);
 if (ret->im_pri &~ (LOG_FACMASK|LOG_PRIMASK)) ret->im_pri = DEFSPRI;
Index: im_tcp.c
===================================================================
RCS file: /cvsroot/msyslog/syslog/src/modules/im_tcp.c,v
retrieving revision 1.43
retrieving revision 1.44
diff -u -d -r1.43 -r1.44
--- im_tcp.c 17 Sep 2002 06:30:41 -0000 1.43
+++ im_tcp.c 22 Feb 2003 03:40:58 -0000 1.44
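Review bot: The four added lines in the im_file.c hunk at -358 sit between the `/*` and `*/` shown as context, so as far as the hunk shows they are commented-out code and this part of the change has no effect on the built module. Keeping a disabled copy in step with the live version in im_serial.c invites drift, and it makes the commit look as if it hardens a path that is not compiled. I would delete the commented block here, or, if it is meant to return, leave a one-line comment saying why it is disabled instead of the code itself.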
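Review bot: In the second im_serial.c hunk (-315), when `c->name` fills the remaining space the following `strncat` of `":"` receives a bound of zero and the separator is dropped without any indication, leaving a header with no delimiter between the name and the message text. Building the prefix in one bounded call and checking the result would make that case visible, for example `n = snprintf(ret->im_msg + used, sizeof(ret->im_msg) - used, "%s:", c->name);` with `used = strlen(ret->im_msg)`, and logging when `n` is not smaller than the space left. Where `c->name` comes from and what `ret->im_msg` holds at this point are outside the hunk.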
@@ -362,7 +362,8 @@
 m_dprintf(MSYSLOG_INFORMATIVE, "im_tcp_read: append current line with prior partial message: [%s] [%s]\n", con->saveline, thisline);
- strncat(con->saveline, thisline, sizeof(con->saveline) - 1);
+ strncat(con->saveline, thisline,
+ sizeof(con->saveline) - strlen(con->saveline) - 1);
 con->saveline[sizeof(con->saveline) - 1] = '\0';
 thisline = con->saveline;
 }
Index: im_udp.c
===================================================================
RCS file: /cvsroot/msyslog/syslog/src/modules/im_udp.c,v
retrieving revision 1.79
retrieving revision 1.80
diff -u -d -r1.79 -r1.80
--- im_udp.c 25 Sep 2002 22:50:16 -0000 1.79
+++ im_udp.c 22 Feb 2003 03:40:58 -0000 1.80
@@ -230,7 +230,8 @@
 ret->im_msg[n1++] = ret->im_msg[n2++];
 ret->im_msg[n1] = '\0';
- strncat(ret->im_host, host, sizeof(ret->im_host));
+ strncat(ret->im_host, host,
+ sizeof(ret->im_host) - strlen(ret->im_host) - 1);
 ret->im_host[sizeof (ret->im_host) - 1] = '\0';
 }
|
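Review bot: In the im_udp.c hunk the call still appends to `ret->im_host`, so the result depends on whatever that buffer holds when this line runs; the hunk does not show it being cleared first. If the intent is to set the host name, not to extend an existing one, a bounded copy such as `snprintf(ret->im_host, sizeof(ret->im_host), "%s", host);` removes that dependency and makes the explicit terminator on the next line unnecessary. Since `host` presumably originates from the network side of the module, a comment stating that it is untrusted and may be truncated would also be worth adding above the call.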