[Msyslog-cvs] syslog/src/modules im_bsd.c,1.86,1.87 im_file.c,1.8,1.9 im_serial.c,1.3,1.4 im_tcp.c,1

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Update of /cvsroot/msyslog/syslog/src/modules
In directory sc8-pr-cvs1:/tmp/cvs-serv14655/src/modules

Modified Files:
	im_bsd.c im_file.c im_serial.c im_tcp.c im_udp.c 
Log Message:
Fix at least five buffer overflows around strncat(3) calls. It's very likely most of them (if not all) were exploitable.

Be warned, as I don't use this software myself, and given the changes are minor, I didn't bother to test these modifications beyond checking the program still compiles cleanly. I'm positive I didn't break anything, though.


Index: im_bsd.c
===================================================================
RCS file: /cvsroot/msyslog/syslog/src/modules/im_bsd.c,v
retrieving revision 1.86
retrieving revision 1.87
diff -u -d -r1.86 -r1.87

--- im_bsd.c	17 Sep 2002 05:20:27 -0000	1.86
+++ im_bsd.c	22 Feb 2003 03:40:58 -0000	1.87
@@ -92,8 +92,8 @@
 	char *p, *q, *lp;
 	int i, c;
 
-	strncpy(ret->im_msg, _PATH_UNIX, sizeof(ret->im_msg) - 4);
-	strncat(ret->im_msg, ": ", 2);
+	assert(sizeof (ret->im_msg) >= sizeof (_PATH_UNIX ": "));
+	snprintf(ret->im_msg, sizeof (ret->im_msg), _PATH_UNIX ": ");
 	lp = ret->im_msg + strlen(ret->im_msg);
 
 	i = read(im->im_fd, im->im_buf, sizeof(im->im_buf) - 1);

Index: im_file.c
===================================================================
RCS file: /cvsroot/msyslog/syslog/src/modules/im_file.c,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -d -r1.8 -r1.9
--- im_file.c	17 Sep 2002 05:20:27 -0000	1.8
+++ im_file.c	22 Feb 2003 03:40:58 -0000	1.9
@@ -303,7 +303,8 @@
       m_dprintf(MSYSLOG_INFORMATIVE,
           "im_file_read: append current line with prior partial message: [%s] [%s]\n",
           c->saveline, thisline);
-      strncat(c->saveline, thisline, sizeof(c->saveline) - 1);
+      strncat(c->saveline, thisline,
+	      sizeof(c->saveline) - strlen(c->saveline) - 1);
       c->saveline[sizeof(c->saveline) - 1] = '\0';
       thisline = c->saveline;
     }
@@ -358,8 +359,10 @@
 
       /* put the hostname into the message */
       /*
-		  strncat(ret->im_msg, c->name, sizeof(ret->im_msg) - 1);
-	  	strncat(ret->im_msg, ":", sizeof(ret->im_msg) - 1);
+		  strncat(ret->im_msg, c->name,
+		  sizeof(ret->im_msg) - strlen(ret->im_msg) - 1);
+	  	strncat(ret->im_msg, ":",
+		sizeof(ret->im_msg) - strlen(ret->im_msg) - 1);
 	  	m_dprintf(MSYSLOG_INFORMATIVE, "im_file_read: reformed header: [%s]\n", ret->im_msg);
       */
 

Index: im_serial.c
===================================================================
RCS file: /cvsroot/msyslog/syslog/src/modules/im_serial.c,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -d -r1.3 -r1.4
--- im_serial.c	26 Sep 2002 18:09:35 -0000	1.3
+++ im_serial.c	22 Feb 2003 03:40:58 -0000	1.4
@@ -261,7 +261,8 @@
       m_dprintf(MSYSLOG_INFORMATIVE,
           "im_serial_read: append current line with prior partial message: [%s] [%s]\n",
           c->saveline, thisline);
-      strncat(c->saveline, thisline, sizeof(c->saveline) - 1);
+      strncat(c->saveline, thisline,
+	      sizeof(c->saveline) - strlen(c->saveline) - 1);
       c->saveline[sizeof(c->saveline) - 1] = '\0';
       thisline = c->saveline;
     }
@@ -315,8 +316,10 @@
 		  }
 
       /* put the hostname into the message */
-		  strncat(ret->im_msg, c->name, sizeof(ret->im_msg) - 1);
-	  	strncat(ret->im_msg, ":", sizeof(ret->im_msg) - 1);
+		  strncat(ret->im_msg, c->name,
+			  sizeof(ret->im_msg) - strlen(ret->im_msg) - 1);
+	  	strncat(ret->im_msg, ":",
+			sizeof(ret->im_msg) - strlen(ret->im_msg) - 1);
 	  	m_dprintf(MSYSLOG_INFORMATIVE, "im_serial_read: reformed header: [%s]\n", ret->im_msg);
 
 	  	if (ret->im_pri &~ (LOG_FACMASK|LOG_PRIMASK)) ret->im_pri = DEFSPRI;

Index: im_tcp.c
===================================================================
RCS file: /cvsroot/msyslog/syslog/src/modules/im_tcp.c,v
retrieving revision 1.43
retrieving revision 1.44
diff -u -d -r1.43 -r1.44
--- im_tcp.c	17 Sep 2002 06:30:41 -0000	1.43
+++ im_tcp.c	22 Feb 2003 03:40:58 -0000	1.44
@@ -362,7 +362,8 @@
 				m_dprintf(MSYSLOG_INFORMATIVE,
 					      "im_tcp_read: append current line with prior partial message: [%s] [%s]\n",
 					      con->saveline, thisline);
-				strncat(con->saveline, thisline, sizeof(con->saveline) - 1);
+				strncat(con->saveline, thisline,
+					sizeof(con->saveline) - strlen(con->saveline) - 1);
 				con->saveline[sizeof(con->saveline) - 1] = '\0';
 				thisline = con->saveline;
 			}

Index: im_udp.c
===================================================================
RCS file: /cvsroot/msyslog/syslog/src/modules/im_udp.c,v
retrieving revision 1.79
retrieving revision 1.80
diff -u -d -r1.79 -r1.80
--- im_udp.c	25 Sep 2002 22:50:16 -0000	1.79
+++ im_udp.c	22 Feb 2003 03:40:58 -0000	1.80
@@ -230,7 +230,8 @@
 			ret->im_msg[n1++] = ret->im_msg[n2++];
 		ret->im_msg[n1] = '\0';
 
-		strncat(ret->im_host, host, sizeof(ret->im_host));
+		strncat(ret->im_host, host,
+			sizeof(ret->im_host) - strlen(ret->im_host) - 1);
 		ret->im_host[sizeof (ret->im_host) - 1] = '\0';
 	}
 






[Msyslog-cvs] syslog/src/modules im_bsd.c,1.86,1.87 im_file.c,1.8,1.9 im_serial.c,1.3,1.4 im_tcp.c,1

[Msyslog-cvs] syslog/src/modules im_bsd.c,1.86,1.87 im_file.c,1.8,1.9 im_serial.c,1.3,1.4 im_tcp.c,1.43,1.44 im_udp.c,1.79,1.80