"Fossies" - the Fresh Open Source Software archive 
Member "slirp-1.0.16/security.patch" of archive slirp-1.0.16.tar.gz:
diff -NurbB slirp-1.0.14pre1/src/debug.c slirp-1.0.14pre1-new/src/debug.c
--- slirp-1.0.14pre1/src/debug.c 2000-09-30 15:23:36.000000000 -0700
+++ slirp-1.0.14pre1-new/src/debug.c 2004-06-19 19:01:38.000000000 -0700
@@ -299,7 +299,8 @@
for (so = tcb.so_next; so != &tcb; so = so->so_next) {
- n = sprintf(buff, "tcp[%s]", so->so_tcpcb?tcpstates[so->so_tcpcb->t_state]:"NONE");
+ n = snprintf(buff, sizeof(buff), "tcp[%s]",
+ so->so_tcpcb?tcpstates[so->so_tcpcb->t_state]:"NONE");
while (n < 17)
buff[n++] = " ";
buff[17] = 0;
@@ -313,7 +314,7 @@
for (so = udb.so_next; so != &udb; so = so->so_next) {
- n = sprintf(buff, "udp[%d sec]", (so->so_expire - curtime) / 1000);
+ n = snprintf(buff, sizeof(buff), "udp[%d sec]", (so->so_expire - curtime) / 1000);
while (n < 17)
buff[n++] = " ";
buff[17] = 0;
diff -NurbB slirp-1.0.14pre1/src/ip_icmp.c slirp-1.0.14pre1-new/src/ip_icmp.c
--- slirp-1.0.14pre1/src/ip_icmp.c 1999-08-14 14:47:23.000000000 -0700
+++ slirp-1.0.14pre1-new/src/ip_icmp.c 2004-06-20 15:25:31.000000000 -0700
@@ -229,8 +229,8 @@
ip = mtod(msrc, struct ip *);
#if DEBUG
{ char bufa[20], bufb[20];
- strcpy(bufa, inet_ntoa(ip->ip_src));
- strcpy(bufb, inet_ntoa(ip->ip_dst));
+ strncpy(bufa, inet_ntoa(ip->ip_src), sizeof(bufa));
+ strncpy(bufb, inet_ntoa(ip->ip_dst), sizeof(bufb));
DEBUG_MISC((dfd, " %.16s to %.16s\n", bufa, bufb));
}
#endif
diff -NurbB slirp-1.0.14pre1/src/main.c slirp-1.0.14pre1-new/src/main.c
--- slirp-1.0.14pre1/src/main.c 2001-03-25 19:38:24.000000000 -0800
+++ slirp-1.0.14pre1-new/src/main.c 2004-06-20 15:09:22.000000000 -0700
@@ -141,14 +141,14 @@
}
}
strcpy(buff, "/tmp/");
- strcat(buff, username);
+ strncat(buff, username, sizeof(buff)-6);
socket_path = strdup(buff);
#else
if ((bptr = (char *)getenv("HOME")) == NULL) {
lprint("Error: can"t find your HOME\n");
slirp_exit(1);
}
- strcpy(buff, bptr);
+ strncpy(buff, bptr, sizeof(buff));
strcat(buff, "/.slirp_socket");
socket_path = strdup(buff);
#endif
@@ -253,6 +253,7 @@
slirp_exit(1);
}
sock_un.sun_family = AF_UNIX;
+ /* TODO: perform length checking here */
strcpy(sock_un.sun_path, socket_path);
ret = connect(s, (struct sockaddr *)&sock_un,
sizeof(sock_un.sun_family) + sizeof(sock_un.sun_path));
@@ -275,11 +276,11 @@
if (slirp_socket_passwd) {
/* Internet connection */
- sprintf(buff, "%d %d %s", unit, 0, slirp_socket_passwd);
+ snprintf(buff, sizeof(buff), "%d %d %s", unit, 0, slirp_socket_passwd);
}
#ifndef NO_UNIX_SOCKETS
else {
- sprintf(buff, "%d %d %s", unit, (int)getpid(), ttyname(0));
+ snprintf(buff, sizeof(buff), "%d %d %s", unit, (int)getpid(), ttyname(0));
}
#endif
write(s, buff, strlen(buff)+1);
@@ -350,16 +351,21 @@
getouraddr();
if ((bptr = (char *)getenv("HOME")) != NULL) {
- strcpy(buff, bptr);
+ strncpy(buff, bptr, sizeof(buff));
#ifdef USE_PPP
path_upap = (char *)malloc(strlen(buff) + 15);
+ /* TODO: perform length checking */
strcpy(path_upap, buff);
+ /* TODO: perform length checking */
strcat(path_upap, "/.pap-secrets");
path_chap = (char *)malloc(strlen(buff) + 15);
+ /* TODO: perform length checking */
strcpy(path_chap, buff);
+ /* TODO: perform length checking */
strcat(path_chap, "/.chap-secrets");
#endif
+ /* TODO: perform length checking */
strcat(buff, "/.slirprc");
config(buff, ttys->unit);
}
@@ -963,11 +969,11 @@
#endif
sprintf(buff2, "SLIP, MTU %d, MRU %d", if_mtu, if_mru);
#ifndef FULL_BOLT
- sprintf(buff,
+ snprintf(buff, sizeof(buff),
"1 Attached as unit %d, device %s\r\n\r\n[talking %s, %d baud]\r\n\r\nSLiRP Ready...",
unit, device?device:"(socket)", buff2, ttyp->baud);
#else
- sprintf(buff,
+ snprintf(buff, sizeof(buff),
"1 Attached as unit %d, device %s\r\n\r\n[talking %s]\r\n\r\nSLiRP Ready ...",
unit, device, buff2);
#endif
diff -NurbB slirp-1.0.14pre1/src/misc.c slirp-1.0.14pre1-new/src/misc.c
--- slirp-1.0.14pre1/src/misc.c 2000-09-09 10:48:43.000000000 -0700
+++ slirp-1.0.14pre1-new/src/misc.c 2004-06-20 15:31:28.000000000 -0700
@@ -359,10 +359,10 @@
if (x_port >= 0) {
#ifdef HAVE_SETENV
- sprintf(buff, "%s:%d.%d", inet_ntoa(our_addr), x_port, x_screen);
+ snprintf(buff, sizeof(buff), "%s:%d.%d", inet_ntoa(our_addr), x_port, x_screen);
setenv("DISPLAY", buff, 1);
#else
- sprintf(buff, "DISPLAY=%s:%d.%d", inet_ntoa(our_addr), x_port, x_screen);
+ snprintf(buff, sizeof(buff), "DISPLAY=%s:%d.%d", inet_ntoa(our_addr), x_port, x_screen);
putenv(buff);
#endif
}
@@ -392,13 +392,14 @@
} while (c);
argv[i] = 0;
+ /* TODO: is this safe? see execlp comment below. */
execvp(argv[0], argv);
/* Ooops, failed, let"s tell the user why */
{
char buff[256];
- sprintf(buff, "Error: execvp of %s failed: %s\n",
+ snprintf(buff, sizeof(buff), "Error: execvp of %s failed: %s\n",
argv[0], strerror(errno));
write(2, buff, strlen(buff)+1);
}
@@ -471,7 +472,7 @@
sock_in.sin_port = htons(slirp_socket_port);
if (connect(s, (struct sockaddr *)&sock_in, sizeof(sock_in)) != 0)
slirp_exit(1); /* just exit...*/
- sprintf(buff, "kill %s:%d", slirp_socket_passwd, slirp_socket_unit);
+ snprintf(buff, sizeof(buff), "kill %s:%d", slirp_socket_passwd, slirp_socket_unit);
write(s, buff, strlen(buff)+1);
}
#ifndef NO_UNIX_SOCKETS
@@ -881,10 +882,10 @@
/* Set the DISPLAY */
if (x_port >= 0) {
#ifdef HAVE_SETENV
- sprintf(buff, "%s:%d.%d", inet_ntoa(our_addr), x_port, x_screen);
+ snprintf(buff, sizeof(buff), "%s:%d.%d", inet_ntoa(our_addr), x_port, x_screen);
setenv("DISPLAY", buff, 1);
#else
- sprintf(buff, "DISPLAY=%s:%d.%d", inet_ntoa(our_addr), x_port, x_screen);
+ snprintf(buff, sizeof(buff), "DISPLAY=%s:%d.%d", inet_ntoa(our_addr), x_port, x_screen);
putenv(buff);
#endif
}
@@ -895,6 +896,10 @@
for (s = 3; s <= 255; s++)
close(s);
+ /* TODO: This type of exec is very dangerous if this process is privileged in any way.
+ * A user could escalate privileges by subverting the $PATH, and having an rsh
+ * binary of their own making get executed.
+ */
execlp("rsh","rsh","-l", user, host, args, NULL);
/* Ooops, failed, let"s tell the user why */
diff -NurbB slirp-1.0.14pre1/src/options.c slirp-1.0.14pre1-new/src/options.c
--- slirp-1.0.14pre1/src/options.c 1998-12-05 19:30:54.000000000 -0800
+++ slirp-1.0.14pre1-new/src/options.c 2004-06-20 15:24:28.000000000 -0700
@@ -635,8 +635,8 @@
if (!buff) {
buff1[0] = 0;
if ((bptr = (char *)getenv("HOME")) != NULL)
- strcpy(buff1, bptr);
- strcat(buff1, "/.slirp_start");
+ strncpy(buff1, bptr, sizeof(buff1));
+ strncat(buff1, "/.slirp_start", sizeof(buff1));
lfd = fopen(buff1, "w");
bptr = buff1;
} else {
@@ -717,7 +717,7 @@
/* Found a match, print the help */
count++;
if (cfg[i].command_line)
- sprintf(str, "Command-line: %s\r\n", cfg[i].command_line);
+ snprintf(str, sizeof(str), "Command-line: %s\r\n", cfg[i].command_line);
else
str[0] = 0;
if (cfg[i].type == CFG_TELNET)
@@ -961,6 +961,7 @@
/* Create a new one */
sock_un.sun_family = AF_UNIX;
+ /* TODO: length check */
strcpy(sock_un.sun_path, socket_path);
if ((bind(s, (struct sockaddr *)&sock_un,
sizeof(sock_un.sun_family) + sizeof(sock_un.sun_path)) < 0) ||
diff -NurbB slirp-1.0.14pre1/src/ppp/auth.c slirp-1.0.14pre1-new/src/ppp/auth.c
--- slirp-1.0.14pre1/src/ppp/auth.c 1999-10-22 18:33:59.000000000 -0700
+++ slirp-1.0.14pre1-new/src/ppp/auth.c 2004-06-20 15:21:37.000000000 -0700
@@ -325,8 +325,10 @@
lcp_options *ao = &lcp_allowoptions[0];
/* Default our_name to hostname, and user to our_name */
+ /* TODO: check lengths */
if (our_name[0] == 0 || usehostname)
strcpy(our_name, hostname);
+ /* TODO: check lengths */
if (user[0] == 0)
strcpy(user, our_name);
@@ -884,6 +886,7 @@
* Special syntax: @filename means read secret from file.
*/
if (word[0] == "@") {
+ /* TODO: check lengths */
strcpy(atfile, word+1);
if ((sf = fopen(atfile, "r")) == NULL) {
do_syslog(LOG_WARNING, "can"t open indirect secret file %s",
@@ -899,6 +902,7 @@
}
fclose(sf);
}
+ /* TODO: check lengths */
if (secret != NULL)
strcpy(secret, word);
@@ -918,6 +922,7 @@
if (ap == NULL)
novm("authorized addresses");
ap->next = NULL;
+ /* TODO: check lengths */
strcpy(ap->word, word);
if (addr_list == NULL)
addr_list = ap;
diff -NurbB slirp-1.0.14pre1/src/ppp/chap.c slirp-1.0.14pre1-new/src/ppp/chap.c
--- slirp-1.0.14pre1/src/ppp/chap.c 1995-09-17 04:26:48.000000000 -0700
+++ slirp-1.0.14pre1-new/src/ppp/chap.c 2004-06-19 19:08:59.000000000 -0700
@@ -653,7 +653,7 @@
char msg[256];
if (code == CHAP_SUCCESS)
- sprintf(msg, "Welcome to %s.", hostname);
+ snprintf(msg, sizeof(msg), "Welcome to %s.", hostname);
else
sprintf(msg, "I don"t like you. Go "way.");
msglen = strlen(msg);
diff -NurbB slirp-1.0.14pre1/src/ppp/ipcp.c slirp-1.0.14pre1-new/src/ppp/ipcp.c
--- slirp-1.0.14pre1/src/ppp/ipcp.c 1995-09-17 04:30:24.000000000 -0700
+++ slirp-1.0.14pre1-new/src/ppp/ipcp.c 2004-06-20 15:22:57.000000000 -0700
@@ -1091,9 +1091,9 @@
char strspeed[32], strlocal[32], strremote[32];
char *argv[8];
- sprintf(strspeed, "%d", baud_rate);
- strcpy(strlocal, ip_ntoa(ipcp_gotoptions[f->unit].ouraddr));
- strcpy(strremote, ip_ntoa(ipcp_hisoptions[f->unit].hisaddr));
+ snprintf(strspeed, sizeof(strspeed), "%d", baud_rate);
+ strncpy(strlocal, ip_ntoa(ipcp_gotoptions[f->unit].ouraddr), sizeof(strlocal));
+ strncpy(strremote, ip_ntoa(ipcp_hisoptions[f->unit].hisaddr), sizeof(strremote));
argv[0] = script;
argv[1] = ifname;
diff -NurbB slirp-1.0.14pre1/src/tcp_subr.c slirp-1.0.14pre1-new/src/tcp_subr.c
--- slirp-1.0.14pre1/src/tcp_subr.c 2000-08-30 17:38:32.000000000 -0700
+++ slirp-1.0.14pre1-new/src/tcp_subr.c 2004-06-20 15:27:29.000000000 -0700
@@ -730,7 +730,7 @@
if (*ptr++ == 0) {
n++;
if (n == 2) {
- sprintf(args, "rlogin -l %s %s",
+ snprintf(args, sizeof(args), "rlogin -l %s %s",
ptr, inet_ntoa(so->so_faddr));
} else if (n == 3) {
i2 = so_rcv->sb_wptr - ptr;
@@ -738,9 +738,9 @@
if (ptr[i] == "/") {
ptr[i] = 0;
#ifdef HAVE_SETENV
- sprintf(term, "%s", ptr);
+ snprintf(term, sizeof(term), "%s", ptr);
#else
- sprintf(term, "TERM=%s", ptr);
+ snprintf(term, sizeof(term), "TERM=%s", ptr);
#endif
ptr[i] = "/";
break;
@@ -1012,6 +1012,7 @@
n4 = (laddr & 0xff);
m->m_len = bptr - m->m_data; /* Adjust length */
+ /* TODO: length check */
m->m_len += sprintf(bptr,"ORT %d,%d,%d,%d,%d,%d\r\n%s",
n1, n2, n3, n4, n5, n6, x==7?buff:"");
return 1;
@@ -1043,6 +1044,7 @@
n4 = (laddr & 0xff);
m->m_len = bptr - m->m_data; /* Adjust length */
+ /* TODO: length check */
m->m_len += sprintf(bptr,"27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
n1, n2, n3, n4, n5, n6, x==7?buff:"");
@@ -1084,6 +1086,7 @@
return 1;
m->m_len = bptr - m->m_data; /* Adjust length */
+ /* TODO: length check */
m->m_len += sprintf(bptr, "DCC CHAT chat %lu %u%c\n",
(unsigned long)ntohl(so->so_faddr.s_addr),
ntohs(so->so_fport), 1);
@@ -1092,6 +1095,7 @@
return 1;
m->m_len = bptr - m->m_data; /* Adjust length */
+ /* TODO: length check */
m->m_len += sprintf(bptr, "DCC SEND %s %lu %u %u%c\n",
buff, (unsigned long)ntohl(so->so_faddr.s_addr),
ntohs(so->so_fport), n1, 1);
@@ -1100,6 +1104,7 @@
return 1;
m->m_len = bptr - m->m_data; /* Adjust length */
+ /* TODO: length check */
m->m_len += sprintf(bptr, "DCC MOVE %s %lu %u %u%c\n",
buff, (unsigned long)ntohl(so->so_faddr.s_addr),
ntohs(so->so_fport), n1, 1);
diff -NurbB slirp-1.0.14pre1/src/ttys.c slirp-1.0.14pre1-new/src/ttys.c
--- slirp-1.0.14pre1/src/ttys.c 2001-03-25 19:40:20.000000000 -0800
+++ slirp