File 0011-check-prevent-various-buffer-overflows.patch of Package sblim-sfcb
From 5bd0849109748dc6cdb4fcf84c2ec8719514158c Mon Sep 17 00:00:00 2001
From: =?utf-8?q?Klaus=20K=C3=A4mpf?= <kkaempf@suse.de>
Date: Wed, 22 Oct 2008 11:47:58 +0200
Subject: [PATCH] check/prevent various buffer overflows
---
msgqueue.c | 3 ++-
providerRegister.c | 4 ++--
support.c | 30 +++++++++++++++++++++++++-----
3 files changed, 29 insertions(+), 8 deletions(-)
diff --git a/msgqueue.c b/msgqueue.c
index 8834052..f08cf13 100644
--- a/msgqueue.c
+++ b/msgqueue.c
@@ -697,6 +697,7 @@ void localConnectServer()
}
/* any other error, just return (should probably be more graceful) */
else {
+ perror("Other accept error");
return;
}
}
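Review bot: The added `perror("Other accept error");` writes to stderr, while the support.c hunks in this same patch report errors through `mlogf(M_ERROR,M_SHOW,...)`. If this code runs as a daemon with stderr closed or redirected, the message may never be seen. If mlogf is usable in msgqueue.c (not visible here), something like `mlogf(M_ERROR,M_SHOW,"--- localConnectServer: accept error: %s\n",strerror(errno));` would keep the logging consistent. The message is only accurate if nothing between the failing call and this branch resets errno; that code is outside the hunk.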
diff --git a/providerRegister.c b/providerRegister.c
index 8ad6faf..3671b4c 100644
--- a/providerRegister.c
+++ b/providerRegister.c
@@ -130,7 +130,7 @@ ProviderRegister *newProviderRegister(char *fn)
dir = "/var/lib/sfcb/registration";
}
- strcpy(fin, dir);
+ strncpy(fin, dir, sizeof(fin)-18); /* 18 = strlen("/providerRegister")+1 */
strcat(fin, "/providerRegister");
in = fopen(fin, "r");
if (in == NULL)
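Review bot: `strncpy(fin, dir, sizeof(fin)-18)` does not write a terminating NUL when dir is at least that long, so the following `strcat` scans past the copied bytes for a terminator and can still write outside fin, unless fin is zero-filled beforehand, which the hunk does not show. Where the copy does fit, a long dir is silently cut and fopen is tried on a different path than the one configured. Build the path in one bounded step and treat truncation as an error: `int n = snprintf(fin, sizeof(fin), "%s/providerRegister", dir);` followed by `if (n < 0 || (size_t)n >= sizeof(fin))` and the function's normal failure path. This also removes the hand-counted 18. Both this change and the `fgets(fin, sizeof(fin), in)` hunk below are only correct if fin is an array rather than a pointer; its declaration is outside the hunks.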
@@ -144,7 +144,7 @@ ProviderRegister *newProviderRegister(char *fn)
bb->ht = UtilFactory->newHashTable(61,
UtilHashTable_charKey | UtilHashTable_ignoreKeyCase);
- while (fgets(fin, 1024, in)) {
+ while (fgets(fin, sizeof(fin), in)) {
n++;
if (stmt) free(stmt);
stmt = strdup(fin);
diff --git a/support.c b/support.c
index 2f53812..144b4f7 100644
--- a/support.c
+++ b/support.c
@@ -52,7 +52,11 @@ int localClientMode=0; /**< flag determining whether local client connect
void *loadLibib(const char *libname)
{
char filename[255];
- sprintf(filename, "lib%s.so", libname);
+ if (snprintf(filename, 255, "lib%s.so", libname) >= 255)
+ {
+ mlogf(M_ERROR,M_SHOW,"--- loadLibib: output truncated\n");
+ return NULL;
+ }
return dlopen(filename, RTLD_LAZY);
}
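Review bot: The truncation test `>= 255` misses a negative return from snprintf, and the size is a repeated literal rather than `sizeof(filename)`, so the check silently goes stale if the array is ever resized. Prefer `int n = snprintf(filename, sizeof(filename), "lib%s.so", libname);` followed by `if (n < 0 || (size_t)n >= sizeof(filename))`. The same pattern appears in the getGenericEntryPoint, getFixedEntryPoint and tool_mm_load_lib hunks that follow. The length check also says nothing about the contents of libname: if it can come from registration data (not visible here), a name containing `/` makes dlopen treat the result as a path instead of searching the library path, so rejecting such names before the call is worth considering.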
@@ -61,7 +65,11 @@ static void *getGenericEntryPoint(void *library, const char *ptype)
{
char entry_point[255];
void *sym;
- sprintf(entry_point, "_Generic_Create_%sMI", ptype);
+ if (snprintf(entry_point, 255, "_Generic_Create_%sMI", ptype) >= 255)
+ {
+ mlogf(M_ERROR,M_SHOW,"--- getGenericEntryPoint: output truncated\n");
+ return NULL;
+ }
sym = dlsym(library, entry_point);
return sym;
}
@@ -72,7 +80,11 @@ static void *getFixedEntryPoint(const char *provider,
{
char entry_point[255];
void *sym;
- sprintf(entry_point, "%s_Create_%sMI", provider, ptype);
+ if (snprintf(entry_point, 255, "%s_Create_%sMI", provider, ptype) >= 255)
+ {
+ mlogf(M_ERROR,M_SHOW,"--- getFixedEntryPoint: output truncated\n");
+ return NULL;
+ }
sym = dlsym(library, entry_point);
return sym;
}
@@ -366,7 +378,11 @@ int memAdd(void *ptr, int *memId);
void *tool_mm_load_lib(const char *libname)
{
char filename[255];
- sprintf(filename, "lib%s.so", libname);
+ if (snprintf(filename, 255, "lib%s.so", libname) >= 255)
+ {
+ mlogf(M_ERROR,M_SHOW,"--- tool_mm_load_lib: output truncated\n");
+ return NULL;
+ }
return dlopen(filename, RTLD_LAZY);
}
@@ -919,7 +935,11 @@ void dumpTiming(int pid)
if (collectStat==0) return;
- sprintf(buffer,"/proc/%d/stat",pid);
+ if (snprintf(buffer,4096,"/proc/%d/stat",pid) >= 4096)
+ {
+ mlogf(M_ERROR,M_SHOW,"--- dumpTiming: output truncated\n");
+ return;
+ }
f=fopen(buffer,"r");
l=fread(buffer,1,4095,f);
fclose(f);
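Review bot: The result of `fopen(buffer,"r")` is still passed unchecked to `fread` and `fclose` right after the new snprintf check. If the process has already exited or /proc is unavailable, f is NULL and this is undefined behaviour; add `if (f == NULL) return;` after the fopen. The added truncation branch cannot trigger for `"/proc/%d/stat"` in a 4096-byte buffer, so it is harmless, but `sizeof(buffer)` would be safer than the literal 4096 if buffer is an array (its declaration is outside the hunk). Whether buffer is NUL-terminated at index l after the fread is also decided outside the hunk and worth confirming.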
--
1.6.0.2