
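--- a/dhcp-3.0.1rc13/RELNOTES
+++ b/dhcp-3.0.1rc13/RELNOTES
@@ -43,6 +43,27 @@
 thanks to all of these good people here, both for working on the code
 and for prodding me into improving it.
 
+			Changes since 3.0.1rc13
+
+! CAN-2004-0460 - CERT VU#317350: Five stack overflow exploits were closed
+  in logging messages with excessively long hostnames provided by the
+  clients.  It is highly probable that these could have been used by
+  attackers to gain arbitrary root access on systems using ISC DHCP.
+  Special thanks to Gregory Duchemin for both finding and solving the
+  problem.
+
+! CAN-2004-0461 - CERT VU#654390: Once the above was closed, an opening
+  in log_*() functions was evidented, on some specific platforms where
+  vsnprintf() was not believed to be available and calls were wrapped to
+  sprintf() instead.  Again, credit goes to Gregory Duchemin for finding
+  the problem.  Calls to snprintf() are now linked to a distribution-local
+  snprintf implementation, only in those cases where the architecture is
+  not known to provide one (see includes/cf/[arch].h).  If you experience
+  linking problems with snprintf/vsnprintf or 'isc_print_' functions, this
+  is where to look.
+
+- 'The cross-compile bug fix' was backed out.
+
 			Changes since 3.0.1rc12
 
 - Fixed a bug in omapi lease lookup function, to form the hardware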
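--- a/dhcp-3.0.1rc13/common/bpf.c
+++ b/dhcp-3.0.1rc13/common/bpf.c
@@ -103,11 +90,7 @@
 
 	/* Open a BPF device */
 	for (b = 0; 1; b++) {
-#ifndef NO_SNPRINTF
 		snprintf(filename, sizeof(filename), BPF_FORMAT, b);
-#else
-		sprintf(filename, BPF_FORMAT, b);
-#endif
 		sock = open (filename, O_RDWR, 0);
 		if (sock < 0) {
 			if (errno == EBUSY) {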
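--- a/dhcp-3.0.1rc13/common/dns.c
+++ b/dhcp-3.0.1rc13/common/dns.c
@@ -539,15 +530,10 @@
 
 	if (ddns_addr.len != 4)
 		return ISC_R_INVALIDARG;
-#ifndef NO_SNPRINTF
+
 	snprintf (ddns_address, 16, "%d.%d.%d.%d",
 		  ddns_addr.iabuf[0], ddns_addr.iabuf[1],
 		  ddns_addr.iabuf[2], ddns_addr.iabuf[3]);
-#else
-	sprintf (ddns_address, "%d.%d.%d.%d",
-		 ddns_addr.iabuf[0], ddns_addr.iabuf[1],
-		 ddns_addr.iabuf[2], ddns_addr.iabuf[3]);
-#endif
 
 	/*
 	 * When a DHCP client or server intends to update an A RR, it first
@@ -793,16 +779,9 @@
 	if (ddns_addr.len != 4)
 		return ISC_R_INVALIDARG;
 
-#ifndef NO_SNPRINTF
 	snprintf (ddns_address, 16, "%d.%d.%d.%d",
 		  ddns_addr.iabuf[0], ddns_addr.iabuf[1],
 		  ddns_addr.iabuf[2], ddns_addr.iabuf[3]);
-#else
-	sprintf (ddns_address, "%d.%d.%d.%d",
-		 ddns_addr.iabuf[0], ddns_addr.iabuf[1],
-		 ddns_addr.iabuf[2], ddns_addr.iabuf[3]);
-#endif
-
 
 	/*
 	 * The entity chosen to handle the A record for this client (either the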
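--- a/dhcp-3.0.1rc13/common/iscprint.c
+++ b/dhcp-3.0.1rc13/common/iscprint.c
@@ -0,0 +1,539 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: iscprint.c,v 1.1.2.1 2004/06/14 21:09:22 dhankins Exp $ */
+
+#include "dhcpd.h"
+
+#ifdef NO_SNPRINTF
+
+#ifndef LINT
+static char copyright[] =
+"$Id: iscprint.c,v 1.1.2.1 2004/06/14 21:09:22 dhankins Exp $ Copyright (c) 2004 Internet Systems Consortium, Inc.  All rights reserved.";
+#endif
+
+#define INSIST(cond)	REQUIRE(cond)
+#define REQUIRE(cond)	if (!(cond)) { return 0; }
+
+/*
+ * Return length of string that would have been written if not truncated.
+ */
+
+int
+isc_print_snprintf(char *str, size_t size, const char *format, ...) {
+	va_list ap;
+	int ret;
+
+	va_start(ap, format);
+	ret = vsnprintf(str, size, format, ap);
+	va_end(ap);
+	return (ret);
+}
+
+/*
+ * Return length of string that would have been written if not truncated.
+ */
+
+int
+isc_print_vsnprintf(char *str, size_t size, const char *format, va_list ap) {
+	int h;
+	int l;
+	int q;
+	int alt;
+	int zero;
+	int left;
+	int plus;
+	int space;
+	int neg;
+	isc_int64_t tmpi;
+	isc_uint64_t tmpui;
+	unsigned long width;
+	unsigned long precision;
+	unsigned int length;
+	char buf[1024];
+	char c;
+	void *v;
+	char *save = str;
+	const char *cp;
+	const char *head;
+	int count = 0;
+	int pad;
+	int zeropad;
+	int dot;
+	double dbl;
+#ifdef HAVE_LONG_DOUBLE
+	long double ldbl;
+#endif
+	char fmt[32];
+
+	INSIST(str != NULL);
+	INSIST(format != NULL);
+
+	while (*format != '\0') {
+		if (*format != '%') {
+			if (size > 1) {
+				*str++ = *format;
+				size--;
+			}
+			count++;
+			format++;
+			continue;
+		}
+		format++;
+
+		/*
+		 * Reset flags.
+		 */
+		dot = neg = space = plus = left = zero = alt = h = l = q = 0;
+		width = precision = 0;
+		head = "";
+		length = pad = zeropad = 0;
+
+		do {
+			if (*format == '#') {
+				alt = 1;
+				format++;
+			} else if (*format == '-') {
+				left = 1;
+				zero = 0;
+				format++;
+			} else if (*format == ' ') {
+				if (!plus)
+					space = 1;
+				format++;
+			} else if (*format == '+') {
+				plus = 1;
+				space = 0;
+				format++;
+			} else if (*format == '0') {
+				if (!left)
+					zero = 1;
+				format++;
+			} else
+				break;
+		} while (1);
+
+		/*
+		 * Width.
+		 */
+		if (*format == '*') {
+			width = va_arg(ap, int);
+			format++;
+		} else if (isdigit((unsigned char)*format)) {
+			char *e;
+			width = strtoul(format, &e, 10);
+			format = e;
+		}
+
+		/*
+		 * Precision.
+		 */
+		if (*format == '.') {
+			format++;
+			dot = 1;
+			if (*format == '*') {
+				precision = va_arg(ap, int);
+				format++;
+			} else if (isdigit((unsigned char)*format)) {
+				char *e;
+				precision = strtoul(format, &e, 10);
+				format = e;
+			}
+		}
+
+		switch (*format) {
+		case '\0':
+			continue;
+		case '%':
+			if (size > 1) {
+				*str++ = *format;
+				size--;
+			}
+			count++;
+			break;
+		case 'q':
+			q = 1;
+			format++;
+			goto doint;
+		case 'h':
+			h = 1;
+			format++;
+			goto doint;
+		case 'l':
+			l = 1;
+			format++;
+			if (*format == 'l') {
+				q = 1;
+				format++;
+			}
+			goto doint;
+		case 'n':
+		case 'i':
+		case 'd':
+		case 'o':
+		case 'u':
+		case 'x':
+		case 'X':
+		doint:
+			if (precision != 0)
+				zero = 0;
+			switch (*format) {
+			case 'n':
+				if (h) {
+					short int *p;
+					p = va_arg(ap, short *);
+					REQUIRE(p != NULL);
+					*p = str - save;
+				} else if (l) {
+					long int *p;
+					p = va_arg(ap, long *);
+					REQUIRE(p != NULL);
+					*p = str - save;
+				} else {
+					int *p;
+					p = va_arg(ap, int *);
+					REQUIRE(p != NULL);
+					*p = str - save;
+				}
+				break;
+			case 'i':
+			case 'd':
+				if (q)
+					tmpi = va_arg(ap, isc_int64_t);
+				else if (l)
+					tmpi = va_arg(ap, long int);
+				else
+					tmpi = va_arg(ap, int);
+				if (tmpi < 0) {
+					head = "-";
+					tmpui = -tmpi;
+				} else {
+					if (plus)
+						head = "+";
+					else if (space)
+						head = " ";
+					else
+						head = "";
+					tmpui = tmpi;
+				}
+				sprintf(buf, "%u", tmpui);
+				goto printint;
+			case 'o':
+				if (q)
+					tmpui = va_arg(ap, isc_uint64_t);
+				else if (l)
+					tmpui = va_arg(ap, long int);
+				else
+					tmpui = va_arg(ap, int);
+				sprintf(buf, alt ? "%#o"
+						 : "%o", tmpui);
+				goto printint;
+			case 'u':
+				if (q)
+					tmpui = va_arg(ap, isc_uint64_t);
+				else if (l)
+					tmpui = va_arg(ap, unsigned long int);
+				else
+					tmpui = va_arg(ap, unsigned int);
+				sprintf(buf, "%u", tmpui);
+				goto printint;
+			case 'x':
+				if (q)
+					tmpui = va_arg(ap, isc_uint64_t);
+				else if (l)
+					tmpui = va_arg(ap, unsigned long int);
+				else
+					tmpui = va_arg(ap, unsigned int);
+				if (alt) {
+					head = "0x";
+					if (precision > 2)
+						precision -= 2;
+				}
+				sprintf(buf, "%x", tmpui);
+				goto printint;
+			case 'X':
+				if (q)
+					tmpui = va_arg(ap, isc_uint64_t);
+				else if (l)
+					tmpui = va_arg(ap, unsigned long int);
+				else
+					tmpui = va_arg(ap, unsigned int);
+				if (alt) {
+					head = "0X";
+					if (precision > 2)
+						precision -= 2;
+				}
+				sprintf(buf, "%X", tmpui);
+				goto printint;
+			printint:
+				if (precision != 0 || width != 0) {
+					length = strlen(buf);
+					if (length < precision)
+						zeropad = precision - length;
+					else if (length < width && zero)
+						zeropad = width - length;
+					if (width != 0) {
+						pad = width - length -
+						      zeropad - strlen(head);
+						if (pad < 0)
+							pad = 0;
+					}
+				}
+				count += strlen(head) + strlen(buf) + pad +
+					 zeropad;
+				if (!left) {
+					while (pad > 0 && size > 1) {
+						*str++ = ' ';
+						size--;
+						pad--;
+					}
+				}
+				cp = head;
+				while (*cp != '\0' && size > 1) {
+					*str++ = *cp++;
+					size--;
+				}
+				while (zeropad > 0 && size > 1) {
+					*str++ = '0';
+					size--;
+					zeropad--;
+				}
+				cp = buf;
+				while (*cp != '\0' && size > 1) {
+					*str++ = *cp++;
+					size--;
+				}
+				while (pad > 0 && size > 1) {
+					*str++ = ' ';
+					size--;
+					pad--;
+				}
+				break;
+			default:
+				break;
+			}
+			break;
+		case 's':
+			cp = va_arg(ap, char *);
+			REQUIRE(cp != NULL);
+
+			if (precision != 0) {
+				/*
+				 * cp need not be NULL terminated.
+				 */
+				const char *tp;
+				unsigned long n;
+
+				n = precision;
+				tp = cp;
+				while (n != 0 && *tp != '\0')
+					n--, tp++;
+				length = precision - n;
+			} else {
+				length = strlen(cp);
+			}
+			if (width != 0) {
+				pad = width - length;
+				if (pad < 0)
+					pad = 0;
+			}
+			count += pad + length;
+			if (!left)
+				while (pad > 0 && size > 1) {
+					*str++ = ' ';
+					size--;
+					pad--;
+				}
+			if (precision != 0)
+				while (precision > 0 && *cp != '\0' &&
+				       size > 1) {
+					*str++ = *cp++;
+					size--;
+					precision--;
+				}
+			else
+				while (*cp != '\0' && size > 1) {
+					*str++ = *cp++;
+					size--;
+				}
+			while (pad > 0 && size > 1) {
+				*str++ = ' ';
+				size--;
+				pad--;
+			}
+			break;
+		case 'c':
+			c = va_arg(ap, int);
+			if (width > 0) {
+				count += width;
+				width--;
+				if (left) {
+					*str++ = c;
+					size--;
+				}
+				while (width-- > 0 && size > 1) {
+					*str++ = ' ';
+					size--;
+				}
+				if (!left && size > 1) {
+					*str++ = c;
+					size--;
+				}
+			} else {
+				count++;
+				if (size > 1) {
+					*str++ = c;
+					size--;
+				}
+			}
+			break;
+		case 'p':
+			v = va_arg(ap, void *);
+			sprintf(buf, "%p", v);
+			length = strlen(buf);
+			if (precision > length)
+				zeropad = precision - length;
+			if (width > 0) {
+				pad = width - length - zeropad;
+				if (pad < 0)
+					pad = 0;
+			}
+			count += length + pad + zeropad;
+			if (!left)
+				while (pad > 0 && size > 1) {
+					*str++ = ' ';
+					size--;
+					pad--;
+				}
+			cp = buf;
+			if (zeropad > 0 && buf[0] == '0' &&
+			    (buf[1] == 'x' || buf[1] == 'X')) {
+				if (size > 1) {
+					*str++ = *cp++;
+					size--;
+				}
+				if (size > 1) {
+					*str++ = *cp++;
+					size--;
+				}
+				while (zeropad > 0 && size > 1) {
+					*str++ = '0';
+					size--;
+					zeropad--;
+				}
+			}
+			while (*cp != '\0' && size > 1) {
+				*str++ = *cp++;
+				size--;
+			}
+			while (pad > 0 && size > 1) {
+				*str++ = ' ';
+				size--;
+				pad--;
+			}
+			break;
+		case 'D':	/*deprecated*/
+			INSIST("use %ld instead of %D" == NULL);
+		case 'O':	/*deprecated*/
+			INSIST("use %lo instead of %O" == NULL);
+		case 'U':	/*deprecated*/
+			INSIST("use %lu instead of %U" == NULL);
+
+		case 'L':
+#ifdef HAVE_LONG_DOUBLE
+			l = 1;
+#else
+			INSIST("long doubles are not supported" == NULL);
+#endif
+			/*FALLTHROUGH*/
+		case 'e':
+		case 'E':
+		case 'f':
+		case 'g':
+		case 'G':
+			if (!dot)
+				precision = 6;
+			/*
+			 * IEEE floating point.
+			 * MIN 2.2250738585072014E-308
+			 * MAX 1.7976931348623157E+308
+			 * VAX floating point has a smaller range than IEEE.
+			 *
+			 * precisions > 324 don't make much sense.
+			 * if we cap the precision at 512 we will not
+			 * overflow buf.
+			 */
+			if (precision > 512)
+				precision = 512;
+			sprintf(fmt, "%%%s%s.%lu%s%c", alt ? "#" : "",
+				plus ? "+" : space ? " " : "",
+				precision, l ? "L" : "", *format);
+			switch (*format) {
+			case 'e':
+			case 'E':
+			case 'f':
+			case 'g':
+			case 'G':
+#ifdef HAVE_LONG_DOUBLE
+				if (l) {
+					ldbl = va_arg(ap, long double);
+					sprintf(buf, fmt, ldbl);
+				} else
+#endif
+				{
+					dbl = va_arg(ap, double);
+					sprintf(buf, fmt, dbl);
+				}
+				length = strlen(buf);
+				if (width > 0) {
+					pad = width - length;
+					if (pad < 0)
+						pad = 0;
+				}
+				count += length + pad;
+				if (!left)
+					while (pad > 0 && size > 1) {
+						*str++ = ' ';
+						size--;
+						pad--;
+					}
+				cp = buf;
+				while (*cp != ' ' && size > 1) {
+					*str++ = *cp++;
+					size--;
+				}
+				while (pad > 0 && size > 1) {
+					*str++ = ' ';
+					size--;
+					pad--;
+				}
+				break;
+			default:
+				continue;
+			}
+			break;
+		default:
+			continue;
+		}
+		format++;
+	}
+	if (size > 0)
+		*str = '\0';
+	return (count);
+}
+
+#endif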
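Review bot: In the `'c'` case of isc_print_vsnprintf the left-justified branch stores the character and decrements `size` with no `size > 1` test, unlike every other store in the function, so once the buffer is full the character lands in the byte reserved for the terminator, and a `size` of 0 wraps and lets the following loops write past `str`; the branch should read `if (left && size > 1) {`. The copy loop in the floating-point case tests `*cp != ' '` instead of the terminator, so it keeps reading beyond the formatted text in `buf` until it meets a space; the condition should be `while (*cp != '\0' && size > 1) {`. The integer cases pass the 64-bit `tmpui` to `sprintf` with `"%u"`, `"%o"`, `"%x"` and `"%X"`, which does not match the argument type and cannot print `q`/`ll` values correctly. When HAVE_LONG_DOUBLE is defined, the 512 precision cap is presumably not enough to keep a `%Lf` result inside `buf[1024]`, since the bound in the comment is worked out for IEEE double only.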
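--- a/dhcp-3.0.1rc13/omapip/Makefile.dist
+++ b/dhcp-3.0.1rc13/omapip/Makefile.dist
@@ -27,7 +32,8 @@
 OBJ    = protocol.o buffer.o alloc.o result.o connection.o errwarn.o \
 	 listener.o dispatch.o generic.o support.o handle.o message.o \
 	 convert.o hash.o auth.o inet_addr.o array.o trace.o mrtrace.o \
-	 toisc.o
+	 toisc.o ../common/iscprint.o
+# XXX: iscprint.o above is a kludge.
 
 MAN    = omapi.3
 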
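--- a/dhcp-3.0.1rc13/common/parse.c
+++ b/dhcp-3.0.1rc13/common/parse.c
@@ -4805,13 +4796,8 @@
 	unsigned i, lix;
 	
 	do_percentm (mbuf, fmt);
-#ifndef NO_SNPRINTF
 	snprintf (fbuf, sizeof fbuf, "%s line %d: %s",
 		  cfile -> tlname, cfile -> lexline, mbuf);
-#else
-	sprintf (fbuf, "%s line %d: %s",
-		 cfile -> tlname, cfile -> lexline, mbuf);
-#endif
 	
 	va_start (list, fmt);
 	vsnprintf (mbuf, sizeof mbuf, fbuf, list);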
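--- a/dhcp-3.0.1rc13/common/upf.c
+++ b/dhcp-3.0.1rc13/common/upf.c
@@ -88,11 +79,7 @@
 
 	/* Open a UPF device */
 	for (b = 0; 1; b++) {
-#ifndef NO_SNPRINTF
 		snprintf(filename, sizeof(filename), "/dev/pf/pfilt%d", b);
-#else
-		sprintf(filename, "/dev/pf/pfilt%d", b);
-#endif
 		sock = open (filename, O_RDWR, 0);
 		if (sock < 0) {
 			if (errno == EBUSY) {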
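--- a/dhcp-3.0.1rc13/includes/cf/linux.h
+++ b/dhcp-3.0.1rc13/includes/cf/linux.h
@@ -105,9 +96,6 @@
 #define VA_start(list, last) va_start (list, last)
 #define va_dcl
 
-#define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list)
-#define NO_SNPRINTF
-
 #define VOIDPTR	void *
 
 #define EOL	'\n'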
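--- a/dhcp-3.0.1rc13/includes/osdep.h
+++ b/dhcp-3.0.1rc13/includes/osdep.h
@@ -142,6 +133,14 @@
 # endif
 #endif
 
+/* snprintf/vsnprintf hacks.  for systems with no libc versions only. */
+#ifdef NO_SNPRINTF
+  extern int isc_print_snprintf(char *, size_t, const char *, ...);
+  extern int isc_print_vsnprintf(char *, size_t, const char *, va_list ap);
+# define snprintf  isc_print_snprintf
+# define vsnprintf isc_print_vsnprintf
+#endif
+
 /* Porting::
 
    If you add a new network API, and have it set up so that it can be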
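--- a/dhcp-3.0.1rc13/server/bootp.c
+++ b/dhcp-3.0.1rc13/server/bootp.c
@@ -77,7 +68,7 @@
 	if (packet -> raw -> op != BOOTREQUEST)
 		return;
 
-	sprintf (msgbuf, "BOOTREQUEST from %s via %s",
+	snprintf (msgbuf, sizeof msgbuf, "BOOTREQUEST from %s via %s",
 		 print_hw_addr (packet -> raw -> htype,
 				packet -> raw -> hlen,
 				packet -> raw -> chaddr),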
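--- a/dhcp-3.0.1rc13/server/db.c
+++ b/dhcp-3.0.1rc13/server/db.c
@@ -782,7 +773,7 @@
 
 	/* Make a temporary lease file... */
 	GET_TIME (&t);
-	sprintf (newfname, "%s.%d", path_dhcpd_db, (int)t);
+	snprintf (newfname, sizeof newfname, "%s.%d", path_dhcpd_db, (int)t);
 	db_fd = open (newfname, O_WRONLY | O_TRUNC | O_CREAT, 0664);
 	if (db_fd < 0) {
 		log_error ("Can't create new lease file: %m");
@@ -833,7 +824,7 @@
 	if (!trace_playback ()) {
 #endif
 	    /* Get the old database out of the way... */
-	    sprintf (backfname, "%s~", path_dhcpd_db);
+	    snprintf (backfname, sizeof backfname, "%s~", path_dhcpd_db);
 	    if (unlink (backfname) < 0 && errno != ENOENT) {
 		log_error ("Can't remove old lease database backup %s: %m",
 			   backfname);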
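Review bot: Neither new `snprintf` call checks its return value, so a `path_dhcpd_db` too long for `newfname` or `backfname` is now cut silently and the truncated name goes straight to `open (newfname, O_WRONLY | O_TRUNC | O_CREAT, 0664)` and `unlink (backfname)`, which can then act on a different file than intended, in the worst case the live lease file itself. Compare the result with the buffer size and leave through the function's failure path before touching the filesystem, e.g. `if ((unsigned) snprintf (backfname, sizeof backfname, "%s~", path_dhcpd_db) >= sizeof backfname)` followed by a `log_error`. `sizeof newfname` and `sizeof backfname` give the buffer size only if both are arrays declared in scope, which the hunks do not show.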
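--- a/dhcp-3.0.1rc13/server/ddns.c
+++ b/dhcp-3.0.1rc13/server/ddns.c
@@ -345,6 +336,12 @@
 					    &lease -> scope, oc, MDL);
 
 	if (s1 && s2) {
+		if (ddns_hostname.len + ddns_domainname.len > 253) {
+			log_error ("ddns_update: host.domain name too long");
+
+			goto out;
+		}
+
 		buffer_allocate (&ddns_fwd_name.buffer,
 				 ddns_hostname.len + ddns_domainname.len + 2,
 				 MDL);
@@ -449,6 +446,11 @@
 	if (!ddns_fwd_name.len)
 		goto out;
 
+	if (ddns_fwd_name.len > 255) {
+		log_error ("client provided fqdn: too long");
+		goto out;
+	}
+
 	/*
 	 * Compute the RR TTL.
 	 */
@@ -479,7 +481,13 @@
 					    packet -> options,
 					    state -> options,
 					    &lease -> scope, oc, MDL);
-	
+
+	if (d1.len > 238) {
+		log_error ("ddns_update: Calculated rev domain name too long.");
+		s1 = 0;
+		data_string_forget (&d1, MDL);
+	}
+
 	if (oc && s1) {
 		/* Buffer length:
 		   XXX.XXX.XXX.XXX.<ddns-rev-domain-name>\0 */
@@ -487,21 +495,14 @@
 				 d1.len + 17, MDL);
 		if (ddns_rev_name.buffer) {
 			ddns_rev_name.data = ddns_rev_name.buffer -> data;
-#ifndef NO_SNPRINTF
+
 			snprintf ((char *)ddns_rev_name.buffer -> data, 17,
 				  "%d.%d.%d.%d.",
 				  lease -> ip_addr . iabuf[3],
 				  lease -> ip_addr . iabuf[2],
 				  lease -> ip_addr . iabuf[1],
 				  lease -> ip_addr . iabuf[0]);
-#else
+
-			sprintf ((char *)ddns_rev_name.buffer -> data,
-				 "%d.%d.%d.%d.",
-				 lease -> ip_addr . iabuf[3],
-				 lease -> ip_addr . iabuf[2],
-				 lease -> ip_addr . iabuf[1],
-				 lease -> ip_addr . iabuf[0]);
-#endif
 			ddns_rev_name.len =
 				strlen ((const char *)ddns_rev_name.data);
 			data_string_append (&ddns_rev_name, &d1);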
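Review bot: The three new length limits (`> 253` on hostname plus domain, `> 255` on `ddns_fwd_name.len`, `> 238` on `d1.len`) are bare numbers with no comment, and the first two disagree on the maximum for what appears to be the same forward name. Each deserves a comment, for example `/* 238 = 255 - 17 bytes reserved below for "XXX.XXX.XXX.XXX." and the NUL */` if that is the intent, and the forward-name limit should be one named constant used at both sites. The `d1.len` test sits before `if (oc && s1)`, so it reads `d1` even when the evaluation did not succeed; that is safe only if `d1` is zeroed earlier in the function, which is outside the hunk. The first check leaves through `goto out` while the third calls `data_string_forget` itself, so it is worth confirming that the `out` path releases `ddns_hostname` and `ddns_domainname`.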
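--- a/dhcp-3.0.1rc13/server/dhcp.c
+++ b/dhcp-3.0.1rc13/server/dhcp.c
@@ -89,13 +80,8 @@
 		    packet -> packet_type < dhcp_type_name_max - 1) {
 			s = dhcp_type_names [packet -> packet_type - 1];
 		} else {
-#if defined (HAVE_SNPRINTF)
 			snprintf (typebuf, sizeof typebuf,
 				  "type %d", packet -> packet_type);
-#else
-			sprintf (typebuf, 
-				  "type %d", packet -> packet_type);
-#endif
 			s = typebuf;
 		}
 		
@@ -268,14 +254,17 @@
 	find_lease (&lease, packet, packet -> shared_network,
 		    0, &allocatedp, (struct lease *)0, MDL);
 
-	if (lease && lease -> client_hostname &&
+	if (lease && lease -> client_hostname) {
-	    db_printable (lease -> client_hostname))
+		if ((strlen (lease -> client_hostname) <= 64) &&
-		s = lease -> client_hostname;
+		    db_printable (lease -> client_hostname))
-	else
+			s = lease -> client_hostname;
+		else
+			s = "Hostname Unsuitable for Printing";
+	} else
 		s = (char *)0;
 
 	/* Say what we're doing... */
-	sprintf (msgbuf, "DHCPDISCOVER from %s %s%s%svia %s",
+	snprintf (msgbuf, sizeof msgbuf, "DHCPDISCOVER from %s %s%s%svia %s",
 		 (packet -> raw -> htype
 		  ? print_hw_addr (packet -> raw -> htype,
 				   packet -> raw -> hlen,
@@ -446,10 +435,13 @@
 	/* XXX consider using allocatedp arg to find_lease to see
 	   XXX that this isn't a compliant DHCPREQUEST. */
 
-	if (lease && lease -> client_hostname &&
+	if (lease && lease -> client_hostname) {
-	    db_printable (lease -> client_hostname))
+		if ((strlen (lease -> client_hostname) <= 64) &&
-		s = lease -> client_hostname;
+		    db_printable (lease -> client_hostname))
-	else
+			s = lease -> client_hostname;
+		else
+			s = "Hostname Unsuitable for Printing";
+	} else
 		s = (char *)0;
 
 	oc = lookup_option (&dhcp_universe, packet -> options,
@@ -469,7 +461,8 @@
 		smbuf [0] = 0;
 
 	/* Say what we're doing... */
-	sprintf (msgbuf, "DHCPREQUEST for %s%s from %s %s%s%svia %s",
+	snprintf (msgbuf, sizeof msgbuf,
+		 "DHCPREQUEST for %s%s from %s %s%s%svia %s",
 		 piaddr (cip), smbuf,
 		 (packet -> raw -> htype
 		  ? print_hw_addr (packet -> raw -> htype,
@@ -742,17 +735,20 @@
 		     packet -> raw -> chaddr, packet -> raw -> hlen)))
 		lease_dereference (&lease, MDL);
 
-	if (lease && lease -> client_hostname &&
+	if (lease && lease -> client_hostname) {
-	    db_printable (lease -> client_hostname))
+		if ((strlen (lease -> client_hostname) <= 64) &&
-		s = lease -> client_hostname;
+		    db_printable (lease -> client_hostname))
-	else
+			s = lease -> client_hostname;
+		else
+			s = "Hostname Unsuitable for Printing";
+	} else
 		s = (char *)0;
 
 	strncpy(cstr, inet_ntoa (packet -> raw -> ciaddr), 15);
 	cstr[15] = '\0';
 
 	/* Say what we're doing... */
-	sprintf (msgbuf,
+	snprintf (msgbuf, sizeof msgbuf,
 		 "DHCPRELEASE of %s from %s %s%s%svia %s (%sfound)",
 		 cstr,
 		 (packet -> raw -> htype
@@ -830,13 +826,17 @@
 	data_string_forget (&data, MDL);
 	find_lease_by_ip_addr (&lease, cip, MDL);
 
-	if (lease && lease -> client_hostname &&
+	if (lease && lease -> client_hostname) {
-	    db_printable (lease -> client_hostname))
+		if ((strlen (lease -> client_hostname) <= 64) &&
-		s = lease -> client_hostname;
+		    db_printable (lease -> client_hostname))
-	else
+			s = lease -> client_hostname;
+		else
+			s = "Hostname Unsuitable for Printing";
+	} else
 		s = (char *)0;
 
-	sprintf (msgbuf, "DHCPDECLINE of %s from %s %s%s%svia %s",
+	snprintf (msgbuf, sizeof msgbuf,
+		 "DHCPDECLINE of %s from %s %s%s%svia %s",
 		 piaddr (cip),
 		 (packet -> raw -> htype
 		  ? print_hw_addr (packet -> raw -> htype,
@@ -947,7 +947,7 @@
 		memcpy (cip.iabuf, &packet -> raw -> ciaddr, 4);
 	}
 
-	sprintf (msgbuf, "DHCPINFORM from %s via %s",
+	snprintf (msgbuf, sizeof msgbuf, "DHCPINFORM from %s via %s",
 		 piaddr (cip), packet -> interface -> name);
 
 	/* If the IP source address is zero, don't respond. */
@@ -2748,10 +2748,13 @@
 	raw.hops = state -> hops;
 	raw.op = BOOTREPLY;
 
-	if (lease -> client_hostname &&
+	if (lease -> client_hostname) {
-	    db_printable (lease -> client_hostname))
+		if ((strlen (lease -> client_hostname) <= 64) &&
-		s = lease -> client_hostname;
+		    db_printable (lease -> client_hostname))
-	else
+			s = lease -> client_hostname;
+		else
+			s = "Hostname Unsuitable for Printing";
+	} else
 		s = (char *)0;
 
 	/* Say what we're doing... */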
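Review bot: The same hostname filter (`strlen (...) <= 64` plus `db_printable`) is pasted into five places in this file (the DHCPDISCOVER, DHCPREQUEST, DHCPRELEASE and DHCPDECLINE logging paths and the reply path at new line 2751), each time with the limit 64 as a bare number. Because this check is part of a security fix, one missed or diverging copy brings the problem back; a single static helper with a named limit keeps the copies in step, and each site shrinks to one assignment. The last copy omits the `lease &&` test the other four have, which the helper below tolerates. The surrounding functions start and end outside the hunks, so the declared type of `s` should be checked against the helper's return type.

```c
/* Longest client hostname that is echoed into a log line. */
#define MAX_LOGGED_HOSTNAME 64

/* Return the lease's client hostname if it is short and printable,
   a fixed placeholder if it is not, or a null pointer if there is none. */
static char *loggable_client_hostname (struct lease *lease)
{
	if (!lease || !lease -> client_hostname)
		return (char *)0;
	if (strlen (lease -> client_hostname) <= MAX_LOGGED_HOSTNAME &&
	    db_printable (lease -> client_hostname))
		return lease -> client_hostname;
	return "Hostname Unsuitable for Printing";
}

/* … unchanged: lease lookup before, snprintf into msgbuf after … */
	s = loggable_client_hostname (lease);
```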
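--- a/dhcp-3.0.1rc13/server/failover.c
+++ b/dhcp-3.0.1rc13/server/failover.c
@@ -3408,13 +3399,7 @@
 	char tbuf [256];
 
 	va_start (va, fmt);
-#if defined (HAVE_SNPRINTF)
-	/* Presumably if we have snprintf, we also have
-	   vsnprintf. */
 	vsnprintf (tbuf, sizeof tbuf, fmt, va);
-#else
-	vsprintf (tbuf, fmt, va);
-#endif
 	va_end (va);
 
 	return dhcp_failover_make_option (code, obuf, obufix, obufmax,
@@ -3515,7 +3500,7 @@
 	putUShort (&option.data [2], size - 4);
 
 #if defined (DEBUG_FAILOVER_MESSAGES)	
-	sprintf (tbuf, " (%s<%d>", info -> name, option.count);
+	snprintf (tbuf, sizeof tbuf, " (%s<%d>", info -> name, option.count);
 	failover_print (obuf, obufix, obufmax, tbuf);
 #endif
 
@@ -3586,7 +3571,7 @@
 	      case FT_TEXT_OR_BYTES:
 	      case FT_TEXT:
 #if defined (DEBUG_FAILOVER_MESSAGES)
-		sprintf (tbuf, "\"%s\"", txt);
+		snprintf (tbuf, sizeof tbuf, "\"%s\"", txt);
 		failover_print (obuf, obufix, obufmax, tbuf);
 #endif
 		memcpy (&option.data [4], txt, count);
@@ -4494,19 +4479,13 @@
 		}
 		if (new_binding_state != msg -> binding_status) {
 			char outbuf [100];
-#if !defined (NO_SNPRINTF)
+
 			snprintf (outbuf, sizeof outbuf,
 				  "%s: invalid state transition: %s to %s",
 				  piaddr (lease -> ip_addr),
 				  binding_state_print (lease -> binding_state),
 				  binding_state_print (msg -> binding_status));
-#else
+
-			sprintf (outbuf,
-				 "%s: invalid state transition: %s to %s",
-				 piaddr (lease -> ip_addr),
-				 binding_state_print (lease -> binding_state),
-				 binding_state_print (msg -> binding_status));
-#endif
 			dhcp_failover_send_bind_ack (state, msg,
 						     FTR_FATAL_CONFLICT,
 						     outbuf);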
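Review bot: In the `FT_TEXT` branch, `snprintf (tbuf, sizeof tbuf, "\"%s\"", txt)` bounds the write but `%s` still reads `txt` up to a NUL, while the `memcpy (&option.data [4], txt, count)` two lines later treats `txt` as `count` bytes. If `txt` is not guaranteed to be terminated (the case label is shared with `FT_TEXT_OR_BYTES`), the debug print can read past the end of it. Bounding the read as well closes that: `snprintf (tbuf, sizeof tbuf, "\"%.*s\"", (int)count, txt);`. The declarations of `txt`, `count` and `tbuf` are outside the hunk, so this assumes `count` is the length of `txt` in bytes.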
