Bugzilla – Attachment 21425 Details for
Bug 56975
VUL-0: CVE-2004-0461: dhcp: remote buffer overflow
[patch]
Concise diff between 3.0.1rc13 and proposed 3.0.1 tarball
dhcp-3.0.1rc13-3.0.1.linux.dif (text/plain), 25.86 KB, created by
Peter Poeml
on 2004-06-21 17:32:06 UTC
Description:
Concise diff between 3.0.1rc13 and proposed 3.0.1 tarball
Filename:
MIME Type:
Creator:
Peter Poeml
Created:
2004-06-21 17:32:06 UTC
Size:
25.86 KB
>diff -uNr dhcp-3.0.1rc13/RELNOTES dhcp-3.0.1/RELNOTES
>--- dhcp-3.0.1rc13/RELNOTES 2004-02-04 21:18:07.000000000 +0100
>+++ dhcp-3.0.1/RELNOTES 2004-06-15 00:14:01.000000000 +0200
>@@ -43,6 +43,27 @@
> thanks to all of these good people here, both for working on the code
> and for prodding me into improving it.
>
>+ Changes since 3.0.1rc13
>+
>+! CAN-2004-0460 - CERT VU#317350: Five stack overflow exploits were closed
>+ in logging messages with excessively long hostnames provided by the
>+ clients. It is highly probable that these could have been used by
>+ attackers to gain arbitrary root access on systems using ISC DHCP.
>+ Special thanks to Gregory Duchemin for both finding and solving the
>+ problem.
>+
>+! CAN-2004-0461 - CERT VU#654390: Once the above was closed, an opening
>+ in log_*() functions was evidented, on some specific platforms where
>+ vsnprintf() was not believed to be available and calls were wrapped to
>+ sprintf() instead. Again, credit goes to Gregory Duchemin for finding
>+ the problem. Calls to snprintf() are now linked to a distribution-local
>+ snprintf implementation, only in those cases where the architecture is
>+ not known to provide one (see includes/cf/[arch].h). If you experience
>+ linking problems with snprintf/vsnprintf or 'isc_print_' functions, this
>+ is where to look.
>+
>+- 'The cross-compile bug fix' was backed out.
>+
> Changes since 3.0.1rc12
>
> - Fixed a bug in omapi lease lookup function, to form the hardware
>diff -uNr dhcp-3.0.1rc13/common/bpf.c dhcp-3.0.1/common/bpf.c
>--- dhcp-3.0.1rc13/common/bpf.c 2002-11-17 03:26:56.000000000 +0100
>+++ dhcp-3.0.1/common/bpf.c 2004-06-14 23:08:42.000000000 +0200
>@@ -103,11 +90,7 @@
>
> /* Open a BPF device */
> for (b = 0; 1; b++) {
>-#ifndef NO_SNPRINTF
> snprintf(filename, sizeof(filename), BPF_FORMAT, b);
>-#else
>- sprintf(filename, BPF_FORMAT, b);
>-#endif
> sock = open (filename, O_RDWR, 0);
> if (sock < 0) {
> if (errno == EBUSY) {
>diff -uNr dhcp-3.0.1rc13/common/dns.c dhcp-3.0.1/common/dns.c
>--- dhcp-3.0.1rc13/common/dns.c 2002-11-17 03:26:57.000000000 +0100
>+++ dhcp-3.0.1/common/dns.c 2004-06-14 23:08:42.000000000 +0200
>@@ -539,15 +530,10 @@
>
> if (ddns_addr.len != 4)
> return ISC_R_INVALIDARG;
>-#ifndef NO_SNPRINTF
>+
> snprintf (ddns_address, 16, "%d.%d.%d.%d",
> ddns_addr.iabuf[0], ddns_addr.iabuf[1],
> ddns_addr.iabuf[2], ddns_addr.iabuf[3]);
>-#else
>- sprintf (ddns_address, "%d.%d.%d.%d",
>- ddns_addr.iabuf[0], ddns_addr.iabuf[1],
>- ddns_addr.iabuf[2], ddns_addr.iabuf[3]);
>-#endif
>
> /*
> * When a DHCP client or server intends to update an A RR, it first
>@@ -793,16 +779,9 @@
> if (ddns_addr.len != 4)
> return ISC_R_INVALIDARG;
>
>-#ifndef NO_SNPRINTF
> snprintf (ddns_address, 16, "%d.%d.%d.%d",
> ddns_addr.iabuf[0], ddns_addr.iabuf[1],
> ddns_addr.iabuf[2], ddns_addr.iabuf[3]);
>-#else
>- sprintf (ddns_address, "%d.%d.%d.%d",
>- ddns_addr.iabuf[0], ddns_addr.iabuf[1],
>- ddns_addr.iabuf[2], ddns_addr.iabuf[3]);
>-#endif
>-
>
> /*
> * The entity chosen to handle the A record for this client (either the
>diff -uNr dhcp-3.0.1rc13/common/iscprint.c dhcp-3.0.1/common/iscprint.c
>--- dhcp-3.0.1rc13/common/iscprint.c 1970-01-01 01:00:00.000000000 +0100
>+++ dhcp-3.0.1/common/iscprint.c 2004-06-14 23:09:22.000000000 +0200
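Review bot: Both surviving `snprintf (ddns_address, 16, ...)` calls in common/dns.c (the hunks at -539 and -793) still pass the bound as the literal 16 instead of deriving it from the destination. The declaration of `ddns_address` is outside both hunks, so the literal cannot be checked against it here; if it is a local array, `snprintf (ddns_address, sizeof ddns_address, "%d.%d.%d.%d",` keeps the bound and the buffer from drifting apart. Four octets need at most 15 characters plus the terminator, so 16 is enough provided `iabuf` holds unsigned bytes, which is also not visible in these hunks.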
>@@ -0,0 +1,539 @@
>+/*
>+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
>+ * Copyright (C) 1999-2001, 2003 Internet Software Consortium.
>+ *
>+ * Permission to use, copy, modify, and distribute this software for any
>+ * purpose with or without fee is hereby granted, provided that the above
>+ * copyright notice and this permission notice appear in all copies.
>+ *
>+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
>+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
>+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
>+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
>+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
>+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
>+ * PERFORMANCE OF THIS SOFTWARE.
>+ */
>+
>+/* $Id: iscprint.c,v 1.1.2.1 2004/06/14 21:09:22 dhankins Exp $ */
>+
>+#include "dhcpd.h"
>+
>+#ifdef NO_SNPRINTF
>+
>+#ifndef LINT
>+static char copyright[] =
>+"$Id: iscprint.c,v 1.1.2.1 2004/06/14 21:09:22 dhankins Exp $ Copyright (c) 2004 Internet Systems Consortium, Inc. All rights reserved.";
>+#endif
>+
>+#define INSIST(cond) REQUIRE(cond)
>+#define REQUIRE(cond) if (!(cond)) { return 0; }
>+
>+/*
>+ * Return length of string that would have been written if not truncated.
>+ */
>+
>+int
>+isc_print_snprintf(char *str, size_t size, const char *format, ...) {
>+ va_list ap;
>+ int ret;
>+
>+ va_start(ap, format);
>+ ret = vsnprintf(str, size, format, ap);
>+ va_end(ap);
>+ return (ret);
>+}
>+
>+/*
>+ * Return length of string that would have been written if not truncated.
>+ */
>+
>+int
>+isc_print_vsnprintf(char *str, size_t size, const char *format, va_list ap) {
>+ int h;
>+ int l;
>+ int q;
>+ int alt;
>+ int zero;
>+ int left;
>+ int plus;
>+ int space;
>+ int neg;
>+ isc_int64_t tmpi;
>+ isc_uint64_t tmpui;
>+ unsigned long width;
>+ unsigned long precision;
>+ unsigned int length;
>+ char buf[1024];
>+ char c;
>+ void *v;
>+ char *save = str;
>+ const char *cp;
>+ const char *head;
>+ int count = 0;
>+ int pad;
>+ int zeropad;
>+ int dot;
>+ double dbl;
>+#ifdef HAVE_LONG_DOUBLE
>+ long double ldbl;
>+#endif
>+ char fmt[32];
>+
>+ INSIST(str != NULL);
>+ INSIST(format != NULL);
>+
>+ while (*format != '\0') {
>+ if (*format != '%') {
>+ if (size > 1) {
>+ *str++ = *format;
>+ size--;
>+ }
>+ count++;
>+ format++;
>+ continue;
>+ }
>+ format++;
>+
>+ /*
>+ * Reset flags.
>+ */
>+ dot = neg = space = plus = left = zero = alt = h = l = q = 0;
>+ width = precision = 0;
>+ head = "";
>+ length = pad = zeropad = 0;
>+
>+ do {
>+ if (*format == '#') {
>+ alt = 1;
>+ format++;
>+ } else if (*format == '-') {
>+ left = 1;
>+ zero = 0;
>+ format++;
>+ } else if (*format == ' ') {
>+ if (!plus)
>+ space = 1;
>+ format++;
>+ } else if (*format == '+') {
>+ plus = 1;
>+ space = 0;
>+ format++;
>+ } else if (*format == '0') {
>+ if (!left)
>+ zero = 1;
>+ format++;
>+ } else
>+ break;
>+ } while (1);
>+
>+ /*
>+ * Width.
>+ */
>+ if (*format == '*') {
>+ width = va_arg(ap, int);
>+ format++;
>+ } else if (isdigit((unsigned char)*format)) {
>+ char *e;
>+ width = strtoul(format, &e, 10);
>+ format = e;
>+ }
>+
>+ /*
>+ * Precision.
>+ */
>+ if (*format == '.') {
>+ format++;
>+ dot = 1;
>+ if (*format == '*') {
>+ precision = va_arg(ap, int);
>+ format++;
>+ } else if (isdigit((unsigned char)*format)) {
>+ char *e;
>+ precision = strtoul(format, &e, 10);
>+ format = e;
>+ }
>+ }
>+
>+ switch (*format) {
>+ case '\0':
>+ continue;
>+ case '%':
>+ if (size > 1) {
>+ *str++ = *format;
>+ size--;
>+ }
>+ count++;
>+ break;
>+ case 'q':
>+ q = 1;
>+ format++;
>+ goto doint;
>+ case 'h':
>+ h = 1;
>+ format++;
>+ goto doint;
>+ case 'l':
>+ l = 1;
>+ format++;
>+ if (*format == 'l') {
>+ q = 1;
>+ format++;
>+ }
>+ goto doint;
>+ case 'n':
>+ case 'i':
>+ case 'd':
>+ case 'o':
>+ case 'u':
>+ case 'x':
>+ case 'X':
>+ doint:
>+ if (precision != 0)
>+ zero = 0;
>+ switch (*format) {
>+ case 'n':
>+ if (h) {
>+ short int *p;
>+ p = va_arg(ap, short *);
>+ REQUIRE(p != NULL);
>+ *p = str - save;
>+ } else if (l) {
>+ long int *p;
>+ p = va_arg(ap, long *);
>+ REQUIRE(p != NULL);
>+ *p = str - save;
>+ } else {
>+ int *p;
>+ p = va_arg(ap, int *);
>+ REQUIRE(p != NULL);
>+ *p = str - save;
>+ }
>+ break;
>+ case 'i':
>+ case 'd':
>+ if (q)
>+ tmpi = va_arg(ap, isc_int64_t);
>+ else if (l)
>+ tmpi = va_arg(ap, long int);
>+ else
>+ tmpi = va_arg(ap, int);
>+ if (tmpi < 0) {
>+ head = "-";
>+ tmpui = -tmpi;
>+ } else {
>+ if (plus)
>+ head = "+";
>+ else if (space)
>+ head = " ";
>+ else
>+ head = "";
>+ tmpui = tmpi;
>+ }
>+ sprintf(buf, "%u", tmpui);
>+ goto printint;
>+ case 'o':
>+ if (q)
>+ tmpui = va_arg(ap, isc_uint64_t);
>+ else if (l)
>+ tmpui = va_arg(ap, long int);
>+ else
>+ tmpui = va_arg(ap, int);
>+ sprintf(buf, alt ? "%#o"
>+ : "%o", tmpui);
>+ goto printint;
>+ case 'u':
>+ if (q)
>+ tmpui = va_arg(ap, isc_uint64_t);
>+ else if (l)
>+ tmpui = va_arg(ap, unsigned long int);
>+ else
>+ tmpui = va_arg(ap, unsigned int);
>+ sprintf(buf, "%u", tmpui);
>+ goto printint;
>+ case 'x':
>+ if (q)
>+ tmpui = va_arg(ap, isc_uint64_t);
>+ else if (l)
>+ tmpui = va_arg(ap, unsigned long int);
>+ else
>+ tmpui = va_arg(ap, unsigned int);
>+ if (alt) {
>+ head = "0x";
>+ if (precision > 2)
>+ precision -= 2;
>+ }
>+ sprintf(buf, "%x", tmpui);
>+ goto printint;
>+ case 'X':
>+ if (q)
>+ tmpui = va_arg(ap, isc_uint64_t);
>+ else if (l)
>+ tmpui = va_arg(ap, unsigned long int);
>+ else
>+ tmpui = va_arg(ap, unsigned int);
>+ if (alt) {
>+ head = "0X";
>+ if (precision > 2)
>+ precision -= 2;
>+ }
>+ sprintf(buf, "%X", tmpui);
>+ goto printint;
>+ printint:
>+ if (precision != 0 || width != 0) {
>+ length = strlen(buf);
>+ if (length < precision)
>+ zeropad = precision - length;
>+ else if (length < width && zero)
>+ zeropad = width - length;
>+ if (width != 0) {
>+ pad = width - length -
>+ zeropad - strlen(head);
>+ if (pad < 0)
>+ pad = 0;
>+ }
>+ }
>+ count += strlen(head) + strlen(buf) + pad +
>+ zeropad;
>+ if (!left) {
>+ while (pad > 0 && size > 1) {
>+ *str++ = ' ';
>+ size--;
>+ pad--;
>+ }
>+ }
>+ cp = head;
>+ while (*cp != '\0' && size > 1) {
>+ *str++ = *cp++;
>+ size--;
>+ }
>+ while (zeropad > 0 && size > 1) {
>+ *str++ = '0';
>+ size--;
>+ zeropad--;
>+ }
>+ cp = buf;
>+ while (*cp != '\0' && size > 1) {
>+ *str++ = *cp++;
>+ size--;
>+ }
>+ while (pad > 0 && size > 1) {
>+ *str++ = ' ';
>+ size--;
>+ pad--;
>+ }
>+ break;
>+ default:
>+ break;
>+ }
>+ break;
>+ case 's':
>+ cp = va_arg(ap, char *);
>+ REQUIRE(cp != NULL);
>+
>+ if (precision != 0) {
>+ /*
>+ * cp need not be NULL terminated.
>+ */
>+ const char *tp;
>+ unsigned long n;
>+
>+ n = precision;
>+ tp = cp;
>+ while (n != 0 && *tp != '\0')
>+ n--, tp++;
>+ length = precision - n;
>+ } else {
>+ length = strlen(cp);
>+ }
>+ if (width != 0) {
>+ pad = width - length;
>+ if (pad < 0)
>+ pad = 0;
>+ }
>+ count += pad + length;
>+ if (!left)
>+ while (pad > 0 && size > 1) {
>+ *str++ = ' ';
>+ size--;
>+ pad--;
>+ }
>+ if (precision != 0)
>+ while (precision > 0 && *cp != '\0' &&
>+ size > 1) {
>+ *str++ = *cp++;
>+ size--;
>+ precision--;
>+ }
>+ else
>+ while (*cp != '\0' && size > 1) {
>+ *str++ = *cp++;
>+ size--;
>+ }
>+ while (pad > 0 && size > 1) {
>+ *str++ = ' ';
>+ size--;
>+ pad--;
>+ }
>+ break;
>+ case 'c':
>+ c = va_arg(ap, int);
>+ if (width > 0) {
>+ count += width;
>+ width--;
>+ if (left) {
>+ *str++ = c;
>+ size--;
>+ }
>+ while (width-- > 0 && size > 1) {
>+ *str++ = ' ';
>+ size--;
>+ }
>+ if (!left && size > 1) {
>+ *str++ = c;
>+ size--;
>+ }
>+ } else {
>+ count++;
>+ if (size > 1) {
>+ *str++ = c;
>+ size--;
>+ }
>+ }
>+ break;
>+ case 'p':
>+ v = va_arg(ap, void *);
>+ sprintf(buf, "%p", v);
>+ length = strlen(buf);
>+ if (precision > length)
>+ zeropad = precision - length;
>+ if (width > 0) {
>+ pad = width - length - zeropad;
>+ if (pad < 0)
>+ pad = 0;
>+ }
>+ count += length + pad + zeropad;
>+ if (!left)
>+ while (pad > 0 && size > 1) {
>+ *str++ = ' ';
>+ size--;
>+ pad--;
>+ }
>+ cp = buf;
>+ if (zeropad > 0 && buf[0] == '0' &&
>+ (buf[1] == 'x' || buf[1] == 'X')) {
>+ if (size > 1) {
>+ *str++ = *cp++;
>+ size--;
>+ }
>+ if (size > 1) {
>+ *str++ = *cp++;
>+ size--;
>+ }
>+ while (zeropad > 0 && size > 1) {
>+ *str++ = '0';
>+ size--;
>+ zeropad--;
>+ }
>+ }
>+ while (*cp != '\0' && size > 1) {
>+ *str++ = *cp++;
>+ size--;
>+ }
>+ while (pad > 0 && size > 1) {
>+ *str++ = ' ';
>+ size--;
>+ pad--;
>+ }
>+ break;
>+ case 'D': /*deprecated*/
>+ INSIST("use %ld instead of %D" == NULL);
>+ case 'O': /*deprecated*/
>+ INSIST("use %lo instead of %O" == NULL);
>+ case 'U': /*deprecated*/
>+ INSIST("use %lu instead of %U" == NULL);
>+
>+ case 'L':
>+#ifdef HAVE_LONG_DOUBLE
>+ l = 1;
>+#else
>+ INSIST("long doubles are not supported" == NULL);
>+#endif
>+ /*FALLTHROUGH*/
>+ case 'e':
>+ case 'E':
>+ case 'f':
>+ case 'g':
>+ case 'G':
>+ if (!dot)
>+ precision = 6;
>+ /*
>+ * IEEE floating point.
>+ * MIN 2.2250738585072014E-308
>+ * MAX 1.7976931348623157E+308
>+ * VAX floating point has a smaller range than IEEE.
>+ *
>+ * precisions > 324 don't make much sense.
>+ * if we cap the precision at 512 we will not
>+ * overflow buf.
>+ */
>+ if (precision > 512)
>+ precision = 512;
>+ sprintf(fmt, "%%%s%s.%lu%s%c", alt ? "#" : "",
>+ plus ? "+" : space ? " " : "",
>+ precision, l ? "L" : "", *format);
>+ switch (*format) {
>+ case 'e':
>+ case 'E':
>+ case 'f':
>+ case 'g':
>+ case 'G':
>+#ifdef HAVE_LONG_DOUBLE
>+ if (l) {
>+ ldbl = va_arg(ap, long double);
>+ sprintf(buf, fmt, ldbl);
>+ } else
>+#endif
>+ {
>+ dbl = va_arg(ap, double);
>+ sprintf(buf, fmt, dbl);
>+ }
>+ length = strlen(buf);
>+ if (width > 0) {
>+ pad = width - length;
>+ if (pad < 0)
>+ pad = 0;
>+ }
>+ count += length + pad;
>+ if (!left)
>+ while (pad > 0 && size > 1) {
>+ *str++ = ' ';
>+ size--;
>+ pad--;
>+ }
>+ cp = buf;
>+ while (*cp != ' ' && size > 1) {
>+ *str++ = *cp++;
>+ size--;
>+ }
>+ while (pad > 0 && size > 1) {
>+ *str++ = ' ';
>+ size--;
>+ pad--;
>+ }
>+ break;
>+ default:
>+ continue;
>+ }
>+ break;
>+ default:
>+ continue;
>+ }
>+ format++;
>+ }
>+ if (size > 0)
>+ *str = '\0';
>+ return (count);
>+}
>+
>+#endif
>diff -uNr dhcp-3.0.1rc13/omapip/Makefile.dist dhcp-3.0.1/omapip/Makefile.dist
>--- dhcp-3.0.1rc13/omapip/Makefile.dist 2001-05-17 22:54:18.000000000 +0200
>+++ dhcp-3.0.1/omapip/Makefile.dist 2004-06-14 23:08:50.000000000 +0200
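Review bot: In `isc_print_vsnprintf` the left-justified `%c` path writes without checking the remaining space: `if (left) { *str++ = c; size--; }` runs even when `size` is 1 or 0, so it can use the byte reserved for the terminator or, at 0, wrap `size` (a `size_t`) so that every later `size > 1` test passes. Guarding it like its sibling branches, `if (left && size > 1) {`, keeps the bound this replacement exists to enforce. The floating-point copy loop `while (*cp != ' ' && size > 1)` stops on a space rather than on `'\0'`, unlike every other copy loop in the function, so as printed it appears to read past the end of the formatted number in `buf`; `*cp != '\0'` looks like the intended test. Separately, `tmpui` is an `isc_uint64_t` passed to `%u`, `%o`, `%x` and `%X`, which does not match the argument type, and the `REQUIRE` macro returns 0 without terminating `str`, so callers can be left with an unterminated buffer.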
>@@ -27,7 +32,8 @@
> OBJ = protocol.o buffer.o alloc.o result.o connection.o errwarn.o \
> listener.o dispatch.o generic.o support.o handle.o message.o \
> convert.o hash.o auth.o inet_addr.o array.o trace.o mrtrace.o \
>- toisc.o
>+ toisc.o ../common/iscprint.o
>+# XXX: iscprint.o above is a kludge.
>
> MAN = omapi.3
>
>diff -uNr dhcp-3.0.1rc13/common/parse.c dhcp-3.0.1/common/parse.c
>--- dhcp-3.0.1rc13/common/parse.c 2003-07-25 21:36:11.000000000 +0200
>+++ dhcp-3.0.1/common/parse.c 2004-06-14 23:08:43.000000000 +0200
>@@ -4805,13 +4796,8 @@
> unsigned i, lix;
>
> do_percentm (mbuf, fmt);
>-#ifndef NO_SNPRINTF
> snprintf (fbuf, sizeof fbuf, "%s line %d: %s",
> cfile -> tlname, cfile -> lexline, mbuf);
>-#else
>- sprintf (fbuf, "%s line %d: %s",
>- cfile -> tlname, cfile -> lexline, mbuf);
>-#endif
>
> va_start (list, fmt);
> vsnprintf (mbuf, sizeof mbuf, fbuf, list);
>diff -uNr dhcp-3.0.1rc13/common/upf.c dhcp-3.0.1/common/upf.c
>--- dhcp-3.0.1rc13/common/upf.c 2002-11-17 03:27:00.000000000 +0100
>+++ dhcp-3.0.1/common/upf.c 2004-06-14 23:08:44.000000000 +0200
>@@ -88,11 +79,7 @@
>
> /* Open a UPF device */
> for (b = 0; 1; b++) {
>-#ifndef NO_SNPRINTF
> snprintf(filename, sizeof(filename), "/dev/pf/pfilt%d", b);
>-#else
>- sprintf(filename, "/dev/pf/pfilt%d", b);
>-#endif
> sock = open (filename, O_RDWR, 0);
> if (sock < 0) {
> if (errno == EBUSY) {
>diff -uNr dhcp-3.0.1rc13/includes/cf/linux.h dhcp-3.0.1/includes/cf/linux.h
>--- dhcp-3.0.1rc13/includes/cf/linux.h 2002-04-27 01:41:57.000000000 +0200
>+++ dhcp-3.0.1/includes/cf/linux.h 2004-06-14 17:31:03.000000000 +0200
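Review bot: In the common/parse.c hunk the string built by `snprintf (fbuf, sizeof fbuf, "%s line %d: %s", ...)` is then used as the format of `vsnprintf (mbuf, sizeof mbuf, fbuf, list)`, so the contents of `cfile -> tlname` become part of a format string. Whether a name containing `%` can reach `tlname` cannot be told from this hunk, but if it can, its conversions would consume arguments from `list` that the caller never supplied. Formatting the caller's message into its own buffer first and only then prepending the name and line number with `"%s line %d: %s"` would keep the name out of any format. A comment above the `snprintf` stating that `fbuf` is a format, not text, would help the next reader either way; the enclosing function starts and ends outside the hunk.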
>@@ -105,9 +96,6 @@
> #define VA_start(list, last) va_start (list, last)
> #define va_dcl
>
>-#define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list)
>-#define NO_SNPRINTF
>-
> #define VOIDPTR void *
>
> #define EOL '\n'
>diff -uNr dhcp-3.0.1rc13/includes/osdep.h dhcp-3.0.1/includes/osdep.h
>--- dhcp-3.0.1rc13/includes/osdep.h 2002-11-03 05:33:51.000000000 +0100
>+++ dhcp-3.0.1/includes/osdep.h 2004-06-14 23:08:44.000000000 +0200
>@@ -142,6 +133,14 @@
> # endif
> #endif
>
>+/* snprintf/vsnprintf hacks. for systems with no libc versions only. */
>+#ifdef NO_SNPRINTF
>+ extern int isc_print_snprintf(char *, size_t, const char *, ...);
>+ extern int isc_print_vsnprintf(char *, size_t, const char *, va_list ap);
>+# define snprintf isc_print_snprintf
>+# define vsnprintf isc_print_vsnprintf
>+#endif
>+
> /* Porting::
>
> If you add a new network API, and have it set up so that it can be
>diff -uNr dhcp-3.0.1rc13/server/bootp.c dhcp-3.0.1/server/bootp.c
>--- dhcp-3.0.1rc13/server/bootp.c 2002-11-17 03:29:30.000000000 +0100
>+++ dhcp-3.0.1/server/bootp.c 2004-06-15 18:15:58.000000000 +0200
>@@ -77,7 +68,7 @@
> if (packet -> raw -> op != BOOTREQUEST)
> return;
>
>- sprintf (msgbuf, "BOOTREQUEST from %s via %s",
>+ snprintf (msgbuf, sizeof msgbuf, "BOOTREQUEST from %s via %s",
> print_hw_addr (packet -> raw -> htype,
> packet -> raw -> hlen,
> packet -> raw -> chaddr),
>diff -uNr dhcp-3.0.1rc13/server/db.c dhcp-3.0.1/server/db.c
>--- dhcp-3.0.1rc13/server/db.c 2002-11-03 01:28:44.000000000 +0100
>+++ dhcp-3.0.1/server/db.c 2004-06-15 18:15:58.000000000 +0200
>@@ -782,7 +773,7 @@
>
> /* Make a temporary lease file... */
> GET_TIME (&t);
>- sprintf (newfname, "%s.%d", path_dhcpd_db, (int)t);
>+ snprintf (newfname, sizeof newfname, "%s.%d", path_dhcpd_db, (int)t);
> db_fd = open (newfname, O_WRONLY | O_TRUNC | O_CREAT, 0664);
> if (db_fd < 0) {
> log_error ("Can't create new lease file: %m");
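Review bot: The result of `snprintf (newfname, sizeof newfname, "%s.%d", path_dhcpd_db, (int)t)` in server/db.c is not checked, so a `path_dhcpd_db` that does not fit is silently shortened and the `open (newfname, O_WRONLY | O_TRUNC | O_CREAT, 0664)` that follows truncates whatever file the shortened name refers to. The same applies to `backfname` in the hunk at -833, where losing only the trailing `~` would make `unlink (backfname)` name the live lease database itself. Both calls should treat a negative result or one that is `>= sizeof` the buffer as an error and stop before touching the file system, for example `if (n < 0 || (size_t)n >= sizeof newfname) {` followed by a `log_error` and the function's existing failure exit. That exit and the buffer declarations are outside the hunks, so the exact form is left to the author.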
>@@ -833,7 +824,7 @@
> if (!trace_playback ()) {
> #endif
> /* Get the old database out of the way... */
>- sprintf (backfname, "%s~", path_dhcpd_db);
>+ snprintf (backfname, sizeof backfname, "%s~", path_dhcpd_db);
> if (unlink (backfname) < 0 && errno != ENOENT) {
> log_error ("Can't remove old lease database backup %s: %m",
> backfname);
>diff -uNr dhcp-3.0.1rc13/server/ddns.c dhcp-3.0.1/server/ddns.c
>--- dhcp-3.0.1rc13/server/ddns.c 2002-11-17 03:29:30.000000000 +0100
>+++ dhcp-3.0.1/server/ddns.c 2004-06-14 23:08:50.000000000 +0200
>@@ -345,6 +336,12 @@
> &lease -> scope, oc, MDL);
>
> if (s1 && s2) {
>+ if (ddns_hostname.len + ddns_domainname.len > 253) {
>+ log_error ("ddns_update: host.domain name too long");
>+
>+ goto out;
>+ }
>+
> buffer_allocate (&ddns_fwd_name.buffer,
> ddns_hostname.len + ddns_domainname.len + 2,
> MDL);
>@@ -449,6 +446,11 @@
> if (!ddns_fwd_name.len)
> goto out;
>
>+ if (ddns_fwd_name.len > 255) {
>+ log_error ("client provided fqdn: too long");
>+ goto out;
>+ }
>+
> /*
> * Compute the RR TTL.
> */
>@@ -479,7 +481,13 @@
> packet -> options,
> state -> options,
> &lease -> scope, oc, MDL);
>-
>+
>+ if (d1.len > 238) {
>+ log_error ("ddns_update: Calculated rev domain name too long.");
>+ s1 = 0;
>+ data_string_forget (&d1, MDL);
>+ }
>+
> if (oc && s1) {
> /* Buffer length:
> XXX.XXX.XXX.XXX.<ddns-rev-domain-name>\0 */
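Review bot: The three length limits added to server/ddns.c — 253 at -345, 255 at -449 and 238 at -479 — are bare literals with no comment saying where they come from or why the first two differ. 238 appears to be 255 minus the 17 bytes that the following hunk reserves for the `XXX.XXX.XXX.XXX.` prefix, and 253/255 look like DNS name-length limits, but a reader has to reconstruct that. A one-line comment at each check, or named constants shared with the `buffer_allocate` sizes, would let a reviewer confirm that the checks and the allocations agree. The check at -479 also reads `d1.len` before `if (oc && s1)`, so it relies on `d1` being initialised even when the evaluation above did not run; that initialisation is outside the hunk.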
>@@ -487,21 +495,14 @@
> d1.len + 17, MDL);
> if (ddns_rev_name.buffer) {
> ddns_rev_name.data = ddns_rev_name.buffer -> data;
>-#ifndef NO_SNPRINTF
>+
> snprintf ((char *)ddns_rev_name.buffer -> data, 17,
> "%d.%d.%d.%d.",
> lease -> ip_addr . iabuf[3],
> lease -> ip_addr . iabuf[2],
> lease -> ip_addr . iabuf[1],
> lease -> ip_addr . iabuf[0]);
>-#else
>- sprintf ((char *)ddns_rev_name.buffer -> data,
>- "%d.%d.%d.%d.",
>- lease -> ip_addr . iabuf[3],
>- lease -> ip_addr . iabuf[2],
>- lease -> ip_addr . iabuf[1],
>- lease -> ip_addr . iabuf[0]);
>-#endif
>+
> ddns_rev_name.len =
> strlen ((const char *)ddns_rev_name.data);
> data_string_append (&ddns_rev_name, &d1);
>diff -uNr dhcp-3.0.1rc13/server/dhcp.c dhcp-3.0.1/server/dhcp.c
>--- dhcp-3.0.1rc13/server/dhcp.c 2004-01-09 01:41:00.000000000 +0100
>+++ dhcp-3.0.1/server/dhcp.c 2004-06-15 18:15:58.000000000 +0200
>@@ -89,13 +80,8 @@
> packet -> packet_type < dhcp_type_name_max - 1) {
> s = dhcp_type_names [packet -> packet_type - 1];
> } else {
>-#if defined (HAVE_SNPRINTF)
> snprintf (typebuf, sizeof typebuf,
> "type %d", packet -> packet_type);
>-#else
>- sprintf (typebuf,
>- "type %d", packet -> packet_type);
>-#endif
> s = typebuf;
> }
>
>@@ -268,14 +254,17 @@
> find_lease (&lease, packet, packet -> shared_network,
> 0, &allocatedp, (struct lease *)0, MDL);
>
>- if (lease && lease -> client_hostname &&
>- db_printable (lease -> client_hostname))
>- s = lease -> client_hostname;
>- else
>+ if (lease && lease -> client_hostname) {
>+ if ((strlen (lease -> client_hostname) <= 64) &&
>+ db_printable (lease -> client_hostname))
>+ s = lease -> client_hostname;
>+ else
>+ s = "Hostname Unsuitable for Printing";
>+ } else
> s = (char *)0;
>
> /* Say what we're doing... */
>- sprintf (msgbuf, "DHCPDISCOVER from %s %s%s%svia %s",
>+ snprintf (msgbuf, sizeof msgbuf, "DHCPDISCOVER from %s %s%s%svia %s",
> (packet -> raw -> htype
> ? print_hw_addr (packet -> raw -> htype,
> packet -> raw -> hlen,
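Review bot: The hostname guard added at -268 in server/dhcp.c, `(strlen (lease -> client_hostname) <= 64) && db_printable (lease -> client_hostname)` with its fallback string, is repeated verbatim in four more hunks (-446, -742, -830 and -2748), each carrying its own copy of the literal 64. A single file-local helper that returns the string to log, or at least one named constant for the limit, would keep the five sites from diverging the next time the limit changes. In the -2748 hunk only the guard is visible; the logging call that consumes `s` lies below the hunk, so it should be confirmed that it was converted to a bounded `snprintf (msgbuf, sizeof msgbuf, ...)` like the others. `sizeof msgbuf` is the buffer size only if `msgbuf` is an array in each of these functions, and those declarations are outside the hunks.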
>@@ -446,10 +435,13 @@
> /* XXX consider using allocatedp arg to find_lease to see
> XXX that this isn't a compliant DHCPREQUEST. */
>
>- if (lease && lease -> client_hostname &&
>- db_printable (lease -> client_hostname))
>- s = lease -> client_hostname;
>- else
>+ if (lease && lease -> client_hostname) {
>+ if ((strlen (lease -> client_hostname) <= 64) &&
>+ db_printable (lease -> client_hostname))
>+ s = lease -> client_hostname;
>+ else
>+ s = "Hostname Unsuitable for Printing";
>+ } else
> s = (char *)0;
>
> oc = lookup_option (&dhcp_universe, packet -> options,
>@@ -469,7 +461,8 @@
> smbuf [0] = 0;
>
> /* Say what we're doing... */
>- sprintf (msgbuf, "DHCPREQUEST for %s%s from %s %s%s%svia %s",
>+ snprintf (msgbuf, sizeof msgbuf,
>+ "DHCPREQUEST for %s%s from %s %s%s%svia %s",
> piaddr (cip), smbuf,
> (packet -> raw -> htype
> ? print_hw_addr (packet -> raw -> htype,
>@@ -742,17 +735,20 @@
> packet -> raw -> chaddr, packet -> raw -> hlen)))
> lease_dereference (&lease, MDL);
>
>- if (lease && lease -> client_hostname &&
>- db_printable (lease -> client_hostname))
>- s = lease -> client_hostname;
>- else
>+ if (lease && lease -> client_hostname) {
>+ if ((strlen (lease -> client_hostname) <= 64) &&
>+ db_printable (lease -> client_hostname))
>+ s = lease -> client_hostname;
>+ else
>+ s = "Hostname Unsuitable for Printing";
>+ } else
> s = (char *)0;
>
> strncpy(cstr, inet_ntoa (packet -> raw -> ciaddr), 15);
> cstr[15] = '\0';
>
> /* Say what we're doing... */
>- sprintf (msgbuf,
>+ snprintf (msgbuf, sizeof msgbuf,
> "DHCPRELEASE of %s from %s %s%s%svia %s (%sfound)",
> cstr,
> (packet -> raw -> htype
>@@ -830,13 +826,17 @@
> data_string_forget (&data, MDL);
> find_lease_by_ip_addr (&lease, cip, MDL);
>
>- if (lease && lease -> client_hostname &&
>- db_printable (lease -> client_hostname))
>- s = lease -> client_hostname;
>- else
>+ if (lease && lease -> client_hostname) {
>+ if ((strlen (lease -> client_hostname) <= 64) &&
>+ db_printable (lease -> client_hostname))
>+ s = lease -> client_hostname;
>+ else
>+ s = "Hostname Unsuitable for Printing";
>+ } else
> s = (char *)0;
>
>- sprintf (msgbuf, "DHCPDECLINE of %s from %s %s%s%svia %s",
>+ snprintf (msgbuf, sizeof msgbuf,
>+ "DHCPDECLINE of %s from %s %s%s%svia %s",
> piaddr (cip),
> (packet -> raw -> htype
> ? print_hw_addr (packet -> raw -> htype,
>@@ -947,7 +947,7 @@
> memcpy (cip.iabuf, &packet -> raw -> ciaddr, 4);
> }
>
>- sprintf (msgbuf, "DHCPINFORM from %s via %s",
>+ snprintf (msgbuf, sizeof msgbuf, "DHCPINFORM from %s via %s",
> piaddr (cip), packet -> interface -> name);
>
> /* If the IP source address is zero, don't respond. */
>@@ -2748,10 +2748,13 @@
> raw.hops = state -> hops;
> raw.op = BOOTREPLY;
>
>- if (lease -> client_hostname &&
>- db_printable (lease -> client_hostname))
>- s = lease -> client_hostname;
>- else
>+ if (lease -> client_hostname) {
>+ if ((strlen (lease -> client_hostname) <= 64) &&
>+ db_printable (lease -> client_hostname))
>+ s = lease -> client_hostname;
>+ else
>+ s = "Hostname Unsuitable for Printing";
>+ } else
> s = (char *)0;
>
> /* Say what we're doing... */
>diff -uNr dhcp-3.0.1rc13/server/failover.c dhcp-3.0.1/server/failover.c
>--- dhcp-3.0.1rc13/server/failover.c 2003-04-18 21:55:49.000000000 +0200
>+++ dhcp-3.0.1/server/failover.c 2004-06-15 18:15:59.000000000 +0200
>@@ -3408,13 +3399,7 @@
> char tbuf [256];
>
> va_start (va, fmt);
>-#if defined (HAVE_SNPRINTF)
>- /* Presumably if we have snprintf, we also have
>- vsnprintf. */
> vsnprintf (tbuf, sizeof tbuf, fmt, va);
>-#else
>- vsprintf (tbuf, fmt, va);
>-#endif
> va_end (va);
>
> return dhcp_failover_make_option (code, obuf, obufix, obufmax,
>@@ -3515,7 +3500,7 @@
> putUShort (&option.data [2], size - 4);
>
> #if defined (DEBUG_FAILOVER_MESSAGES)
>- sprintf (tbuf, " (%s<%d>", info -> name, option.count);
>+ snprintf (tbuf, sizeof tbuf, " (%s<%d>", info -> name, option.count);
> failover_print (obuf, obufix, obufmax, tbuf);
> #endif
>
>@@ -3586,7 +3571,7 @@
> case FT_TEXT_OR_BYTES:
> case FT_TEXT:
> #if defined (DEBUG_FAILOVER_MESSAGES)
>- sprintf (tbuf, "\"%s\"", txt);
>+ snprintf (tbuf, sizeof tbuf, "\"%s\"", txt);
> failover_print (obuf, obufix, obufmax, tbuf);
> #endif
> memcpy (&option.data [4], txt, count);
>@@ -4494,19 +4479,13 @@
> }
> if (new_binding_state != msg -> binding_status) {
> char outbuf [100];
>-#if !defined (NO_SNPRINTF)
>+
> snprintf (outbuf, sizeof outbuf,
> "%s: invalid state transition: %s to %s",
> piaddr (lease -> ip_addr),
> binding_state_print (lease -> binding_state),
> binding_state_print (msg -> binding_status));
>-#else
>- sprintf (outbuf,
>- "%s: invalid state transition: %s to %s",
>- piaddr (lease -> ip_addr),
>- binding_state_print (lease -> binding_state),
>- binding_state_print (msg -> binding_status));
>-#endif
>+
> dhcp_failover_send_bind_ack (state, msg,
> FTR_FATAL_CONFLICT,
> outbuf);
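Review bot: In the FT_TEXT branch at -3586 of server/failover.c the debug line formats `txt` with `%s`, which reads until a NUL byte, while the `memcpy (&option.data [4], txt, count)` just below copies exactly `count` bytes. If `txt` can be a counted buffer without a terminator, as the `FT_TEXT_OR_BYTES` label suggests but the hunk does not show, the write is now bounded and the read is not. Limiting the read to the same length, `snprintf (tbuf, sizeof tbuf, "\"%.*s\"", (int)count, txt);`, would tie both to `count`, whose type is declared outside the hunk. The `sizeof tbuf` bounds at -3515 and -3586 also depend on `tbuf` being an array in that function; only the -3408 hunk shows such a declaration (`char tbuf [256]`).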