[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[or-cvs] bugfix: address that strcat vulnerability in circuit.c



Update of /home/or/cvsroot/src/or
In directory moria.mit.edu:/home2/arma/work/onion/cvs/src/or

Modified Files:
	circuit.c config.c dirserv.c routerlist.c 
Log Message:
bugfix: address that strcat vulnerability in circuit.c


Index: circuit.c
===================================================================
RCS file: /home/or/cvsroot/src/or/circuit.c,v
retrieving revision 1.150
retrieving revision 1.151
diff -u -d -r1.150 -r1.151
--- circuit.c	9 Mar 2004 22:01:16 -0000	1.150
+++ circuit.c	14 Mar 2004 22:47:10 -0000	1.151
@@ -790,29 +790,28 @@
 }
 
 void circuit_log_path(int severity, circuit_t *circ) {
-  static char b[1024];
+  char buf[1024];
+  char *s = buf;
   struct crypt_path_t *hop;
   char *states[] = {"closed", "waiting for keys", "open"};
   routerinfo_t *router;
   assert(circ->cpath);
 
-  sprintf(b,"circ (length %d, exit %s): ",
+  snprintf(s, sizeof(buf)-1, "circ (length %d, exit %s): ",
           circ->build_state->desired_path_len, circ->build_state->chosen_exit);
   hop=circ->cpath;
   do {
+    s = buf + strlen(buf);
     router = router_get_by_addr_port(hop->addr,hop->port);
     if(router) {
-      /* XXX strcat allows buffer overflow */
-      strcat(b,router->nickname);
-      strcat(b,"(");
-      strcat(b,states[hop->state]);
-      strcat(b,"),");
+      snprintf(s, sizeof(buf) - (s - buf), "%s(%s) ",
+               router->nickname, states[hop->state]);
     } else {
-      strcat(b,"UNKNOWN,");
+      snprintf(s, sizeof(buf) - (s - buf), "UNKNOWN ");
     }
     hop=hop->next;
   } while(hop!=circ->cpath);
-  log_fn(severity,"%s",b);
+  log_fn(severity,"%s",buf);
 }
 
 static void

Index: config.c
===================================================================
RCS file: /home/or/cvsroot/src/or/config.c,v
retrieving revision 1.94
retrieving revision 1.95
diff -u -d -r1.94 -r1.95
--- config.c	14 Mar 2004 18:12:59 -0000	1.94
+++ config.c	14 Mar 2004 22:47:11 -0000	1.95
@@ -345,7 +345,7 @@
          );
 }
 
-int resolve_my_address(or_options_t *options) {
+static int resolve_my_address(or_options_t *options) {
   struct in_addr in;
   struct hostent *rent;
   char localhostname[256];
@@ -377,7 +377,7 @@
   assert(rent->h_length == 4);
   memcpy(&in.s_addr, rent->h_addr,rent->h_length);
   if(is_internal_IP(in.s_addr)) {
-    log_fn(LOG_WARN,"Address '%s' resolves to '%s'. "
+    log_fn(LOG_WARN,"Address '%s' resolves to private IP '%s'. "
            "Please set the Address config option to be your public IP.",
            options->Address, inet_ntoa(in));
     return -1;

Index: dirserv.c
===================================================================
RCS file: /home/or/cvsroot/src/or/dirserv.c,v
retrieving revision 1.28
retrieving revision 1.29
diff -u -d -r1.28 -r1.29
--- dirserv.c	12 Mar 2004 12:43:13 -0000	1.28
+++ dirserv.c	14 Mar 2004 22:47:11 -0000	1.29
@@ -341,7 +341,7 @@
   for (i = 0; i<n; ++i) {
     if (i)
       strcat(cp, " ");
-    strcat(cp, nickname_lst[i]);
+    strcat(cp, nickname_lst[i]); /* can't overflow */
     while (*cp)
       ++cp;
   }

Index: routerlist.c
===================================================================
RCS file: /home/or/cvsroot/src/or/routerlist.c,v
retrieving revision 1.38
retrieving revision 1.39
diff -u -d -r1.38 -r1.39
--- routerlist.c	11 Mar 2004 06:22:53 -0000	1.38
+++ routerlist.c	14 Mar 2004 22:47:11 -0000	1.39
@@ -1064,7 +1064,7 @@
     strcpy(newe->string, "accept ");
     newe->policy_type = EXIT_POLICY_ACCEPT;
   }
-  strcat(newe->string, arg);
+  strcat(newe->string, arg); /* can't overflow */
 
   address = arg;
   mask = strchr(arg,'/');