[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[or-cvs] bugfix: address that strcat vulnerability in circuit.c
Update of /home/or/cvsroot/src/or
In directory moria.mit.edu:/home2/arma/work/onion/cvs/src/or
Modified Files:
circuit.c config.c dirserv.c routerlist.c
Log Message:
bugfix: address that strcat vulnerability in circuit.c
Index: circuit.c
===================================================================
RCS file: /home/or/cvsroot/src/or/circuit.c,v
retrieving revision 1.150
retrieving revision 1.151
diff -u -d -r1.150 -r1.151
--- circuit.c 9 Mar 2004 22:01:16 -0000 1.150
+++ circuit.c 14 Mar 2004 22:47:10 -0000 1.151
@@ -790,29 +790,28 @@
}
void circuit_log_path(int severity, circuit_t *circ) {
- static char b[1024];
+ char buf[1024];
+ char *s = buf;
struct crypt_path_t *hop;
char *states[] = {"closed", "waiting for keys", "open"};
routerinfo_t *router;
assert(circ->cpath);
- sprintf(b,"circ (length %d, exit %s): ",
+ snprintf(s, sizeof(buf)-1, "circ (length %d, exit %s): ",
circ->build_state->desired_path_len, circ->build_state->chosen_exit);
hop=circ->cpath;
do {
+ s = buf + strlen(buf);
router = router_get_by_addr_port(hop->addr,hop->port);
if(router) {
- /* XXX strcat allows buffer overflow */
- strcat(b,router->nickname);
- strcat(b,"(");
- strcat(b,states[hop->state]);
- strcat(b,"),");
+ snprintf(s, sizeof(buf) - (s - buf), "%s(%s) ",
+ router->nickname, states[hop->state]);
} else {
- strcat(b,"UNKNOWN,");
+ snprintf(s, sizeof(buf) - (s - buf), "UNKNOWN ");
}
hop=hop->next;
} while(hop!=circ->cpath);
- log_fn(severity,"%s",b);
+ log_fn(severity,"%s",buf);
}
static void
Index: config.c
===================================================================
RCS file: /home/or/cvsroot/src/or/config.c,v
retrieving revision 1.94
retrieving revision 1.95
diff -u -d -r1.94 -r1.95
--- config.c 14 Mar 2004 18:12:59 -0000 1.94
+++ config.c 14 Mar 2004 22:47:11 -0000 1.95
@@ -345,7 +345,7 @@
);
}
-int resolve_my_address(or_options_t *options) {
+static int resolve_my_address(or_options_t *options) {
struct in_addr in;
struct hostent *rent;
char localhostname[256];
@@ -377,7 +377,7 @@
assert(rent->h_length == 4);
memcpy(&in.s_addr, rent->h_addr,rent->h_length);
if(is_internal_IP(in.s_addr)) {
- log_fn(LOG_WARN,"Address '%s' resolves to '%s'. "
+ log_fn(LOG_WARN,"Address '%s' resolves to private IP '%s'. "
"Please set the Address config option to be your public IP.",
options->Address, inet_ntoa(in));
return -1;
Index: dirserv.c
===================================================================
RCS file: /home/or/cvsroot/src/or/dirserv.c,v
retrieving revision 1.28
retrieving revision 1.29
diff -u -d -r1.28 -r1.29
--- dirserv.c 12 Mar 2004 12:43:13 -0000 1.28
+++ dirserv.c 14 Mar 2004 22:47:11 -0000 1.29
@@ -341,7 +341,7 @@
for (i = 0; i<n; ++i) {
if (i)
strcat(cp, " ");
- strcat(cp, nickname_lst[i]);
+ strcat(cp, nickname_lst[i]); /* can't overflow */
while (*cp)
++cp;
}
Index: routerlist.c
===================================================================
RCS file: /home/or/cvsroot/src/or/routerlist.c,v
retrieving revision 1.38
retrieving revision 1.39
diff -u -d -r1.38 -r1.39
--- routerlist.c 11 Mar 2004 06:22:53 -0000 1.38
+++ routerlist.c 14 Mar 2004 22:47:11 -0000 1.39
@@ -1064,7 +1064,7 @@
strcpy(newe->string, "accept ");
newe->policy_type = EXIT_POLICY_ACCEPT;
}
- strcat(newe->string, arg);
+ strcat(newe->string, arg); /* can't overflow */
address = arg;
mask = strchr(arg,'/');