diff options
author | obrien <obrien@FreeBSD.org> | 2000-08-29 00:49:08 +0000 |
---|---|---|
committer | obrien <obrien@FreeBSD.org> | 2000-08-29 00:49:08 +0000 |
commit | a7b7484cd2ac61a33ae66c970bd1a508307d3b4f (patch) | |
tree | c9565e000b041bac439f0498ffeaa4f98ccdcee3 /net/mopd/files | |
parent | ecd41e3a9b4fbda0fae253f65337a966abd98001 (diff) | |
download | FreeBSD-ports-a7b7484cd2ac61a33ae66c970bd1a508307d3b4f.zip FreeBSD-ports-a7b7484cd2ac61a33ae66c970bd1a508307d3b4f.tar.gz |
String paranoia and security fixes from OpenBSD: prevent a remote buffer
overflow and remote syslog() exploits.
Obtained from: OpenBSD
Diffstat (limited to 'net/mopd/files')
-rw-r--r-- | net/mopd/files/patch-device.c | 38 | ||||
-rw-r--r-- | net/mopd/files/patch-pf-snit.c | 22 | ||||
-rw-r--r-- | net/mopd/files/patch-pf.c | 22 | ||||
-rw-r--r-- | net/mopd/files/patch-process.c | 81 |
4 files changed, 163 insertions, 0 deletions
diff --git a/net/mopd/files/patch-device.c b/net/mopd/files/patch-device.c new file mode 100644 index 0000000..e6ffd6c --- /dev/null +++ b/net/mopd/files/patch-device.c @@ -0,0 +1,38 @@ +--- common/device.c 1996/09/21 13:49:16 1.1 ++++ common/device.c 2000/02/20 17:45:33 1.4 +@@ -111,7 +113,8 @@ + { + struct if_info *p, tmp; + +- strcpy(tmp.if_name,ifname); ++ strncpy(tmp.if_name,ifname,sizeof(tmp.if_name) - 1); ++ tmp.if_name[sizeof(tmp.if_name) - 1] = 0; + tmp.iopen = pfInit; + + switch (proto) { +@@ -138,7 +141,8 @@ + p->next = iflist; + iflist = p; + +- strcpy(p->if_name,tmp.if_name); ++ strncpy(p->if_name,tmp.if_name, IFNAME_SIZE -1); ++ p->if_name[IFNAME_SIZE -1] = 0; + p->iopen = tmp.iopen; + p->write = pfWrite; + p->read = tmp.read; +@@ -185,12 +199,12 @@ + if ((strlen(dev) == 2) && + (dev[0] == 'e') && + ((dev[1] == 'n') || (dev[1] == 't'))) { +- sprintf(interface,"ent%d\0",unit); ++ snprintf(interface,sizeof(interface),"ent%d\0",unit); + } else { +- sprintf(interface,"%s%d\0",dev,unit); ++ snprintf(interface,sizeof(interface),"%s%d\0",dev,unit); + } + #else +- sprintf(interface,"%s",ifname); ++ snprintf(interface,sizeof(interface),"%s",ifname); + #endif /* _AIX */ + + /* Ok, init it just once */ diff --git a/net/mopd/files/patch-pf-snit.c b/net/mopd/files/patch-pf-snit.c new file mode 100644 index 0000000..b2b329f --- /dev/null +++ b/net/mopd/files/patch-pf-snit.c @@ -0,0 +1,22 @@ +--- otherOS/pf-snit.c 1996/09/21 19:12:50 1.2 ++++ otherOS/pf-snit.c 2000/02/20 17:45:34 1.3 +@@ -239,7 +239,8 @@ + struct ifreq ifr; + int fd; + +- strcpy(ifr.ifr_name, interface); ++ strncpy(ifr.ifr_name, interface, sizeof (ifr.ifr_name) -1); ++ ifr.ifr_name[sizeof(ifr.ifr_name) - 1] = 0; + + ifr.ifr_addr.sa_family = AF_UNSPEC; + bcopy(addr, ifr.ifr_addr.sa_data, 6); +@@ -274,7 +275,8 @@ + struct ifreq ifr; + int fd; + +- strcpy(ifr.ifr_name, interface); ++ strncpy(ifr.ifr_name, interface, sizeof (ifr.ifr_name) -1); ++ ifr.ifr_name[sizeof(ifr.ifr_name) - 1] = 0; + + ifr.ifr_addr.sa_family = AF_UNSPEC; + bcopy(addr, ifr.ifr_addr.sa_data, 6); diff --git a/net/mopd/files/patch-pf.c b/net/mopd/files/patch-pf.c new file mode 100644 index 0000000..c3efafb --- /dev/null +++ b/net/mopd/files/patch-pf.c @@ -0,0 +1,22 @@ +--- common/pf.c 1997/08/18 03:11:31 1.3 ++++ common/pf.c 2000/02/20 17:45:33 1.4 +@@ -176,7 +176,8 @@ + struct ifreq ifr; + int fd; + +- strcpy(ifr.ifr_name, interface); ++ strncpy(ifr.ifr_name, interface,sizeof(ifr.ifr_name) - 1); ++ ifr.ifr_name[sizeof(ifr.ifr_name) - 1] = 0; + + ifr.ifr_addr.sa_family = AF_UNSPEC; + bcopy(addr, ifr.ifr_addr.sa_data, 6); +@@ -211,7 +212,8 @@ + struct ifreq ifr; + int fd; + +- strcpy(ifr.ifr_name, interface); ++ strncpy(ifr.ifr_name, interface, sizeof (ifr.ifr_name) - 1); ++ ifr.ifr_name[sizeof(ifr.ifr_name) - 1] = 0; + + ifr.ifr_addr.sa_family = AF_UNSPEC; + bcopy(addr, ifr.ifr_addr.sa_data, 6); diff --git a/net/mopd/files/patch-process.c b/net/mopd/files/patch-process.c new file mode 100644 index 0000000..c173382 --- /dev/null +++ b/net/mopd/files/patch-process.c @@ -0,0 +1,81 @@ +--- mopd/process.c 1996/09/21 19:12:26 1.2 ++++ mopd/process.c 2000/07/04 23:46:23 1.8 +@@ -267,7 +267,7 @@ + dllist[slot].a_lseek = 0; + + dllist[slot].count = 0; +- if (dllist[slot].dl_bsz >= 1492) ++ if ((dllist[slot].dl_bsz >= 1492) || (dllist[slot].dl_bsz == 0)) + dllist[slot].dl_bsz = 1492; + if (dllist[slot].dl_bsz == 1030) /* VS/uVAX 2000 needs this */ + dllist[slot].dl_bsz = 1000; +@@ -350,10 +350,10 @@ + close(dllist[slot].ldfd); + dllist[slot].ldfd = 0; + dllist[slot].status = DL_STATUS_FREE; +- sprintf(line, ++ snprintf(line,sizeof(line), + "%x:%x:%x:%x:%x:%x Load completed", + dst[0],dst[1],dst[2],dst[3],dst[4],dst[5]); +- syslog(LOG_INFO, line); ++ syslog(LOG_INFO, "%s", line); + return; + } + +@@ -438,7 +438,7 @@ + { + u_char tmpc; + u_short moplen; +- u_char pfile[17], mopcode; ++ u_char pfile[129], mopcode; + char filename[FILENAME_MAX]; + char line[100]; + int i,nfd,iindex; +@@ -487,6 +487,8 @@ + rpr_pgty = mopGetChar(pkt,index); /* Program Type */ + + tmpc = mopGetChar(pkt,index); /* Software ID Len */ ++ if (tmpc > sizeof(pfile) - 1) ++ return; + for (i = 0; i < tmpc; i++) { + pfile[i] = mopGetChar(pkt,index); + pfile[i+1] = '\0'; +@@ -513,31 +515,32 @@ + bcopy((char *)src, (char *)(dl_rpr->eaddr), 6); + mopProcessInfo(pkt,index,moplen,dl_rpr,trans); + +- sprintf(filename,"%s/%s.SYS", MOP_FILE_PATH, pfile); ++ snprintf(filename,sizeof(filename), ++ "%s/%s.SYS", MOP_FILE_PATH, pfile); + if ((mopCmpEAddr(dst,dl_mcst) == 0)) { + if ((nfd = open(filename, O_RDONLY, 0)) != -1) { + close(nfd); + mopSendASV(src, ii->eaddr, ii, trans); +- sprintf(line, ++ snprintf(line,sizeof(line), + "%x:%x:%x:%x:%x:%x (%d) Do you have %s? (Yes)", + src[0],src[1],src[2], + src[3],src[4],src[5],trans,pfile); + } else { +- sprintf(line, ++ snprintf(line,sizeof(line), + "%x:%x:%x:%x:%x:%x (%d) Do you have %s? (No)", + src[0],src[1],src[2], + src[3],src[4],src[5],trans,pfile); + } +- syslog(LOG_INFO, line); ++ syslog(LOG_INFO, "%s", line); + } else { + if ((mopCmpEAddr(dst,ii->eaddr) == 0)) { + dl_rpr->ldfd = open(filename, O_RDONLY, 0); + mopStartLoad(src, ii->eaddr, dl_rpr, trans); +- sprintf(line, ++ snprintf(line,sizeof(line), + "%x:%x:%x:%x:%x:%x Send me %s", + src[0],src[1],src[2], + src[3],src[4],src[5],pfile); +- syslog(LOG_INFO, line); ++ syslog(LOG_INFO, "%s", line); + } + } + |