Bugtraq mailing list archives
Re: Patch for 8lgm syslog/sendmail vulnerability, 4.4lite machines
From: gdonl () gv ssi1 com (Don Lewis)
Date: Wed, 30 Aug 1995 18:14:03 -0700
On Aug 30, 2:27am, Don Lewis wrote: } Subject: Re: Patch for 8lgm syslog/sendmail vulnerability, 4.4lite machine } On Aug 29, 10:09pm, Don Lewis wrote: } } Anyway, my submission is attached. It hasn't broken in the modest amount } of testing I've done on it. Well, I've run a across a few minor bugs, the %m stuff still looks like a wart. Here's the NetBSD specific version of my latest patch: *** ORIGsyslog.c Wed Aug 30 18:10:18 1995 --- syslog.c Wed Aug 30 18:09:49 1995 *************** *** 51,56 **** --- 51,57 ---- #include <fcntl.h> #include <paths.h> #include <stdio.h> + #include <stdlib.h> #include <string.h> #include <time.h> #include <unistd.h> *************** *** 69,74 **** --- 70,78 ---- static int LogMask = 0xff; /* mask of priorities to be logged */ extern char *__progname; /* Program name, from crt0. */ + #define TBUF_LEN 2048 + #define FMT_LEN 1024 + /* * syslog, vsyslog -- * print message on log file; output is intended for syslogd(8). *************** *** 100,110 **** register const char *fmt; va_list ap; { register int cnt; register char ch, *p, *t; time_t now; ! int fd, saved_errno; ! char *stdp, tbuf[2048], fmt_cpy[1024]; #define INTERNALLOG LOG_ERR|LOG_CONS|LOG_PERROR|LOG_PID /* Check for invalid bits. */ --- 104,117 ---- register const char *fmt; va_list ap; { + FILE f; register int cnt; register char ch, *p, *t; + register const char *cp; time_t now; ! int fd, saved_errno, m, n, fleft; ! wchar_t wc; ! char *stdp, tbuf[TBUF_LEN], fmt_cpy[FMT_LEN], dbuf[128]; #define INTERNALLOG LOG_ERR|LOG_CONS|LOG_PERROR|LOG_PID /* Check for invalid bits. */ *************** *** 120,125 **** --- 127,137 ---- saved_errno = errno; + f._flags = __SWR | __SSTR; + f._bf._base = f._p = (unsigned char *)tbuf; + /* -2 to allow for trailing "\r\n" if LOG_CONS is set */ + f._bf._size = f._w = TBUF_LEN - 2; + /* Set default facility if none specified. */ if ((pri & LOG_FACMASK) == 0) pri |= LogFacility; *************** *** 126,158 **** /* Build the message. */ (void)time(&now); ! p = tbuf + sprintf(tbuf, "<%d>", pri); ! p += strftime(p, sizeof (tbuf) - (p - tbuf), "%h %e %T ", ! localtime(&now)); ! if (LogStat & LOG_PERROR) ! stdp = p; if (LogTag == NULL) LogTag = __progname; if (LogTag != NULL) ! p += sprintf(p, "%s", LogTag); if (LogStat & LOG_PID) ! p += sprintf(p, "[%d]", getpid()); if (LogTag != NULL) { ! *p++ = ':'; ! *p++ = ' '; } /* Substitute error message for %m. */ ! for (t = fmt_cpy; ch = *fmt; ++fmt) ! if (ch == '%' && fmt[1] == 'm') { ! ++fmt; ! t += sprintf(t, "%s", strerror(saved_errno)); ! } else ! *t++ = ch; *t = '\0'; ! p += vsprintf(p, fmt_cpy, ap); ! cnt = p - tbuf; /* Output to stderr if requested. */ if (LogStat & LOG_PERROR) { --- 138,207 ---- /* Build the message. */ (void)time(&now); ! strftime(dbuf, sizeof(dbuf) - 1, "%h %e %T ", localtime(&now)); ! fprintf(&f, "<%d>%s", pri, dbuf); ! if (LogStat & (LOG_PERROR | LOG_CONS)) ! stdp = strchr(tbuf, '>') + 1; if (LogTag == NULL) LogTag = __progname; if (LogTag != NULL) ! fprintf(&f, "%s", LogTag); if (LogStat & LOG_PID) ! fprintf(&f, "[%d]", getpid()); if (LogTag != NULL) { ! putc(':', &f); ! putc(' ', &f); } /* Substitute error message for %m. */ ! for (t = fmt_cpy, fleft = FMT_LEN - 1; fleft > 0;) { ! cp = fmt; ! /* lifted from vfprintf.c */ ! while ((n = mbtowc(&wc, fmt, MB_CUR_MAX)) > 0) { ! fmt += n; ! if (wc == '%') { ! fmt--; ! break; ! } ! } ! if ((m = fmt - cp) != 0) { ! if (m > fleft) ! m = fleft; ! memcpy(t, cp, m); ! fleft -= m; ! t += m; ! } ! if (n <= 0) ! break; ! fmt++; /* skip over '%' */ ! ! ch = *fmt++; ! if (ch == 'm') { ! cp = strerror(saved_errno); /* better not contain % */ ! m = strlen(cp); ! if (m > fleft) ! m = fleft; ! memcpy(t, cp, m); ! fleft -= m; ! t += m; ! } else { ! if (fleft > 0) { ! *t++ = '%'; ! fleft--; ! } ! if (ch != '\0') { ! if (fleft > 0) { ! *t++ = ch; ! fleft--; ! } ! } ! } ! } *t = '\0'; ! vfprintf(&f, fmt_cpy, ap); ! *f._p = '\0'; ! cnt = f._p - f._bf._base; /* Output to stderr if requested. */ if (LogStat & LOG_PERROR) { *************** *** 182,189 **** (fd = open(_PATH_CONSOLE, O_WRONLY, 0)) >= 0) { (void)strcat(tbuf, "\r\n"); cnt += 2; ! p = strchr(tbuf, '>') + 1; ! (void)write(fd, p, cnt - (p - tbuf)); (void)close(fd); } } --- 231,237 ---- (fd = open(_PATH_CONSOLE, O_WRONLY, 0)) >= 0) { (void)strcat(tbuf, "\r\n"); cnt += 2; ! (void)write(fd, stdp, cnt - (stdp - tbuf)); (void)close(fd); } } --- Truck
Current thread:
- Re: Patch for 8lgm syslog/sendmail vulnerability, 4.4lite machines Don Lewis (Aug 30)