Bugtraq mailing list archives

syslog()


From: maf () net ohio-state edu (Mark A. Fullmer)
Date: Tue, 29 Aug 1995 09:22:15 -0400


The syslog() problem is pretty severe since a lot more than just sendmail
is involved.


A few months ago my pager software would crash in strange ways; it turned out

    report (LOG_INFO,
        "%s: from=%s, size=%d, to=%s, status=%x, msg=%s",
        qfname, sender, entry->messagelen, recipient, entry->status, message);

was crashing inside report() -- report() is a little syslog/fprintf front
end I borrowed out of bootpd.

report() basically is

        static char buf[128];
        ...
        vsprintf(buf, fmt, ap);

no bounds checking...

Unfortunately syslog() is the same thing.  One snprintf() I found doesn't
actually use the 'n' for bounds checking...ugh.  Another implements it
like:

static char *rcsid = "snprintf.c,v 1.3 1993/08/26 00:47:24 jtc Exp";

        f._flags = __SWR | __SSTR;
        f._bf._base = f._p = (unsigned char *)str;
        f._bf._size = f._w = n - 1;
        ret = vfprintf(&f, fmt, ap);

This is stdio implementation specific code though.

As a quick workaround I ended up doing

report.c:
        static char buf[4096]; /* evil */

and

    report (LOG_INFO,
        "%.512s: from=%.512s, size=%d, to=%.512s, status=%x, msg=%.512s",
        qfname, sender, entry->messagelen, recipient, entry->status, message);

on all calls to report().  This still makes an assumption that buf is 4K
or so, which is not true on all systems.  Grabbing a bunch of syslog.c's
found by archie showed at least one that had a really small buffer.


Kinda makes you wonder if a really long domain name might just be able
to crash anything that uses syslog(LOG_WHATEVER, "hostname:%s", host)..

--
mark
maf+ () osu edu
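Added example, not code from Mark's post or from bootpd: a small C program that reproduces the shape of the report() front end described above (a 128-byte static buffer fed by an unbounded vsprintf) and the two defences the mail discusses, a bounded vsnprintf() and per-field precision caps like "%.512s". Rather than actually overflowing anything, it uses vsnprintf(NULL, 0, ...) to measure how many bytes the unbounded call would have written. The function names, the 1000-byte hostname and the buffer sizes are this example's own constructed choices, not taken from the post.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the original post. Names, the constructed
 * 1000-byte hostname and the buffer sizes are this example's own choices. */

#define REPORT_BUF 128            /* mirrors the original static char buf[128] */
#define LONG_HOST_LEN 1000        /* constructed oversized hostname */

static char report_buf[REPORT_BUF];

/* A constructed hostname far longer than the buffer, standing in for the
 * "really long domain name" the post worries about. */
const char *long_hostname(void)
{
    static char host[LONG_HOST_LEN + 1];
    if (host[0] == '\0') {
        memset(host, 'a', LONG_HOST_LEN);
        host[LONG_HOST_LEN] = '\0';
    }
    return host;
}

/* How many bytes the unbounded vsprintf(buf, fmt, ap) in the original
 * report() would write, not counting the NUL. Measured with
 * vsnprintf(NULL, 0, ...) (C99) so nothing actually overflows here;
 * any result >= REPORT_BUF would have smashed the 128-byte buffer. */
size_t report_would_write(const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    return n < 0 ? 0 : (size_t)n;
}

/* Hardened report(): same call shape, but bounded by vsnprintf(), and it
 * tells the caller whether the message was truncated, so over-long input
 * costs a clipped log line instead of a smashed buffer. Returns 1 if
 * truncated, 0 otherwise. */
int report_bounded(char *buf, size_t bufsize, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(buf, bufsize, fmt, ap);
    va_end(ap);
    return n < 0 || (size_t)n >= bufsize;
}

int main(void)
{
    /* Unbounded: "hostname:" (9 bytes) plus the 1000-byte name. */
    printf("unbounded vsprintf would write %zu bytes into a %d byte buffer\n",
           report_would_write("hostname:%s", long_hostname()), REPORT_BUF);

    /* The post's workaround: each %s capped by a precision, so the total
     * is bounded no matter what the libc's snprintf() does with 'n'. */
    printf("with %%.512s the same field is at most %zu bytes\n",
           report_would_write("%.512s", long_hostname()));

    /* Bounded call: truncates and says so instead of overflowing. */
    if (report_bounded(report_buf, sizeof report_buf, "hostname:%s",
                       long_hostname()))
        printf("bounded report truncated to %zu chars\n", strlen(report_buf));
    return 0;
}
```

The vsnprintf()-based version only helps on a libc whose snprintf() family actually honours n; the mail's point is that in 1995 some did not, which is exactly why the "%.512s" precision cap is the more portable defence: it bounds each field inside the format itself, independent of what the stdio implementation does with the length argument. A caller still has to size the buffer for the sum of the caps plus the literal text.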


