From owner-freebsd-audit Sun Sep 30 23:58:57 2001
Delivered-To: freebsd-audit@freebsd.org
Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65]) by hub.freebsd.org (Postfix) with ESMTP id BE95837B40D; Sun, 30 Sep 2001 23:58:44 -0700 (PDT)
Received: (from ru@localhost) by whale.sunbay.crimea.ua (8.11.6/8.11.2) id f916wUx91922; Mon, 1 Oct 2001 09:58:30 +0300 (EEST) (envelope-from ru)
Date: Mon, 1 Oct 2001 09:58:30 +0300
From: Ruslan Ermilov
To: Mike Barcroft
Cc: "Sergey A. Osokin" , audit@FreeBSD.ORG
Subject: Re: iostat(8) WARNS=2 cleanup
Message-ID: <20011001095830.B91045@sunbay.com>
References: <20010927225814.A46080@freebsd.org.ru> <20010928124147.E12254@coffee.q9media.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010928124147.E12254@coffee.q9media.com>; from mike@FreeBSD.ORG on Fri, Sep 28, 2001 at 12:41:47PM -0400
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Fri, Sep 28, 2001 at 12:41:47PM -0400, Mike Barcroft wrote:
> Ruslan identified all of the problems, except this one:
>
> Sergey A. Osokin writes:
> > diff -ruN iostat.orig/Makefile iostat/Makefile
> > --- iostat.orig/Makefile	Mon Sep 24 13:20:34 2001
> > +++ iostat/Makefile	Mon Sep 24 12:58:56 2001
> > @@ -8,4 +8,6 @@ > > LDADD= -lkvm -ldevstat -lm > > MAN= iostat.8 > > > > +WARNS?= 2 > > + > > .include
>
> WARNS?= belongs directly below PROG= in this case.
>
That's because with my comments applied the WARNS part shouldn't be
committed at all.

Cheers,
--
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-audit" in the body of the message

From owner-freebsd-audit Mon Oct 1 4:34: 8 2001
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id D9CF037B401; Mon, 1 Oct 2001 04:27:15 -0700 (PDT)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id NAA35078; Mon, 1 Oct 2001 13:27:14 +0200 (CEST) (envelope-from des@ofug.org)
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated.
To: audit@FreeBSD.org
Cc: Robert Watson , Jordan Hubbard , Kris Kennaway
Subject: Re: cvs commit: src/sys/fs/pseudofs pseudofs.c pseudofs.h pseudofs_vnops.c
References: <20010930203751.A52548@xor.obsecurity.org>
From: Dag-Erling Smorgrav
Date: 01 Oct 2001 13:27:13 +0200
In-Reply-To: <20010930203751.A52548@xor.obsecurity.org>
Message-ID:
Lines: 44
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Kris Kennaway writes:
> [...] If your
> changes bring about increased code transparency and simplicity, then
> it will probably result in a net security improvement, but any change
> to procfs has the potential to bring with it security vulnerabilities;
> hence the request for a code audit.

Well, pseudofs is in the tree, and linprocfs is using it, so audit
away. I don't think there will be any more earth-shattering commits to
pseudofs; all of the infrastructure I need to finish converting procfs
is now in place, so from now on it'll be bug fixes and performance
improvements (e.g. in the vnode cache).

One API change I may still make is the way process-dependent nodes are
defined. You can currently only have process-dependent directories,
but it may make sense in some applications to have process-dependent
files or symlinks that are not contained in a procdir. It's not a
major change, and should only affect pfs_lookup() and pfs_readdir().

I think pseudofs has all the p_canxxx() calls it needs, though it's
hard to tell as there's no documentation for p_canxxx(). There are
some edge cases where one might want to add checks, but they're only
reachable through application bugs (such as adding a process-dependent
and forgetting to mark it as such - its visibility callback won't get
called because pseudofs doesn't have a target process to check
against). If there are any serious privilege checks missing, they're
special-case checks that belong in the application code (linprocfs,
procfs) and not in pseudofs itself.
I've verified empirically that jailed processes only see procfs nodes
for processes within the same jail, and that file descriptors are
revoked as they should when the process they're associated with dies.
I'm also quite certain pseudofs is not vulnerable to the kind of
attacks described in SA-00:55 and SA-01:77. I'd welcome any proof to
the contrary.

I'll submit patches for the procfs conversion to -audit when I'm done,
but unless Kris or Robert is willing to do the job, I doubt anyone will
bother reviewing them, and I'm not going to sit and wait forever.

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-audit Mon Oct 1 22:17:28 2001
Received: from beppo.feral.com (beppo.feral.com [192.67.166.79]) by hub.freebsd.org (Postfix) with ESMTP id E9DDC37B40B; Mon, 1 Oct 2001 22:17:25 -0700 (PDT)
Received: from mailhost.feral.com (mjacob@mailhost.feral.com [192.67.166.1]) by beppo.feral.com (8.11.3/8.11.3) with ESMTP id f925HPH88664; Mon, 1 Oct 2001 22:17:25 -0700 (PDT) (envelope-from mjacob@feral.com)
Date: Mon, 1 Oct 2001 22:17:25 -0700 (PDT)
From: Matthew Jacob
X-Sender: mjacob@beppo
Reply-To: mjacob@feral.com
To: audit@freebsd.org
Cc: dillon@freebsd.org
Subject: review of Tor Egge's changes (PR 29194)
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

The changes that Tor Egge proposes to fix 29194 look pretty reasonable
to me- can anyone see a reason to *not* check them in?

-matt

From owner-freebsd-audit Tue Oct 2 10:54:57 2001
Received: from earth.backplane.com (earth-nat-cw.backplane.com [208.161.114.67]) by hub.freebsd.org (Postfix) with ESMTP id AFAFF37B409 for ; Tue, 2 Oct 2001 10:54:54 -0700 (PDT)
Received: (from dillon@localhost) by earth.backplane.com (8.11.6/8.11.2) id f92HsJa58805; Tue, 2 Oct 2001 10:54:19 -0700 (PDT) (envelope-from dillon)
Date: Tue, 2 Oct 2001 10:54:19 -0700 (PDT)
From: Matt Dillon
Message-Id: <200110021754.f92HsJa58805@earth.backplane.com>
To: Matthew Jacob , Tor.Egge@fast.no
Cc: audit@FreeBSD.ORG
Subject: Re: review of Tor Egge's changes (PR 29194)
References:

:
:
:The changes that Tor Egge proposes to fix 29194
:look pretty reasonable to me- can anyone see
:a reason to *not* check them in?
:
:-matt

    Oh man, this fell through the cracks!  Tor sent me an email on this
    one months ago.  Let's see... yes, b_data can be unaligned.  It
    should go in.  Sorry about that Tor!

					-Matt

From owner-freebsd-audit Wed Oct 3 22:13:33 2001
Received: from falcon.mail.pas.earthlink.net (falcon.mail.pas.earthlink.net [207.217.120.74]) by hub.freebsd.org (Postfix) with ESMTP id B532A37B408 for ; Wed, 3 Oct 2001 22:13:23 -0700 (PDT)
Received: from blossom.cjclark.org (dialup-209.247.140.64.Dial1.SanJose1.Level3.net [209.247.140.64]) by falcon.mail.pas.earthlink.net (8.11.5/8.9.3) with ESMTP id f945DC603743 for ; Wed, 3 Oct 2001 22:13:13 -0700 (PDT)
Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.3) id f945DBZ13360 for freebsd-audit@freebsd.org; Wed, 3 Oct 2001 22:13:11 -0700 (PDT) (envelope-from cjc)
Date: Wed, 3 Oct 2001 22:13:10 -0700
From: "Crist J. Clark"
To: freebsd-audit@freebsd.org
Subject: dmesg.boot Gets Overwritten without Reboot
Message-ID: <20011003221310.Q8391@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i

This is a potential fix for bin/24592. The problem is that the file
/var/run/dmesg.boot is overwritten unconditionally in /etc/rc. This
occurs whether we are really freshly booting the kernel or coming up
from single-user mode. I do not believe that the dmesg.boot file should
be overwritten if we are coming up from single-user mode. There is a
very good chance the boot messages have fallen out of the dmesg(8)
buffer by now and we are overwriting the file with whatever happens to
be in the buffer. This is not what we want to have in the dmesg.boot
file.

The basic fix for this is to only write dmesg(8) to the
/var/run/dmesg.boot file if we are in an "autoboot." However, there is
some ugliness in actually getting this done since we have to
temporarily store dmesg.boot elsewhere when /var/run is purged.

There is one basic problem with this approach. If we freshly boot the
system and go to single-user before going to multi-user mode, we will
not get a new dmesg.boot. When coming from single-user mode to
multi-user mode, I do not know of a way to tell how we got into that
single-user mode whether from a fresh boot or down from multi-user. But
I would rather miss saving the dmesg(8) in this case rather than
overwrite it with gibberish in the second. Others may disagree.

Any comments on the patch or the concept?
Index: rc
===================================================================
RCS file: /export/ncvs/src/etc/rc,v
retrieving revision 1.283
diff -u -r1.283 rc
--- rc	2001/10/02 12:00:39	1.283
+++ rc	2001/10/04 05:07:44
@@ -339,10 +339,19 @@ clean_var() { if [ ! -f /var/run/clean_var ]; then + # We may wish to save the boot messages + if [ -f /var/run/dmesg.boot ]; then + mv -f /var/run/dmesg.boot /tmp/dmesg.boot + fi purgedir /var/run /var/spool/lock rm -rf /var/spool/uucp/.Temp/* # Keep a copy of the boot messages around - dmesg >/var/run/dmesg.boot + if [ X"$bootmode" = X"autoboot" -o ! -f /tmp/dmesg.boot ]; then + dmesg >/var/run/dmesg.boot + else + mv -f /tmp/dmesg.boot /var/run/dmesg.boot + rm -f /tmp/dmesg.boot + fi # And an initial utmp file (cd /var/run && cp /dev/null utmp && chmod 644 utmp;) >/var/run/clean_var
--
Crist J. Clark                     cjclark@alum.mit.edu
                                   cjclark@jhu.edu
                                   cjc@freebsd.org

From owner-freebsd-audit Thu Oct 4 2:17:51 2001
Received: from ringworld.nanolink.com (straylight.ringlet.net [217.75.134.254]) by hub.freebsd.org (Postfix) with SMTP id 95C1937B403 for ; Thu, 4 Oct 2001 02:17:36 -0700 (PDT)
Received: (qmail 7829 invoked by uid 1000); 4 Oct 2001 09:16:40 -0000
Date: Thu, 4 Oct 2001 12:16:40 +0300
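Review bot: the stash `mv -f /var/run/dmesg.boot /tmp/dmesg.boot` parks the only copy of the boot messages in the world-writable /tmp between the purge and the restore, a directory other rc steps may clear; a root-only directory that survives `purgedir /var/run`, or a mktemp(1)-created path, would be a safer holding place. The restore branch `mv -f /tmp/dmesg.boot /var/run/dmesg.boot` is also taken without any check of the stashed file's age, so once a dmesg.boot exists it is carried forward through every later boot that does not arrive via autoboot; comparing the file's mtime against kern.boottime before restoring it would let a fresh boot that stopped in single-user mode regenerate the file instead.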
From: Peter Pentchev
To: freebsd-net@FreeBSD.org
Cc: freebsd-audit@FreeBSD.org
Subject: [CFR] whois(1) out-of-bound access patch
Message-ID: <20011004121640.C1959@ringworld.oblivion.bg>
Mail-Followup-To: freebsd-net@FreeBSD.org, freebsd-audit@FreeBSD.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i

Hi,

As described in PR bin/30968, whois(1) may access invalid data when
the whois server returns a non-newline-terminated string.
While it is true that the whois server maintainers should do a better
job of following standards and such, still the 'be liberal in what
you accept' mindset might be applied in this case, to fix what is
ultimately a subtle fgetln(3) use bug :)

Any harm in committing the attached patch? And this - or something
like this - should be done soon; all FreeBSD whois clients currently
display weird behavior when querying .biz domains :\

G'luck,
Peter

--
because I didn't think of a good beginning of it.

Index: src/usr.bin/whois/whois.c
===================================================================
RCS file: /home/ncvs/src/usr.bin/whois/whois.c,v
retrieving revision 1.24
diff -u -r1.24 whois.c
--- src/usr.bin/whois/whois.c	2001/08/05 19:37:12	1.24
+++ src/usr.bin/whois/whois.c	2001/10/04 14:03:33
@@ -51,6 +51,7 @@ #include #include #include +#include #include #include #include
@@ -251,7 +252,7 @@ { FILE *sfi, *sfo; struct addrinfo *res2; - char *buf, *nhost, *p; + char *abuf, *buf, *nhost, *p; int i, nomatch, s; size_t len;
@@ -275,6 +276,16 @@ nhost = NULL; nomatch = 0; while ((buf = fgetln(sfi, &len)) != NULL) { + abuf = NULL; + if ((len == 0) || !isspace(buf[len - 1])) { + abuf = calloc(1, len + 1); + if (abuf == NULL) { + errno = ENOMEM; + err(1, "reallocating"); + } + memcpy(abuf, buf, len); + buf = abuf; + } while (len && isspace(buf[len - 1])) buf[--len] = '\0';
@@ -304,6 +315,7 @@ nomatch = 1; } printf("%s\n", buf); + free(abuf); } /* Do second lookup as needed. */

From owner-freebsd-audit Thu Oct 4 2:28:27 2001
Received: from nagual.pp.ru (pobrecita.freebsd.ru [194.87.13.42]) by hub.freebsd.org (Postfix) with ESMTP id E27BF37B406; Thu, 4 Oct 2001 02:28:21 -0700 (PDT)
Received: (from ache@localhost) by nagual.pp.ru (8.11.6/8.11.6) id f949S4165066; Thu, 4 Oct 2001 13:28:05 +0400 (MSD) (envelope-from ache)
Date: Thu, 4 Oct 2001 13:28:02 +0400
From: "Andrey A. Chernov"
To: Peter Pentchev
Cc: freebsd-net@FreeBSD.ORG, freebsd-audit@FreeBSD.ORG
Subject: Re: [CFR] whois(1) out-of-bound access patch
Message-ID: <20011004132801.A64960@nagual.pp.ru>
References: <20011004121640.C1959@ringworld.oblivion.bg>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20011004121640.C1959@ringworld.oblivion.bg>
User-Agent: Mutt/1.3.21i

On Thu, Oct 04, 2001 at 12:16:40 +0300, Peter Pentchev wrote:
> + if ((len == 0) || !isspace(buf[len - 1])) {

Must be isspace((unsigned char)....)

--
Andrey A. Chernov
http://ache.pp.ru/

From owner-freebsd-audit Thu Oct 4 2:30:53 2001
Received: from nagual.pp.ru (pobrecita.freebsd.ru [194.87.13.42]) by hub.freebsd.org (Postfix) with ESMTP id 9B00C37B401; Thu, 4 Oct 2001 02:30:48 -0700 (PDT)
Received: (from ache@localhost) by nagual.pp.ru (8.11.6/8.11.6) id f949UiG65117; Thu, 4 Oct 2001 13:30:44 +0400 (MSD) (envelope-from ache)
Date: Thu, 4 Oct 2001 13:30:42 +0400
From: "Andrey A. Chernov"
To: Peter Pentchev
Cc: freebsd-net@FreeBSD.ORG, freebsd-audit@FreeBSD.ORG
Subject: Re: [CFR] whois(1) out-of-bound access patch
Message-ID: <20011004133041.B64960@nagual.pp.ru>
References: <20011004121640.C1959@ringworld.oblivion.bg>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20011004121640.C1959@ringworld.oblivion.bg>
User-Agent: Mutt/1.3.21i

On Thu, Oct 04, 2001 at 12:16:40 +0300, Peter Pentchev wrote:
> + abuf = calloc(1, len + 1);
> + if (abuf == NULL) {
> + errno = ENOMEM;
> + err(1, "reallocating");
> + }

To overwrite errno set by calloc() is wrong.

--
Andrey A. Chernov
http://ache.pp.ru/

From owner-freebsd-audit Thu Oct 4 2:44:15 2001
Received: from ringworld.nanolink.com (straylight.ringlet.net [217.75.134.254]) by hub.freebsd.org (Postfix) with SMTP id BB28D37B406 for ; Thu, 4 Oct 2001 02:44:04 -0700 (PDT)
Received: (qmail 8110 invoked by uid 1000); 4 Oct 2001 09:43:07 -0000
Date: Thu, 4 Oct 2001 12:43:07 +0300
From: Peter Pentchev
To: "Andrey A. Chernov"
Cc: freebsd-net@FreeBSD.ORG, freebsd-audit@FreeBSD.ORG
Subject: Re: [CFR] whois(1) out-of-bound access patch
Message-ID: <20011004124307.D1959@ringworld.oblivion.bg>
Mail-Followup-To: "Andrey A. Chernov" , freebsd-net@FreeBSD.ORG, freebsd-audit@FreeBSD.ORG
References: <20011004121640.C1959@ringworld.oblivion.bg> <20011004133041.B64960@nagual.pp.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20011004133041.B64960@nagual.pp.ru>; from ache@nagual.pp.ru on Thu, Oct 04, 2001 at 01:30:42PM +0400

On Thu, Oct 04, 2001 at 01:28:02PM +0400, Andrey A. Chernov wrote:
> On Thu, Oct 04, 2001 at 12:16:40 +0300, Peter Pentchev wrote:
> > + if ((len == 0) || !isspace(buf[len - 1])) {
>
> Must be isspace((unsigned char)....)

On Thu, Oct 04, 2001 at 01:30:42PM +0400, Andrey A. Chernov wrote:
> On Thu, Oct 04, 2001 at 12:16:40 +0300, Peter Pentchev wrote:
> > + abuf = calloc(1, len + 1);
> > + if (abuf == NULL) {
> > + errno = ENOMEM;
> > + err(1, "reallocating");
> > + }
>
> To overwrite errno set by calloc() is wrong.

Oops to both :\

OK, here's an updated patch.

G'luck,
Peter

--
If the meanings of 'true' and 'false' were switched, then this sentence
wouldn't be false.

Index: src/usr.bin/whois/whois.c
===================================================================
RCS file: /home/ncvs/src/usr.bin/whois/whois.c,v
retrieving revision 1.24
diff -u -r1.24 whois.c
--- src/usr.bin/whois/whois.c	2001/08/05 19:37:12	1.24
+++ src/usr.bin/whois/whois.c	2001/10/04 14:39:24
@@ -251,7 +251,7 @@ { FILE *sfi, *sfo; struct addrinfo *res2; - char *buf, *nhost, *p; + char *abuf, *buf, *nhost, *p; int i, nomatch, s; size_t len;
@@ -275,7 +275,15 @@ nhost = NULL; nomatch = 0; while ((buf = fgetln(sfi, &len)) != NULL) { - while (len && isspace(buf[len - 1])) + abuf = NULL; + if ((len == 0) || !isspace((unsigned char)buf[len - 1])) { + abuf = calloc(1, len + 1); + if (abuf == NULL) + err(1, "reallocating"); + memcpy(abuf, buf, len); + buf = abuf; + } + while (len && isspace((unsigned char)buf[len - 1])) buf[--len] = '\0'; if ((flags & WHOIS_RECURSE) && nhost == NULL) {
@@ -304,6 +312,7 @@ nomatch = 1; } printf("%s\n", buf); + free(abuf); } /* Do second lookup as needed. */

From owner-freebsd-audit Thu Oct 4 5: 0:30 2001
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 44E6D37B406 for ; Thu, 4 Oct 2001 05:00:27 -0700 (PDT)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id OAA51670; Thu, 4 Oct 2001 14:00:24 +0200 (CEST) (envelope-from des@ofug.org)
X-URL: http://www.ofug.org/~des/
To: cjclark@alum.mit.edu
Cc: freebsd-audit@FreeBSD.ORG
Subject: Re: dmesg.boot Gets Overwritten without Reboot
References: <20011003221310.Q8391@blossom.cjclark.org>
From: Dag-Erling Smorgrav
Date: 04 Oct 2001 14:00:23 +0200
In-Reply-To: <20011003221310.Q8391@blossom.cjclark.org>
Message-ID:
Lines: 11
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

"Crist J. Clark" writes:
> Any comments on the patch or the concept?

Is there any way you can compare the timestamp on /var/run/dmesg.boot
with `sysctl -n kern.boottime`? This would DTRT in almost all cases
(the exception being the case where you set the clock back before
returning from single-user mode)

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-audit Thu Oct 4 9:19:37 2001
Received: from coffee.q9media.com (coffee.q9media.com [216.94.229.19]) by hub.freebsd.org (Postfix) with ESMTP id A163137B403; Thu, 4 Oct 2001 09:19:29 -0700 (PDT)
Received: (from mike@localhost) by coffee.q9media.com (8.11.6/8.11.6) id f94GJXm33690; Thu, 4 Oct 2001 12:19:33 -0400 (EDT) (envelope-from mike)
Date: Thu, 4 Oct 2001 12:19:33 -0400
From: Mike Barcroft
To: Peter Pentchev
Cc: freebsd-net@FreeBSD.ORG, freebsd-audit@FreeBSD.ORG
Subject: Re: [CFR] whois(1) out-of-bound access patch
Message-ID: <20011004121933.B31795@coffee.q9media.com>
References: <20011004121640.C1959@ringworld.oblivion.bg>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="mP3DRpeJDSE+ciuQ"
Content-Disposition: inline
In-Reply-To: <20011004121640.C1959@ringworld.oblivion.bg>; from roam@ringlet.net on Thu, Oct 04, 2001 at 12:16:40PM +0300
Organization: The FreeBSD Project

--mP3DRpeJDSE+ciuQ
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Peter Pentchev writes:
> As described in PR bin/30968, whois(1) may access invalid data when
> the whois server returns a non-newline-terminated string.
> While it is true that the whois server maintainers should do a better
> job of following standards and such, still the 'be liberal in what
> you accept' mindset might be applied in this case, to fix what is
> ultimately a subtle fgetln(3) use bug :)
>
> Any harm in committing the attached patch? And this - or something
> like this - should be done soon; all FreeBSD whois clients currently
> display weird behavior when querying .biz domains :\

Evil! :) You may want to notify the server administrator, as I tried
using a variety of different whois clients and most of them have
problems with it.

[Over-engineered patch removed.]

Would you please test the attached patch and confirm that it solves
the problem? If it does, I'll commit it today.

Best regards,
Mike Barcroft

--mP3DRpeJDSE+ciuQ
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="whois.20011004.diff"

A whois server may return a final line without a new line character.
PR:		30968

Index: whois.c
===================================================================
RCS file: /cvs/src/usr.bin/whois/whois.c,v
retrieving revision 1.24
diff -u -r1.24 whois.c
--- whois.c	5 Aug 2001 19:37:12 -0000	1.24
+++ whois.c	4 Oct 2001 15:57:56 -0000
@@ -303,7 +303,7 @@ strchr(name, '.') == NULL) nomatch = 1; } - printf("%s\n", buf); + printf("%.*s\n", (int)len, buf); } /* Do second lookup as needed. */

--mP3DRpeJDSE+ciuQ--

From owner-freebsd-audit Thu Oct 4 9:50:37 2001
Received: from xerxes.courtesan.com (sdsl-64-32-146-211.dsl.lax.megapath.net [64.32.146.211]) by hub.freebsd.org (Postfix) with ESMTP id 5355937B403; Thu, 4 Oct 2001 09:50:33 -0700 (PDT)
Received: from xerxes.courtesan.com (localhost.courtesan.com [IPv6:::1]) by xerxes.courtesan.com (8.12.1/8.12.1) with ESMTP id f94GoL4W028703; Thu, 4 Oct 2001 10:50:21 -0600 (MDT)
Received: from xerxes.courtesan.com (millert@localhost) by xerxes.courtesan.com (8.12.1/8.12.0/Submit) with ESMTP id f94GoL10010161; Thu, 4 Oct 2001 10:50:21 -0600 (MDT)
Message-Id: <200110041650.f94GoL10010161@xerxes.courtesan.com>
To: Mike Barcroft
Cc: Peter Pentchev , freebsd-net@FreeBSD.ORG, freebsd-audit@FreeBSD.ORG
Subject: Re: [CFR] whois(1) out-of-bound access patch
In-reply-to: Your message of "Thu, 04 Oct 2001 12:19:33 EDT." <20011004121933.B31795@coffee.q9media.com>
References: <20011004121640.C1959@ringworld.oblivion.bg> <20011004121933.B31795@coffee.q9media.com>
Date: Thu, 04 Oct 2001 10:50:20 -0600
From: "Todd C. Miller"

In message <20011004121933.B31795@coffee.q9media.com>
	so spake Mike Barcroft (mike):

> Would you please test the attached patch and confirm that it solves
> the problem? If it does, I'll commit it today.

I doubt that is sufficient as "buf" is treated as a NUL terminated
string in the calls to strstr(). Also note that it is not necessary
to copy the buffer each time as in the original patch. You can
only get a line w/o a newline as the last line before EOF.

 - todd

From owner-freebsd-audit Thu Oct 4 10: 3: 1 2001
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id AA96337B406; Thu, 4 Oct 2001 10:02:57 -0700 (PDT)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.11.4/8.11.4) id f94H2uQ08169; Thu, 4 Oct 2001 13:02:56 -0400 (EDT) (envelope-from wollman)
Date: Thu, 4 Oct 2001 13:02:56 -0400 (EDT)
From: Garrett Wollman
Message-Id: <200110041702.f94H2uQ08169@khavrinen.lcs.mit.edu>
To: Mike Barcroft
Cc: freebsd-net@FreeBSD.ORG, freebsd-audit@FreeBSD.ORG
Subject: Re: [CFR] whois(1) out-of-bound access patch
In-Reply-To: <20011004121933.B31795@coffee.q9media.com>
References: <20011004121640.C1959@ringworld.oblivion.bg> <20011004121933.B31795@coffee.q9media.com>

< said:

> - printf("%s\n", buf);
> + printf("%.*s\n", (int)len, buf);

This is a *much* better patch.

-GAWollman

From owner-freebsd-audit Thu Oct 4 10:47:14 2001
Received: from coffee.q9media.com (coffee.q9media.com [216.94.229.19]) by hub.freebsd.org (Postfix) with ESMTP id 00F3537B405; Thu, 4 Oct 2001 10:47:10 -0700 (PDT)
Received: (from mike@localhost) by coffee.q9media.com (8.11.6/8.11.6) id f94HlBV33920; Thu, 4 Oct 2001 13:47:11 -0400 (EDT) (envelope-from mike)
Date: Thu, 4 Oct 2001 13:47:10 -0400
From: Mike Barcroft
To: "Todd C. Miller"
Cc: Peter Pentchev , freebsd-net@FreeBSD.ORG, freebsd-audit@FreeBSD.ORG
Subject: Re: [CFR] whois(1) out-of-bound access patch
Message-ID: <20011004134710.C31795@coffee.q9media.com>
References: <20011004121640.C1959@ringworld.oblivion.bg> <20011004121933.B31795@coffee.q9media.com> <200110041650.f94GoL10010161@xerxes.courtesan.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200110041650.f94GoL10010161@xerxes.courtesan.com>; from Todd.Miller@courtesan.com on Thu, Oct 04, 2001 at 10:50:20AM -0600
Organization: The FreeBSD Project

Todd C. Miller writes:
> In message <20011004121933.B31795@coffee.q9media.com>
> so spake Mike Barcroft (mike):
>
> > Would you please test the attached patch and confirm that it solves
> > the problem? If it does, I'll commit it today.
>
> I doubt that is sufficient as "buf" is treated as a NUL terminated
> string in the calls to strstr(). Also note that it is not necessary
> to copy the buffer each time as in the original patch. You can
> only get a line w/o a newline as the last line before EOF.

We could always implement strnstr(). I think I prefer it to the
malloc(3) the final line kludge.

BTW, are you interested in syncing OpenBSD's whois(1) with FreeBSD's at
some point? I've added some really useful features, particularly the
-c option and recursive IP lookups.
Best regards,
Mike Barcroft

From owner-freebsd-audit Thu Oct 4 15:25:53 2001
Received: from robin.mail.pas.earthlink.net (robin.mail.pas.earthlink.net [207.217.120.65]) by hub.freebsd.org (Postfix) with ESMTP id 7CD2B37B405 for ; Thu, 4 Oct 2001 15:25:49 -0700 (PDT)
Received: from blossom.cjclark.org (dialup-209.245.132.25.Dial1.SanJose1.Level3.net [209.245.132.25]) by robin.mail.pas.earthlink.net (8.11.5/8.9.3) with ESMTP id f94MPk911140; Thu, 4 Oct 2001 15:25:46 -0700 (PDT)
Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.3) id f94MPhH02084; Thu, 4 Oct 2001 15:25:43 -0700 (PDT) (envelope-from cjc)
Date: Thu, 4 Oct 2001 15:25:41 -0700
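The whois(1) thread above turns on one property of fgetln(3): the line it hands back is not NUL-terminated, and the last line before EOF may have no newline at all, so any code that treats it as a C string (printf("%s"), strstr()) reads past the end of the buffer. The following is an added example, not code from whois.c or from any of the posters, showing the bounded handling the thread converges on: every access uses the length fgetln reports, the whitespace test casts to unsigned char as Andrey Chernov asked, and the substring search is length-limited in the spirit of the strnstr() Mike Barcroft mentions. Because fgetln(3) is BSD-only, fake_fgetln() is a constructed stand-in with the same contract; bounded_strstr() is hand-written rather than libc's strnstr(3); the sample responses and host names are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for fgetln(3), constructed so the example runs without BSD libc but
 * with the same contract: returns a pointer to the next line inside the caller's
 * data, stores its length (with any '\n') in *lenp, NUL-terminates nothing. */
static const char *
fake_fgetln(const char *data, size_t datalen, size_t *posp, size_t *lenp)
{
	const char *start, *nl;

	if (*posp >= datalen)
		return (NULL);
	start = data + *posp;
	nl = memchr(start, '\n', datalen - *posp);
	*lenp = (nl != NULL) ? (size_t)(nl - start) + 1 : datalen - *posp;
	*posp += *lenp;
	return (start);
}

/* Bounded strstr(): looks only at the first `len` bytes of `s`, so it is safe
 * on a line that is not NUL-terminated. FreeBSD libc has strnstr(3) for this;
 * this portable version is the example's own. */
static const char *
bounded_strstr(const char *s, const char *find, size_t len)
{
	size_t flen = strlen(find), i;

	if (flen == 0)
		return (s);
	for (i = 0; i + flen <= len; i++)
		if (memcmp(s + i, find, flen) == 0)
			return (s + i);
	return (NULL);
}

/* Copy at most `len` bytes of a raw line into `out`, strip trailing
 * whitespace, NUL-terminate, and return the trimmed length. The
 * (unsigned char) cast keeps isspace() defined for bytes >= 0x80. */
static size_t
trim_line(const char *buf, size_t len, char *out, size_t outsz)
{
	if (len >= outsz)
		len = outsz - 1;	/* truncate rather than overflow out */
	memcpy(out, buf, len);
	while (len > 0 && isspace((unsigned char)out[len - 1]))
		len--;
	out[len] = '\0';
	return (len);
}

/* Find the host on a "Whois Server:" line (the referral whois(1) follows in
 * WHOIS_RECURSE mode); returns 1 and fills `host`, else 0. Every access is
 * bounded by the reported length, so an unterminated final line is fine. */
static int
find_referral(const char *data, size_t datalen, char *host, size_t hostsz)
{
	static const char key[] = "Whois Server:";
	const char *buf, *p, *end;
	size_t pos = 0, len;
	char line[256];

	while ((buf = fake_fgetln(data, datalen, &pos, &len)) != NULL) {
		if ((p = bounded_strstr(buf, key, len)) == NULL)
			continue;
		end = buf + len;
		p += sizeof(key) - 1;
		while (p < end && isspace((unsigned char)*p))
			p++;	/* skip blanks after the key */
		if (trim_line(p, (size_t)(end - p), line, sizeof(line)) == 0)
			continue;	/* key with no host after it */
		snprintf(host, hostsz, "%s", line);
		return (1);
	}
	return (0);
}

/* Did find_referral() yield `expect` (or, for expect == NULL, nothing)? */
static int
referral_is(const char *data, size_t datalen, const char *expect)
{
	char host[128];
	int found = find_referral(data, datalen, host, sizeof(host));

	return (expect == NULL ? found == 0 : found && strcmp(host, expect) == 0);
}

/* Constructed samples: a referral on a CRLF line, and one on an unterminated final line. */
static const char sample_mid[] =
    "Domain Name: EXAMPLE.BIZ\r\nWhois Server: whois.example.invalid\r\nStatus: ok";
static const char sample_last[] =
    "Domain Name: EXAMPLE.BIZ\nWhois Server: whois.last.invalid";

int
main(void)
{
	printf("CRLF referral ok: %d\n",
	    referral_is(sample_mid, sizeof(sample_mid) - 1, "whois.example.invalid"));
	printf("unterminated-line referral ok: %d\n",
	    referral_is(sample_last, sizeof(sample_last) - 1, "whois.last.invalid"));
	return (0);
}
```

Note that the copy in trim_line() happens per line here for clarity; as Todd Miller observes, a real fgetln(3) loop only needs the copy for the final, newline-less line, and the `%.*s` form of printf plus a length-bounded search covers the rest without any allocation.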
From: "Crist J. Clark"
To: Dag-Erling Smorgrav
Cc: freebsd-audit@FreeBSD.ORG
Subject: Re: dmesg.boot Gets Overwritten without Reboot
Message-ID: <20011004152541.I297@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <20011003221310.Q8391@blossom.cjclark.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from des@ofug.org on Thu, Oct 04, 2001 at 02:00:23PM +0200

On Thu, Oct 04, 2001 at 02:00:23PM +0200, Dag-Erling Smorgrav wrote:
> "Crist J. Clark" writes:
> > Any comments on the patch or the concept?
>
> Is there any way you can compare the timestamp on /var/run/dmesg.boot
> with `sysctl -n kern.boottime`? This would DTRT in almost all cases
> (the exception being the case where you set the clock back before
> returning from single-user mode)

Right, but is there a more graceful way than,

  # Not too bad
  LASTBOOT=`sysctl -n kern.boottime | sed 's/^{ sec = \([0-9]*\), .*/\1/'`
  # Gack!
  LASTDMESG=`ls -lT /var/run/dmesg.boot | awk '{ print $6 " " $7 " " $8 " " $9; }'`
  LASTDMESG=`date -j -f "%Ef %T %Y" "$LASTDMESG" +%s`

To get those two secs numbers to compare. I've looked for a utility
that will return the [acm]time of a file in UNIX Epoch seconds before,
but I don't think I've ever found one in the base system.

Here's the rc(8) patch,

Index: src/etc/rc
===================================================================
RCS file: /export/ncvs/src/etc/rc,v
retrieving revision 1.283
diff -u -r1.283 rc
--- src/etc/rc	2001/10/02 12:00:39	1.283
+++ src/etc/rc	2001/10/04 22:23:18
@@ -339,10 +339,28 @@ clean_var() { if [ ! -f /var/run/clean_var ]; then + # We may wish to save the boot messages. + if [ -f /var/run/dmesg.boot ]; then + mv -f /var/run/dmesg.boot /tmp/dmesg.boot + fi purgedir /var/run /var/spool/lock rm -rf /var/spool/uucp/.Temp/* - # Keep a copy of the boot messages around - dmesg >/var/run/dmesg.boot + # Check if the dmesg.boot is from (younger than) + # the most recent reboot. + if [ -f /tmp/dmesg.boot ]; then + LASTBOOT=`sysctl -n kern.boottime | \ + sed 's/^{ sec = \([0-9]*\), .*/\1/'` + LASTDMESG=`ls -lT /tmp/dmesg.boot | \ + awk '{ print $6 " " $7 " " $8 " " $9; }'` + LASTDMESG=`date -j -f "%Ef %T %Y" "$LASTDMESG" +%s` + if [ $LASTBOOT -lt $LASTDMESG ]; then + mv -f /tmp/dmesg.boot /var/run/dmesg.boot + fi + rm -f /tmp/dmesg.boot + fi + if [ ! -f /var/run/dmesg.boot ]; then + dmesg >/var/run/dmesg.boot + fi # And an initial utmp file (cd /var/run && cp /dev/null utmp && chmod 644 utmp;) >/var/run/clean_var -- Crist J. Clark cjclark@alum.mit.edu cjclark@jhu.edu cjc@freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message From owner-freebsd-audit Thu Oct 4 15:43:54 2001 Delivered-To: freebsd-audit@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 1AA4437B406 for ; Thu, 4 Oct 2001 15:43:51 -0700 (PDT) Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id AAA54267; Fri, 5 Oct 2001 00:43:48 +0200 (CEST) (envelope-from des@ofug.org) X-URL: http://www.ofug.org/~des/ X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated. To: cjclark@alum.mit.edu Cc: freebsd-audit@FreeBSD.ORG Subject: Re: dmesg.boot Gets Overwritten without Reboot References: <20011003221310.Q8391@blossom.cjclark.org> <20011004152541.I297@blossom.cjclark.org> 
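Review bot: the staging path in the first added block is the world-writable /tmp, and the later `if [ -f /tmp/dmesg.boot ]` test cannot tell the file this script moved there apart from one that already existed under that fixed name, so the old dmesg.boot should be staged in a root-only location (a mktemp(1)-created file, or a directory under /var that purgedir does not touch) instead of /tmp/dmesg.boot. Two smaller points in the same hunk: `[ $LASTBOOT -lt $LASTDMESG ]` leaves both variables unquoted, so when `sysctl`, `ls -lT | awk` or `date -j` produces nothing the test errors out and the old file is silently discarded, and the comparison inherits the caveat DES raised above (a clock set back in single-user mode makes a stale file look newer than the boot), which deserves a comment next to the check.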
From: Dag-Erling Smorgrav
Date: 05 Oct 2001 00:43:47 +0200
In-Reply-To: <20011004152541.I297@blossom.cjclark.org>

"Crist J. Clark" writes:
> On Thu, Oct 04, 2001 at 02:00:23PM +0200, Dag-Erling Smorgrav wrote:
> > Is there any way you can compare the timestamp on /var/run/dmesg.boot
> > with `sysctl -n kern.boottime`? This would DTRT in almost all cases
> > (the exception being the case where you set the clock back before
> > returning from single-user mode)
> Right, but is there a more graceful way than [...]

Recent FreeBSD versions of find(1) have a -newerXY operator that will DTRT if X=m and Y=t:

  $ find /var/run -type f -name dmesg.boot -newermt "$(sysctl -n kern.boottime | sed 's/.*}//')"
  /var/run/dmesg.boot

If find(1) outputs "/var/run/dmesg.boot", do nothing - otherwise, create the file.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-audit Thu Oct  4 16:00:38 2001
To: cjclark@alum.mit.edu
Cc: freebsd-audit@FreeBSD.ORG
Subject: Re: dmesg.boot Gets Overwritten without Reboot
References: <20011003221310.Q8391@blossom.cjclark.org> <20011004152541.I297@blossom.cjclark.org>
From: Dag-Erling Smorgrav
Date: 05 Oct 2001 01:00:31 +0200

Dag-Erling Smorgrav writes:
> $ find /var/run -type f -name dmesg.boot -newermt "$(sysctl -n kern.boottime | sed 's/.*}//')"
> /var/run/dmesg.boot

Sorry, I forgot you don't have sed(1) available. Use this:

  boottime="$(sysctl -n kern.boottime)"
  foo="$(find /var/run -type f -name dmesg.boot -newermt "${boottime#*\}}")"
  if [ "${foo}" != "/var/run/dmesg.boot" ] ; then
          echo 'Spank me!'
  fi

DES
-- 
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-audit Thu Oct  4 18:57:06 2001
Date: Thu, 4 Oct 2001 21:57:06 -0400
From: Mike Barcroft To: audit@FreeBSD.org Subject: strnstr(3) - New libc function for review Message-ID: <20011004215706.B34530@coffee.q9media.com> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="HcAYCG3uE/tztfnV" Content-Disposition: inline Organization: The FreeBSD Project Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG --HcAYCG3uE/tztfnV Content-Type: text/plain; charset=us-ascii Content-Disposition: inline [BCC'd to -hackers for additional comments.] Hello, I would appreciate comments/reviews of the following new addition to libc. It is largely based off the current strstr(3) implementation. Patch attached and also available at: http://people.FreeBSD.org/~mike/patches/strnstr.diff Best regards, Mike Barcroft --HcAYCG3uE/tztfnV Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="strnstr.diff" strnstr.diff Add a new libc function, strnstr(3), which allows one to limit the number of characters that are searched. This is especially useful with file operations and non-NUL terminated strings. Index: lib/libc/string/Makefile.inc =================================================================== RCS file: /cvs/src/lib/libc/string/Makefile.inc,v retrieving revision 1.23 diff -u -r1.23 Makefile.inc --- lib/libc/string/Makefile.inc 31 Jul 2001 16:34:52 -0000 1.23 +++ lib/libc/string/Makefile.inc 5 Oct 2001 00:30:43 -0000 @@ -10,6 +10,7 @@ memcpy.c memmove.c memset.c rindex.c strcasecmp.c strcat.c strchr.c \ strcmp.c strcoll.c strcpy.c strcspn.c strdup.c strerror.c \ strlcat.c strlcpy.c strlen.c strmode.c strncat.c strncmp.c strncpy.c \ + strnstr.c \ strpbrk.c strrchr.c strsep.c strsignal.c strspn.c strstr.c strtok.c \ strxfrm.c swab.c wcscat.c wcschr.c wcscmp.c wcscpy.c wcscspn.c \ wcslcat.c wcslcpy.c wcslen.c wcsncat.c wcsncmp.c wcsncpy.c wcspbrk.c \ 
@@ -36,6 +37,7 @@ MLINKS+=strerror.3 perror.3 strerror.3 sys_errlist.3 strerror.3 sys_nerr.3 MLINKS+=strlcpy.3 strlcat.3 MLINKS+=strtok.3 strtok_r.3 +MLINKS+=strstr.3 strnstr.3 MLINKS+=wmemchr.3 wmemcmp.3 wmemchr.3 wmemcpy.3 \ wmemchr.3 wmemmove.3 wmemchr.3 wmemset.3 \ wmemchr.3 wcscat.3 wmemchr.3 wcschr.3 \ --- /dev/null Thu Oct 4 21:11:00 2001 +++ lib/libc/string/strnstr.c Thu Oct 4 20:37:01 2001 
@@ -0,0 +1,70 @@ +/*- + * Copyright (c) 2001 Mike Barcroft + * Copyright (c) 1990, 1993 + * The Regents of the University of California. All rights reserved. + * + * This code is derived from software contributed to Berkeley by + * Chris Torek. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the University of + * California, Berkeley and its contributors. + * 4. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include +__RCSID("@(#)strstr.c 8.1 (Berkeley) 6/4/93"); +__FBSDID("$FreeBSD$"); + +#include + +/* + * Find the first occurrence of find in s, where the search is limited to the + * first slen characters of s. + */ +char * +strnstr(s, find, slen) + const char *s; + const char *find; + size_t slen; +{ + char c, sc; + size_t len; + + if ((c = *find++) != '\0') { + len = strlen(find); + do { + do { + if ((sc = *s++) == '\0' || slen-- < 1) + return (NULL); + } while (sc != c); + if (len > slen) + return (NULL); + } while (strncmp(s, find, len) != 0); + s--; + } + return ((char *)s); +} Index: lib/libc/string/strstr.3 =================================================================== RCS file: /cvs/src/lib/libc/string/strstr.3,v retrieving revision 1.7 diff -u -r1.7 strstr.3 --- lib/libc/string/strstr.3 1 Oct 2001 16:09:00 -0000 1.7 +++ lib/libc/string/strstr.3 5 Oct 2001 01:18:13 -0000 @@ -1,3 +1,4 @@ +.\" Copyright (c) 2001 Mike Barcroft .\" Copyright (c) 1990, 1991, 1993 .\" The Regents of the University of California. All rights reserved. .\" @@ -40,7 +41,7 @@ .Dt STRSTR 3 .Os .Sh NAME -.Nm strstr +.Nm strstr , strnstr .Nd locate a substring in a string .Sh LIBRARY .Lb libc @@ -48,6 +49,8 @@ .In string.h .Ft char * .Fn strstr "const char *big" "const char *little" +.Ft char * +.Fn strnstr "const char *big" "const char *little" "size_t len" .Sh DESCRIPTION The .Fn strstr 
@@ -56,22 +59,58 @@ .Fa little in the null-terminated string .Fa big . +.Pp +The +.Fn strnstr +function +locates the first occurrence of the null-terminated string +.Fa little +in the string +.Fa big , +where only the first number of characters, identified by +.Fa len , +are searched. +.Sh RETURN VALUES If .Fa little -is the empty string, -.Fn strstr -returns -.Fa big ; +is an empty string, +.Fa big +is returned; if .Fa little occurs nowhere in .Fa big , -.Fn strstr -returns NULL; -otherwise -.Fn strstr -returns a pointer to the first character of the first occurrence of -.Fa little . +NULL is returned; +otherwise a pointer to the first character of the first occurrence of +.Fa little +is returned. +.Sh EXAMPLES +The following sets the pointer +.Va ptr +to the +.Dq Li Bar Baz +portion of +.Va largestring : +.Bd -literal -offset indent +const char *largestring = "Foo Bar Baz"; +const char *smallstring = "Bar"; +char *ptr; + +ptr = strstr(largestring, smallstring); +.Ed +.Pp +The following sets the pointer +.Va ptr +to NULL, because only the first 4 characters of +.Va largestring +are searched: +.Bd -literal -offset indent +const char *largestring = "Foo Bar Baz"; +const char *smallstring = "Bar"; +char *ptr; + +ptr = strnstr(largestring, smallstring, 4); +.Ed .Sh SEE ALSO .Xr memchr 3 , .Xr strchr 3 , Index: include/string.h =================================================================== RCS file: /cvs/src/include/string.h,v retrieving revision 1.6 diff -u -r1.6 string.h --- include/string.h 16 Aug 1999 06:53:13 -0000 1.6 +++ include/string.h 5 Oct 2001 00:34:03 -0000 
@@ -87,6 +87,7 @@ size_t strlcpy __P((char *, const char *, size_t)); void strmode __P((int, char *)); int strncasecmp __P((const char *, const char *, size_t)); +char *strnstr __P((const char *, const char *, size_t)); char *strsep __P((char **, const char *)); char *strsignal __P((int)); char *strtok_r __P((char *, const char *, char **)); --HcAYCG3uE/tztfnV-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message From owner-freebsd-audit Thu Oct 4 23: 8:52 2001 Delivered-To: freebsd-audit@freebsd.org Received: from ringworld.nanolink.com (straylight.ringlet.net [217.75.134.254]) by hub.freebsd.org (Postfix) with SMTP id 694E037B419 for ; Thu, 4 Oct 2001 23:08:35 -0700 (PDT) Received: (qmail 3120 invoked by uid 1000); 5 Oct 2001 06:07:28 -0000 Date: Fri, 5 Oct 2001 09:07:27 +0300 
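Review bot: in the strnstr.c hunk the inner loop reads `*s++` before it checks `slen-- < 1`, so on a buffer that is exactly slen bytes long and not NUL-terminated the function reads one byte past the limit it was added to enforce; test the count first, as in `if (slen-- < 1 || (sc = *s++) == '\0') return (NULL);`. With that order the `if (len > slen)` check and the `strncmp(s, find, len)` that follows stay within bounds. Style: the new file uses a K&R-style definition (`strnstr(s, find, slen) const char *s; ...`) carried over from strstr.c; a newly written function can use an ANSI prototype.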
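Review bot: in the strstr.3 hunk the sentence "where only the first number of characters, identified by len, are searched" is hard to parse; "where not more than len characters are searched" says the same thing, and the RETURN VALUES text should also say that a NUL in big within those len characters ends the search, which is what the implementation does. Since the function is introduced here as a new libc addition rather than one taken from a standard, the manual page should state that it is a FreeBSD extension so portable code does not come to depend on it.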
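Review bot: in the Makefile.inc MLINKS hunk the new `MLINKS+=strstr.3 strnstr.3` line lands after `MLINKS+=strtok.3 strtok_r.3`, breaking the alphabetical order the neighbouring lines keep; move it between the strlcpy and strtok lines.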
From: Peter Pentchev
To: Mike Barcroft
Cc: "Todd C. Miller", freebsd-net@FreeBSD.ORG, freebsd-audit@FreeBSD.ORG
Subject: Re: [CFR] whois(1) out-of-bound access patch
Message-ID: <20011005090727.A650@ringworld.oblivion.bg>
References: <20011004121640.C1959@ringworld.oblivion.bg> <20011004121933.B31795@coffee.q9media.com> <200110041650.f94GoL10010161@xerxes.courtesan.com> <20011004134710.C31795@coffee.q9media.com>
In-Reply-To: <20011004134710.C31795@coffee.q9media.com>; from mike@FreeBSD.ORG on Thu, Oct 04, 2001 at 01:47:10PM -0400

On Thu, Oct 04, 2001 at 01:47:10PM -0400, Mike Barcroft wrote:
> Todd C. Miller writes:
> > In message <20011004121933.B31795@coffee.q9media.com>
> > so spake Mike Barcroft (mike):
> >
> > > Would you please test the attached patch and confirm that it solves
> > > the problem? If it does, I'll commit it today.
> >
> > I doubt that is sufficient as "buf" is treated as a NUL terminated
> > string in the calls to strstr(). Also note that it is not necessary
> > to copy the buffer each time as in the original patch. You can
> > only get a line w/o a newline as the last line before EOF.

The buffer is not copied each time, but only when a line w/o a newline is found. In all other cases, we deal directly with what fgetln(3) returns.

> We could always implement strnstr(). I think I prefer it to the
> malloc(3) the final line kludge.

strnstr() would not be enough; there are calls to strcspn(), strchr() and s_asprintf() too, which treat buf as a null-terminated string.
I see no reason to introduce additional processing for *each* input string, when all we need is to special-case the case of no newline. The "kludge" is only invoked when a newline-less line is received, which, as Todd Miller points out, is usually only the last single line. In all other cases, there is no performance overhead. On a side note, as Garrett Wollman kindly pointed out in a private message, the calloc(3) call should probably be replaced by a malloc(3) and zeroing only the last byte. See the attached revised patch. G'luck, Peter -- You have, of course, just begun reading the sentence that you have just finished reading. Index: src/usr.bin/whois/whois.c =================================================================== RCS file: /home/ncvs/src/usr.bin/whois/whois.c,v retrieving revision 1.24 diff -u -r1.24 whois.c --- src/usr.bin/whois/whois.c 2001/08/05 19:37:12 1.24 +++ src/usr.bin/whois/whois.c 2001/10/05 11:07:46 @@ -251,7 +251,7 @@ { FILE *sfi, *sfo; struct addrinfo *res2; - char *buf, *nhost, *p; + char *abuf, *buf, *nhost, *p; int i, nomatch, s; size_t len; @@ -275,7 +275,16 @@ nhost = NULL; nomatch = 0; while ((buf = fgetln(sfi, &len)) != NULL) { - while (len && isspace(buf[len - 1])) + abuf = NULL; + if ((len == 0) || !isspace((unsigned char)buf[len - 1])) { + abuf = malloc(len + 1); + if (abuf == NULL) + err(1, "reallocating"); + memcpy(abuf, buf, len); + abuf[len] = '\0'; + buf = abuf; + } + while (len && isspace((unsigned char)buf[len - 1])) buf[--len] = '\0'; if ((flags & WHOIS_RECURSE) && nhost == NULL) { 
@@ -304,6 +313,7 @@ nomatch = 1; } printf("%s\n", buf); + free(abuf); } /* Do second lookup as needed. */ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message From owner-freebsd-audit Thu Oct 4 23:16:34 2001 Delivered-To: freebsd-audit@freebsd.org Received: from obsecurity.dyndns.org (adsl-64-165-226-227.dsl.lsan03.pacbell.net [64.165.226.227]) by hub.freebsd.org (Postfix) with ESMTP id 7E48237B40D for ; Thu, 4 Oct 2001 23:16:21 -0700 (PDT) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 0192A66E30; Thu, 4 Oct 2001 23:16:20 -0700 (PDT) Date: Thu, 4 Oct 2001 23:16:20 -0700 
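Review bot: in the second whois.c hunk the failure message `err(1, "reallocating")` describes a realloc that is not there; the call is `malloc(len + 1)`, so the message should say "malloc". The copy condition `(len == 0) || !isspace((unsigned char)buf[len - 1])` is right: any line that ends in whitespace gets its NUL written in place by the trim loop, and only the newline-less final line before EOF needs the private copy, which matches Todd's observation above. One thing to verify in the elided loop body: if any path between `abuf = malloc(len + 1)` and the `free(abuf)` added in the third hunk skips ahead with `continue` or leaves the loop with `break`, that copy leaks; `free(NULL)` for the in-place case is fine.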
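Peter's point above (only the newline-less last line that fgetln(3) returns needs a NUL-terminated copy) and Mike's strnstr(3) proposal earlier in the thread, as an added example that is not code from either patch: a length-bounded search that never reads past the buffer, and the copy-only-when-needed handling of fgetln lines run over a constructed whois reply. bounded_strstr, terminate_line, count_copied_lines and the sample data are mine, not whois(1)'s or libc's.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/*
 * Length-bounded search written for this example (not the libc
 * strnstr(3) from Mike's patch): it reads only s[0..slen-1], so a buffer
 * without a terminating NUL is safe to search.
 */
static const char *
bounded_strstr(const char *s, size_t slen, const char *find)
{
	size_t flen = strlen(find), i;
	if (flen == 0)
		return (s);
	for (i = 0; i + flen <= slen; i++)
		if (memcmp(s + i, find, flen) == 0)
			return (s + i);
	return (NULL);
}

/*
 * Mirrors the abuf/buf handling in Peter's whois.c patch: an fgetln(3)
 * line (pointer + length, no NUL) can only be terminated in place by
 * writing a NUL over trailing whitespace, so the newline-less last line
 * before EOF is first copied into a fresh NUL-terminated buffer.  *abuf
 * gets that allocation (or NULL) for the caller to free.
 */
static char *
terminate_line(char *buf, size_t len, char **abuf)
{
	*abuf = NULL;
	if (len == 0 || !isspace((unsigned char)buf[len - 1])) {
		if ((*abuf = malloc(len + 1)) == NULL)
			return (NULL);
		memcpy(*abuf, buf, len);
		(*abuf)[len] = '\0';
		buf = *abuf;
	}
	while (len > 0 && isspace((unsigned char)buf[len - 1]))
		buf[--len] = '\0';
	return (buf);
}

/* Constructed stand-in for a whois reply; the last line has no newline. */
static const char sample_reply[] =
    "   Domain Name: EXAMPLE.TEST\n   Whois Server: whois.example.test\n"
    "No match for";

/*
 * Walks `data` like the whois fgetln() loop (memchr stands in for fgetln,
 * which glibc lacks) over a work buffer that deliberately has no NUL after
 * the data.  Returns how many lines needed a private copy, -1 on failure.
 */
static int
count_copied_lines(const char *data, size_t datalen)
{
	char *work, *line, *nl, *abuf;
	size_t off, len;
	int copied = 0;
	if (datalen == 0 || (work = malloc(datalen)) == NULL)
		return (-1);
	memcpy(work, data, datalen);
	for (off = 0; off < datalen; off += len) {
		line = work + off;
		nl = memchr(line, '\n', datalen - off);
		len = nl != NULL ? (size_t)(nl - line) + 1 : datalen - off;
		if (terminate_line(line, len, &abuf) == NULL) {
			free(work);
			return (-1);
		}
		/* The line is a real C string now; strstr() etc. are safe. */
		if (abuf != NULL)
			copied++;
		free(abuf);
	}
	free(work);
	return (copied);
}
```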
From: Kris Kennaway
To: cjclark@alum.mit.edu
Cc: freebsd-audit@freebsd.org
Subject: Re: Misuse of 'nobody' user for locate(1)
Message-ID: <20011004231620.A59589@xor.obsecurity.org>
References: <20010920205706.A3050@blossom.cjclark.org>
In-Reply-To: <20010920205706.A3050@blossom.cjclark.org>; from cristjc@earthlink.net on Thu, Sep 20, 2001 at 08:57:07PM -0700

On Thu, Sep 20, 2001 at 08:57:07PM -0700, Crist J. Clark wrote:
> The original purpose of the 'nobody' user was for "anonymous" NFS
> access. This is the account to which the superuser on a remote system
> is mapped. The idea is to have a user that owns no files on the
> system nor is a member of a group that has group ownership of a
> file. File access for this user is always determined by the world
> permission bits.

Excellent, thanks!
Kris

From owner-freebsd-audit Thu Oct  4 23:38:54 2001
Date: Thu, 4 Oct 2001 23:34:59 -0700
From: "Crist J. Clark"
To: Dag-Erling Smorgrav
Cc: freebsd-audit@FreeBSD.ORG
Subject: Re: dmesg.boot Gets Overwritten without Reboot
Message-ID: <20011004233459.M297@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <20011003221310.Q8391@blossom.cjclark.org> <20011004152541.I297@blossom.cjclark.org>
In-Reply-To: ; from des@ofug.org on Fri, Oct 05, 2001 at 01:00:31AM +0200

On Fri, Oct 05, 2001 at 01:00:31AM +0200, Dag-Erling Smorgrav wrote:
> Dag-Erling Smorgrav writes:
> > $ find /var/run -type f -name dmesg.boot -newermt "$(sysctl -n kern.boottime | sed 's/.*}//')"
> > /var/run/dmesg.boot
>
> Sorry, I forgot you don't have sed(1) available. Use this:

Actually, we do. If we're playing in /var...

> boottime="$(sysctl -n kern.boottime)"
> foo="$(find /var/run -type f -name dmesg.boot -newermt "${boottime#*\}}")"
> if [ "${foo}" != "/var/run/dmesg.boot" ] ; then
>         echo 'Spank me!'
> fi

But more interesting, does this tickle a sh(1) bug? I've reproduced this on several FreeBSD machines (-STABLE and -CURRENT),

  #!/bin/sh
  boottime="$(sysctl -n kern.boottime)"
  echo "Without quotes: " ${boottime#*\}}
  echo "With quotes: " "${boottime#*\}}"

Produces,

  Without quotes: Thu Oct 4 11:44:35 2001
  With quotes: { sec = 1002221075, usec = 383948 } Thu Oct 4 11:44:35 2001

I'm not sure what is going on in the second one. I've tried to do some metacharacter escapes, but no luck. bash produces,

  Without quotes: Thu Oct 4 11:44:35 2001
  With quotes: Thu Oct 4 11:44:35 2001

which is more like what I expect.

-- 
Crist J. Clark                     cjclark@alum.mit.edu
                                   cjclark@jhu.edu
                                   cjc@freebsd.org

From owner-freebsd-audit Thu Oct  4 23:46:54 2001
Date: Fri, 5 Oct 2001 09:45:39 +0300
From: Peter Pentchev
To: Garrett Wollman
Cc: Mike Barcroft, freebsd-net@FreeBSD.ORG, freebsd-audit@FreeBSD.ORG
Subject: Re: [CFR] whois(1) out-of-bound access patch
Message-ID: <20011005094539.B650@ringworld.oblivion.bg>
References: <20011004121640.C1959@ringworld.oblivion.bg> <20011004121933.B31795@coffee.q9media.com> <200110041702.f94H2uQ08169@khavrinen.lcs.mit.edu>
In-Reply-To: <200110041702.f94H2uQ08169@khavrinen.lcs.mit.edu>; from wollman@khavrinen.lcs.mit.edu on Thu, Oct 04, 2001 at 01:02:56PM -0400

On Thu, Oct 04, 2001 at 01:02:56PM -0400, Garrett Wollman wrote:
> < said:
>
> > -	printf("%s\n", buf);
> > +	printf("%.*s\n", (int)len, buf);
>
> This is a *much* better patch.

..yet it needs more work: strstr() and strcspn() are used on a non-null-terminated string. And even if those are fixed, additional work is done for each input line, instead of only for the lines that actually need it (at most one per session).

G'luck,
Peter

-- 
This sentence contains exactly threee erors.