Date: Sun, 19 Nov 2000 03:23:45 -0800 From: Kris Kennaway <kris@freebsd.org> To: audit@freebsd.org Subject: bootpd patch Message-ID: <20001119032345.A91835@citusc17.usc.edu>
[-- Attachment #1 --]
The following patches are taken from OpenBSD. Reviews, anyone?
Kris
Index: bootpd.c
===================================================================
RCS file: /mnt/ncvs/src/libexec/bootpd/bootpd.c,v
retrieving revision 1.13
diff -u -r1.13 bootpd.c
--- bootpd.c 1999/08/28 00:09:16 1.13
+++ bootpd.c 2000/11/19 11:19:01
@@ -95,7 +95,7 @@
#define CONFIG_FILE "/etc/bootptab"
#endif
#ifndef DUMPTAB_FILE
-#define DUMPTAB_FILE "/tmp/bootpd.dump"
+#define DUMPTAB_FILE "/var/run/bootpd.dump"
#endif
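Review bot: The new default for `DUMPTAB_FILE` carries no explanation of why it is no longer under /tmp, so a later cleanup could move it back. I would add a comment above the define such as `/* Keep out of world-writable directories: the daemon writes this fixed name. */`. The code that opens the dump file is outside this hunk; it is worth confirming that it does not follow a pre-existing symlink, and that any manual page naming the old path is updated with this change.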
@@ -633,11 +633,17 @@
int32 bootsize = 0;
unsigned hlen, hashcode;
int32 dest;
- char realpath[1024];
+ char realpath[MAXPATHLEN];
char *clntpath;
char *homedir, *bootfile;
int n;
+ /*
+ * Force C strings in packet to be NUL-terminated.
+ */
+ bp->bp_sname[BP_SNAME_LEN-1] = '\0';
+ bp->bp_file[BP_FILE_LEN-1] = '\0';
+
bp->bp_file[sizeof(bp->bp_file)-1] = '\0';
/* XXX - SLIP init: Set bp_ciaddr = recv_addr here? */
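Review bot: The added `bp->bp_file[BP_FILE_LEN-1] = '\0';` repeats the context line directly below it, `bp->bp_file[sizeof(bp->bp_file)-1] = '\0';`, so the file field is now terminated twice. One form is enough, and the `sizeof` spelling matches the `strlcpy` calls elsewhere in this patch: keep the existing line, drop the new duplicate, and write the server-name line as `bp->bp_sname[sizeof(bp->bp_sname)-1] = '\0';`. The enclosing function starts and ends outside this hunk.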
@@ -658,9 +664,18 @@
return;
}
} else {
- strcpy(bp->bp_sname, hostname);
+ strlcpy(bp->bp_sname, hostname, sizeof(bp->bp_sname));
}
+ /* If it uses an unknown network type, ignore the request. */
+ if (bp->bp_htype >= hwinfocnt) {
+ if (debug)
+ report(LOG_INFO,
+ "Request with unknown network type %u",
+ bp->bp_htype);
+ return;
+ }
+
/* Convert the request into a reply. */
bp->bp_op = BOOTREPLY;
if (bp->bp_ciaddr.s_addr == 0) {
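Review bot: The new unknown-network-type drop is reported only when `debug` is set, so in normal operation requests with an out-of-range `bp_htype` are discarded without any trace in the log. The address-length mismatch in the next hunk is reported unconditionally at `LOG_NOTICE`; the same here, `report(LOG_NOTICE, "Request with unknown network type %u", bp->bp_htype);`, would make malformed requests visible to whoever monitors syslog. If the silence is deliberate to limit log volume from untrusted senders, a comment saying so would help. The enclosing function continues outside the hunk.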
@@ -675,7 +690,7 @@
}
hlen = haddrlength(bp->bp_htype);
if (hlen != bp->bp_hlen) {
- report(LOG_NOTICE, "bad addr len from from %s address %s",
+ report(LOG_NOTICE, "bad addr len from %s address %s",
netname(bp->bp_htype),
haddrtoa(bp->bp_chaddr, hlen));
}
@@ -766,11 +781,9 @@
/* Run a program, passing the client name as a parameter. */
if (hp->flags.exec_file) {
char tst[100];
- /* XXX - Check string lengths? -gwr */
- strcpy (tst, hp->exec_file->string);
- strcat (tst, " ");
- strcat (tst, hp->hostname->string);
- strcat (tst, " &");
+
+ snprintf(tst, sizeof(tst), "%s %s &", hp->exec_file->string,
+ hp->hostname->string);
if (debug)
report(LOG_INFO, "executing %s", tst);
system(tst); /* Hope this finishes soon... */
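Review bot: The `snprintf` into `tst[100]` now truncates silently, and the truncated string is still handed to `system()`, so an over-long `exec_file` or hostname runs a different command than the one configured (a cut-off argument, or a lost trailing `&` that makes the daemon wait). The return value should be checked and the command skipped when it does not fit. Both strings also reach a shell unquoted; they appear to come from the bootptab entry rather than the packet, but a comment stating that assumption would be worth adding. The enclosing `if` block is left open here as in the hunk.

```c
	char tst[100];
	int len;

	len = snprintf(tst, sizeof(tst), "%s %s &", hp->exec_file->string,
	    hp->hostname->string);
	if (len < 0 || (size_t)len >= sizeof(tst)) {
		/* Never run a truncated command line. */
		report(LOG_ERR, "exec_file command too long for %s",
		    hp->hostname->string);
	} else {
		if (debug)
			report(LOG_INFO, "executing %s", tst);
		system(tst); /* Hope this finishes soon... */
	}
```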
@@ -838,7 +851,7 @@
* daemon chroot directory (i.e. /tftpboot).
*/
if (hp->flags.tftpdir) {
- snprintf(realpath, sizeof(realpath), "%s", hp->tftpdir->string);
+ strlcpy(realpath, hp->tftpdir->string, sizeof(realpath));
clntpath = &realpath[strlen(realpath)];
} else {
realpath[0] = '\0';
@@ -882,14 +895,18 @@
*/
if (homedir) {
if (homedir[0] != '/')
- strcat(clntpath, "/");
- strcat(clntpath, homedir);
+ strlcat(clntpath, "/",
+ sizeof(realpath) - (clntpath - realpath));
+ strlcat(clntpath, homedir,
+ sizeof(realpath) - (clntpath - realpath));
homedir = NULL;
}
if (bootfile) {
if (bootfile[0] != '/')
- strcat(clntpath, "/");
- strcat(clntpath, bootfile);
+ strlcat(clntpath, "/",
+ sizeof(realpath) - (clntpath - realpath));
+ strlcat(clntpath, bootfile,
+ sizeof(realpath) - (clntpath - realpath));
bootfile = NULL;
}
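Review bot: None of the `strlcat` calls in this hunk check their return value, so a home directory plus boot file that exceeds `realpath` is cut short without notice, and the shortened path is what later gets access-checked and sent to the client. The same applies to the `strlcpy` of `tftpdir` in the previous hunk and to the ".host" suffix appends in the next one. The size expression is also repeated six times across these hunks; computing it once, `size_t room = sizeof(realpath) - (clntpath - realpath);`, and testing `if (strlcat(clntpath, bootfile, room) >= room)` to log and reject the request would make the bound easier to audit. The enclosing function starts and ends outside this hunk.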
@@ -897,8 +914,9 @@
* First try to find the file with a ".host" suffix
*/
n = strlen(clntpath);
- strcat(clntpath, ".");
- strcat(clntpath, hp->hostname->string);
+ strlcat(clntpath, ".", sizeof(realpath) - (clntpath - realpath));
+ strlcat(clntpath, hp->hostname->string,
+ sizeof(realpath) - (clntpath - realpath));
if (chk_access(realpath, &bootsize) < 0) {
clntpath[n] = 0; /* Try it without the suffix */
if (chk_access(realpath, &bootsize) < 0) {
@@ -933,7 +951,7 @@
#endif /* CHECK_FILE_ACCESS */
}
}
- strncpy(bp->bp_file, clntpath, BP_FILE_LEN);
+ strlcpy(bp->bp_file, clntpath, sizeof(bp->bp_file));
if (debug > 2)
report(LOG_INFO, "bootfile=\"%s\"", clntpath);
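Review bot: `strlcpy` stops at the terminator, whereas the removed `strncpy` zero-filled the rest of `bp_file`, so bytes after the new string now keep whatever the packet buffer held and are sent out in the reply. If the padding matters, clear the field first with `bzero(bp->bp_file, sizeof(bp->bp_file));`, provided `clntpath` never points into `bp_file` at this point (it appears to point into `realpath`, but that assignment is only partly visible). A path longer than the field is also truncated silently; comparing the `strlcpy` result with `sizeof(bp->bp_file)` and logging the overflow would surface it.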
@@ -1177,7 +1195,7 @@
* domain name server, ien name server, time server
*/
vendp = (struct cmu_vend *) bp->bp_vend;
- strcpy(vendp->v_magic, (char *)vm_cmu);
+ strlcpy(vendp->v_magic, (char *)vm_cmu, sizeof(vendp->v_magic));
if (hp->flags.subnet_mask) {
(vendp->v_smask).s_addr = hp->subnet_mask.s_addr;
(vendp->v_flags) |= VF_SMASK;
Index: getether.c
===================================================================
RCS file: /mnt/ncvs/src/libexec/bootpd/getether.c,v
retrieving revision 1.9
diff -u -r1.9 getether.c
--- getether.c 1999/08/28 00:09:17 1.9
+++ getether.c 2000/11/19 11:12:46
@@ -80,7 +80,7 @@
int nit;
bzero((char *) &ifrnit, sizeof(ifrnit));
- strncpy(&ifrnit.ifr_name[0], ifname, IFNAMSIZ);
+ strlcpy(&ifrnit.ifr_name[0], ifname, IFNAMSIZ);
nit = open("/dev/nit", 0);
if (nit < 0) {
@@ -136,7 +136,7 @@
ifc.ifc_buf = (caddr_t) ibuf;
if (ioctl(fd, SIOCGIFCONF, (char *) &ifc) < 0 ||
ifc.ifc_len < sizeof(struct ifreq)) {
- report(LOG_ERR, "getether: SIOCGIFCONF: %s", get_errmsg);
+ report(LOG_ERR, "getether: SIOCGIFCONF: %s", get_errmsg());
goto out;
}
/* Search interface configuration list for link layer address. */
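Review bot: The `ifc.ifc_len < sizeof(struct ifreq)` arm of this condition is not an ioctl failure, so the text from `get_errmsg()` would presumably describe a stale `errno` when only that arm is true. Splitting the two cases, with a message such as `report(LOG_ERR, "getether: SIOCGIFCONF: short reply");` for the length check, would keep the log accurate. The comparison also mixes the signed `ifc_len` with an unsigned `sizeof`, so a negative length would not be caught by it; a cast or an explicit `ifc.ifc_len < 0` test would close that gap. The function body continues outside the hunk.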
Index: hwaddr.c
===================================================================
RCS file: /mnt/ncvs/src/libexec/bootpd/hwaddr.c,v
retrieving revision 1.7
diff -u -r1.7 hwaddr.c
--- hwaddr.c 1999/08/28 00:09:18 1.7
+++ hwaddr.c 2000/11/19 11:14:02
@@ -33,6 +33,7 @@
#endif
#include <stdio.h>
+#include <stdlib.h>
#ifndef NO_UNISTD
#include <unistd.h>
#endif
@@ -201,7 +202,7 @@
snprintf(buf, sizeof(buf), "arp -d %s; arp -s %s %s temp",
a, a, haddrtoa(haddr, halen));
if (debug > 2)
- report(LOG_INFO, buf);
+ report(LOG_INFO, "%s", buf);
status = system(buf);
if (status)
report(LOG_ERR, "arp failed, exit code=0x%x", status);
@@ -227,7 +228,8 @@
bufptr = haddrbuf;
while (hlen > 0) {
- sprintf(bufptr, "%02X:", (unsigned) (*haddr++ & 0xFF));
+ snprintf(bufptr, sizeof(haddrbuf) - (bufptr - haddrbuf),
+ "%02X:", (unsigned) (*haddr++ & 0xFF));
bufptr += 3;
hlen--;
}
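Review bot: The size passed to `snprintf` does not stop the loop: `bufptr += 3` runs unconditionally, so once `bufptr` passes the end of `haddrbuf` the expression `sizeof(haddrbuf) - (bufptr - haddrbuf)` wraps to a very large unsigned value and the write is unbounded again. The bound belongs in the loop condition, e.g. `while (hlen > 0 && sizeof(haddrbuf) - (bufptr - haddrbuf) > 3) {`. Whether any caller can pass an `hlen` larger than the buffer allows is not visible here; the function starts outside the hunk.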
Index: readfile.c
===================================================================
RCS file: /mnt/ncvs/src/libexec/bootpd/readfile.c,v
retrieving revision 1.6
diff -u -r1.6 readfile.c
--- readfile.c 1999/08/28 00:09:19 1.6
+++ readfile.c 2000/11/19 11:16:33
@@ -342,7 +342,7 @@
#ifdef DEBUG
if (debug > 3) {
char timestr[28];
- strcpy(timestr, ctime(&(st.st_mtime)));
+ strlcpy(timestr, ctime(&(st.st_mtime)), sizeof(timestr));
/* zap the newline */
timestr[24] = '\0';
report(LOG_INFO, "bootptab mtime: %s",
Index: report.c
===================================================================
RCS file: /mnt/ncvs/src/libexec/bootpd/report.c,v
retrieving revision 1.3
diff -u -r1.3 report.c
--- report.c 2000/09/04 05:48:09 1.3
+++ report.c 2000/11/19 11:16:59
@@ -105,7 +105,7 @@
#endif
{
va_list ap;
- static char buf[128];
+ static char buf[256];
if ((priority < 0) || (priority >= numlevels)) {
priority = numlevels - 1;
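Review bot: Doubling `buf` to 256 bytes does not by itself bound the message: elsewhere in this patch `report()` is called with `clntpath`, which can be up to `MAXPATHLEN` bytes long, and with the 100-byte `tst`. The formatting call is outside this hunk, so it should be confirmed that it is size-limited, along the lines of `vsnprintf(buf, sizeof(buf), fmt, ap);` (argument names assumed), rather than an unbounded `vsprintf`. A comment at the declaration stating that messages are truncated to the buffer size would document that contract.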
[-- Attachment #2 --]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org
iEYEARECAAYFAjoXuEEACgkQWry0BWjoQKWupACgrrIVqNPqjF8cL4ll/ZmTt6Xv
EtIAoM4nzepDHKRUMlVgjm2uZcRaIrXm
=Co3H
-----END PGP SIGNATURE-----
