FreeBSD Mail Archives

Date:      Sun, 29 Apr 2001 01:54:48 -0700
From:      Kris Kennaway <kris@obsecurity.org>
To:        audit@FreeBSD.org
Subject:   CTM fixes
Message-ID:  <20010429015448.A76638@xor.obsecurity.org>

next in thread | raw e-mail | index | archive | help


[-- Attachment #1 --]
Please review the following patch.  It contains the following changes:

* fix ctm(8) to use mkstemp() instead of tempnam() for tempfile
  creation.

* Tag the internal err() function with __printflike to allow checking
  for non-constant format string arguments (none exist)

* Use fmtcheck() to sanitize the tar command obtained via -t to make
  sure it doesn't contain extraneous format operators.

Kris

Index: ctm/ctm_pass2.c
===================================================================
RCS file: /mnt/ncvs/src/usr.sbin/ctm/ctm/ctm_pass2.c,v
retrieving revision 1.18
diff -u -r1.18 ctm_pass2.c
--- ctm/ctm_pass2.c	2000/01/15 19:45:18	1.18
+++ ctm/ctm_pass2.c	2001/04/29 08:53:53
@@ -22,7 +22,7 @@
 {
     u_char *p,*q,*md5=0;
     MD5_CTX ctx;
-    int i,j,sep,cnt;
+    int i,j,sep,cnt,fdesc;
     u_char *trash=0,*name=0;
     struct CTM_Syntax *sp;
     struct stat st;
@@ -31,6 +31,7 @@
     char md5_1[33];
     struct CTM_Filter *filter;
     FILE *ed = NULL;
+    static char *template = NULL;
 
     if(Verbose>3)
 	printf("Pass2 -- Checking if CTM-patch will apply\n");
@@ -187,8 +188,37 @@
 		    GETDATA(trash,cnt);
 		    if (!match)
 			break;
+		    if (!template) {
+			if (asprintf(&template, "%s/CTMclientXXXXXX",
+				TmpDir) == -1) {
+			    fprintf(stderr, "  %s: malloc failed.\n",
+				sp->Key);
+			    ret |= Exit_Mess;
+			    return ret;
+		        }
+		    }
 		    if(!strcmp(sp->Key,"FN")) {
-			p = tempnam(TmpDir,"CTMclient");
+			if ((p = strdup(template)) == NULL) {
+			    fprintf(stderr, "  %s: malloc failed.\n",
+				sp->Key);
+			    ret |= Exit_Mess;
+			    return ret;
+			}
+			if ((fdesc = mkstemp(p)) == -1) {
+			    fprintf(stderr, "  %s: mkstemp failed.\n",
+				sp->Key);
+			    ret |= Exit_Mess;
+			    Free(p);
+			    return ret;
+			}
+			if (close(fdesc) == -1) {
+			    fprintf(stderr, "  %s: close failed.\n",
+				sp->Key);
+			    ret |= Exit_Mess;
+			    unlink(p);
+			    Free(p);
+			    return ret;
+			}
 			j = ctm_edit(trash,cnt,name,p);
 			if(j) {
 			    fprintf(stderr,"  %s: %s edit returned %d.\n",
@@ -208,7 +238,27 @@
 		        unlink(p);
 			Free(p);
 		    } else if (!strcmp(sp->Key,"FE")) {
-			p = tempnam(TmpDir,"CTMclient");
+			if ((p = strdup(template)) == NULL) {
+			    fprintf(stderr, "  %s: malloc failed.\n",
+				sp->Key);
+			    ret |= Exit_Mess;
+			    return ret;
+			}
+			if ((fdesc = mkstemp(p)) == -1) {
+			    fprintf(stderr, "  %s: mkstemp failed.\n",
+				sp->Key);
+			    ret |= Exit_Mess;
+			    Free(p);
+			    return ret;
+			}
+			if (close(fdesc) == -1) {
+			    fprintf(stderr, "  %s: close failed.\n",
+				sp->Key);
+			    ret |= Exit_Mess;
+			    unlink(p);
+			    Free(p);
+			    return ret;
+			}
 			ed = popen("ed","w");
 			if (!ed) {
 			    WRONG
Index: ctm/ctm_passb.c
===================================================================
RCS file: /mnt/ncvs/src/usr.sbin/ctm/ctm/ctm_passb.c,v
retrieving revision 1.5
diff -u -r1.5 ctm_passb.c
--- ctm/ctm_passb.c	1999/08/28 01:16:00	1.5
+++ ctm/ctm_passb.c	2001/04/29 08:47:31
@@ -36,7 +36,7 @@
 	printf("PassB -- Backing up files which would be changed.\n");
 
     MD5Init (&ctx);
-    sprintf(buf, TarCmd, BackupFile);
+    snprintf(buf, sizeof(buf), fmtcheck(TarCmd, TARCMD), BackupFile);
     b=popen(buf, "w");
     if(!b) { warn("%s", buf); return Exit_Garbage; }
 
Index: ctm_rmail/error.c
===================================================================
RCS file: /mnt/ncvs/src/usr.sbin/ctm/ctm_rmail/error.c,v
retrieving revision 1.2
diff -u -r1.2 error.c
--- ctm_rmail/error.c	1995/02/25 05:10:18	1.2
+++ ctm_rmail/error.c	2001/04/29 08:48:56
@@ -58,7 +58,7 @@
  * decoded and appended.
  */
 void
-err(char *fmt, ...)
+err(const char *fmt, ...)
     {
     va_list ap;
     time_t now;
Index: ctm_rmail/error.h
===================================================================
RCS file: /mnt/ncvs/src/usr.sbin/ctm/ctm_rmail/error.h,v
retrieving revision 1.1
diff -u -r1.1 error.h
--- ctm_rmail/error.h	1995/01/31 19:12:41	1.1
+++ ctm_rmail/error.h	2001/04/29 08:49:05
@@ -1,3 +1,3 @@
 extern	void	err_set_log(char *log_file);
 extern	void	err_prog_name(char *name);
-extern	void	err(char *fmt, ...);
+extern	void	err(const char *fmt, ...) __printflike(1, 2);


[-- Attachment #2 --]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE669bYWry0BWjoQKURAnYmAKDiOJKXlWHAKDECTz+Nl7NLVEP/BACdGzdW
qCx0kd7roJGXYozVF78DWwM=
=TtaU
-----END PGP SIGNATURE-----

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010429015448.A76638>

Header And Logo

Peripheral Links

Site Navigation

Header And Logo

Peripheral Links

Search

Site Navigation