Date:      Sun, 1 Nov 1998 18:42:13 -0500 (EST)
From:      "Matthew N. Dodd" <winter@jurai.net>
To:        freebsd-security@FreeBSD.ORG
Subject:   SSH vsprintf patch. (You've been warned Mr. Glass)
Message-ID:  <Pine.BSF.4.02.9811011839140.17054-200000@sasami.jurai.net>

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.
  Send mail to mime@docserver.cac.washington.edu for more info.

--0-283913581-909963733=:17054
Content-Type: TEXT/PLAIN; charset=US-ASCII


Look for details on this tomorrow but here is a patch that addresses the
vsprintf calls in ssh 1.2.26.

--- log-server.c.orig	Sun Nov  1 18:21:57 1998
+++ log-server.c	Sun Nov  1 18:20:39 1998
@@ -134,7 +134,7 @@
   if (log_quiet)
     return;
   va_start(args, fmt);
-  vsprintf(buf, fmt, args);
+  vsnprintf(buf, sizeof(buf), fmt, args);
   va_end(args);
   if (log_on_stderr)
     fprintf(stderr, "log: %s\n", buf);
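Review bot: `sizeof(buf)` is only a correct bound where `buf` is a local array, and its declaration lies outside this hunk and every other log-server.c and packet.c hunk; only the scp.c hunk shows `char buf[1024];`. If any of these were a pointer, the limit would quietly become the pointer size, so each declaration is worth confirming before this is applied. The return value is also discarded, so an over-long message is cut without any marker in the log. If the build may link an older or bundled vsnprintf that does not guarantee termination on truncation, adding `buf[sizeof(buf) - 1] = '\0';` after each call is a cheap safeguard. The enclosing function starts and ends outside the hunk.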
@@ -175,7 +175,7 @@
   if (log_quiet)
     return;
   va_start(args, fmt);
-  vsprintf(buf, fmt, args);
+  vsnprintf(buf, sizeof(buf), fmt, args);
   va_end(args);
   if (log_on_stderr)
     fprintf(stderr, "log: %s\n", buf);
@@ -191,7 +191,7 @@
   if (!log_debug || log_quiet)
     return;
   va_start(args, fmt);
-  vsprintf(buf, fmt, args);
+  vsnprintf(buf, sizeof(buf), fmt, args);
   va_end(args);
   if (log_on_stderr)
     fprintf(stderr, "debug: %s\n", buf);
@@ -207,7 +207,7 @@
   if (log_quiet)
     return;
   va_start(args, fmt);
-  vsprintf(buf, fmt, args);
+  vsnprintf(buf, sizeof(buf), fmt, args);
   va_end(args);
   if (log_on_stderr)
     fprintf(stderr, "error: %s\n", buf);
@@ -302,7 +302,7 @@
   if (log_quiet)
     exit(1);
   va_start(args, fmt);
-  vsprintf(buf, fmt, args);
+  vsnprintf(buf, sizeof(buf), fmt, args);
   va_end(args);
   if (log_on_stderr)
     fprintf(stderr, "fatal: %s\n", buf);
@@ -321,7 +321,7 @@
   if (log_quiet)
     exit(1);
   va_start(args, fmt);
-  vsprintf(buf, fmt, args);
+  vsnprintf(buf, sizeof(buf), fmt, args);
   va_end(args);
   if (log_on_stderr)
     fprintf(stderr, "fatal: %s\n", buf);
--- packet.c.orig	Sun Nov  1 18:16:33 1998
+++ packet.c	Sun Nov  1 18:25:11 1998
@@ -693,7 +693,7 @@
   va_list args;
   
   va_start(args, fmt);
-  vsprintf(buf, fmt, args);
+  vsnprintf(buf, sizeof(buf), fmt, args);
   va_end(args);
   
   packet_start(SSH_MSG_DEBUG);
@@ -719,7 +719,7 @@
   /* Format the message.  Note that the caller must make sure the message
      is of limited size. */
   va_start(args, fmt);
-  vsprintf(buf, fmt, args);
+  vsnprintf(buf, sizeof(buf), fmt, args);
   va_end(args);
 
   /* Send the disconnect message to the other side, and wait for it to get 
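Review bot: The context comment above the call still says "the caller must make sure the message is of limited size", which no longer describes the contract once the write is bounded by `sizeof(buf)`. I would reword it to something like `/* Format the message; anything that does not fit in buf is truncated. */` so a later reader does not assume callers are still responsible for the length. The function body continues past the end of this hunk, so how the truncated text is then sent is not visible here.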
--- scp.c.orig	Sun Nov  1 18:16:41 1998
+++ scp.c	Sun Nov  1 18:25:56 1998
@@ -332,7 +332,7 @@
   char buf[1024];
 
   va_start(ap, fmt);
-  vsprintf(buf, fmt, ap);
+  vsnprintf(buf, sizeof(buf), fmt, ap);
   va_end(ap);
   fprintf(stderr, "%s\n", buf);
   exit(255);

-- 
| Matthew N. Dodd  | 78 280Z | 75 164E | 84 245DL | FreeBSD/NetBSD/Sprite/VMS |
| winter@jurai.net |      This Space For Rent     | ix86,sparc,m68k,pmax,vax  |
| http://www.jurai.net/~winter | Are you k-rad elite enough for my webpage?   |

--0-283913581-909963733=:17054
Content-Type: TEXT/PLAIN; charset=US-ASCII; name="vsprintf.patch"
Content-Transfer-Encoding: BASE64
Content-ID: <Pine.BSF.4.02.9811011842130.17054@sasami.jurai.net>
Content-Description: 
Content-Disposition: attachment; filename="vsprintf.patch"
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--0-283913581-909963733=:17054--
