Date: Wed, 25 Apr 2001 03:32:07 -0700 From: Kris Kennaway <kris@obsecurity.org> To: dhcp-client@isc.org Cc: audit@FreeBSD.org Subject: Format string security patches Message-ID: <20010425033207.A68532@xor.obsecurity.org>
--4Ckj6UjgE2iN1+kY
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Hi there,
The following patches are against the DHCP 2.0pl5 code, and include a
number of format string errors which may be exploitable under the
right (wrong) circumstances (I didn't check too closely yet), as well
as a number which are trivial and just silence compiler warnings.
There are also several bugs due to missing format string arguments
which I came across and fixed -- one or two I had to guess from
context.
Please send me back a copy of the version of this patch which you
eventually apply to your CVS repository so I can import the same patch
into FreeBSD -- thanks.
Kris
P.S. I couldn't find a contact address on the ISC website for
security issues, so I hope this list is acceptable. The website
contains a PGP key presumably for use in security matters, but doesn't
give a contact address with which to use it to contact ISC developers
directly.
Index: client/clparse.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /mnt/ncvs/src/contrib/isc-dhcp/client/clparse.c,v
retrieving revision 1.6
diff -u -r1.6 clparse.c
--- client/clparse.c 2000/07/20 09:56:18 1.6
+++ client/clparse.c 2001/04/25 10:09:46
@@ -389,7 +389,7 @@
break;
}
if (i =3D=3D 256) {
- parse_warn ("%s: expected option name.");
+ parse_warn ("%s: expected option name.", val);
skip_to_semi (cfile);
return 0;
}
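Review bot: The `val` added as the `%s` argument on the `parse_warn` line is one of the arguments the cover letter says had to be guessed from context, and nothing in the hunk shows its type or that it still holds the token that failed to match; the enclosing function starts outside the hunk. Confirm that `val` is the `char *` token text at this point (the loop over `i` up to 256 looks like an option-name lookup, but that is inferred). If another variable holds the unmatched name, passing `val` here prints the wrong text rather than failing, so it deserves a deliberate check instead of relying on the compiler to catch it.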
Index: client/dhclient.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /mnt/ncvs/src/contrib/isc-dhcp/client/dhclient.c,v
retrieving revision 1.18
diff -u -r1.18 dhclient.c
--- client/dhclient.c 2000/11/04 19:59:11 1.18
+++ client/dhclient.c 2001/04/25 10:10:44
@@ -178,11 +178,11 @@
=20
if (!quiet) {
note ("%s %s", message, DHCP_VERSION);
- note (copyright);
- note (arr);
+ note ("%s", copyright);
+ note ("%s", arr);
note ("");
- note (contrib);
- note (url);
+ note ("%s", contrib);
+ note ("%s", url);
note ("");
} else
log_perror =3D 0;
@@ -293,12 +293,12 @@
static void usage (appname)
char *appname;
{
- note (message);
- note (copyright);
- note (arr);
+ note ("%s", message);
+ note ("%s", copyright);
+ note ("%s", arr);
note ("");
- note (contrib);
- note (url);
+ note ("%s", contrib);
+ note ("%s", url);
note ("");
=20
warn ("Usage: %s [-D] [-d] [-p <port>] [-cf conf-file]", appname);
Index: common/bpf.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /mnt/ncvs/src/contrib/isc-dhcp/common/bpf.c,v
retrieving revision 1.1.1.5
diff -u -r1.1.1.5 bpf.c
--- common/bpf.c 1999/06/23 23:39:42 1.1.1.5
+++ common/bpf.c 2001/04/25 10:12:06
@@ -249,7 +249,7 @@
error ("Can't get bpf buffer length: %m");
info -> rbuf =3D malloc (info -> rbuf_max);
if (!info -> rbuf)
- error ("Can't allocate %d bytes for bpf input buffer.");
+ error ("Can't allocate %d bytes for bpf input buffer.", info -> rbuf_max=
);
info -> rbuf_offset =3D 0;
info -> rbuf_len =3D 0;
=20
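Review bot: `info -> rbuf_max` is handed to `malloc` two lines above, so it is most likely a `size_t` (its declaration is outside the hunk), and `%d` would then be the wrong conversion for it; the new argument fixes the missing-argument bug but may still be flagged by `-Wformat` once the attribute added in dhcpd.h is in effect. Since this codebase predates `%zu`, the portable form is `error ("Can't allocate %lu bytes for bpf input buffer.", (unsigned long) info -> rbuf_max);`. The `=` at the end of the `+` line and the lone `);` that follows are a quoted-printable soft line break from the mail archive, not part of the patch; the statement is a single line.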
Index: common/errwarn.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /mnt/ncvs/src/contrib/isc-dhcp/common/errwarn.c,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 errwarn.c
--- common/errwarn.c 1999/02/10 09:10:13 1.1.1.1
+++ common/errwarn.c 2001/04/25 10:08:43
@@ -71,7 +71,7 @@
va_end (list);
=20
#ifndef DEBUG
- syslog (log_priority | LOG_ERR, mbuf);
+ syslog (log_priority | LOG_ERR, "%s", mbuf);
#endif
=20
/* Also log it to stderr? */
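Review bot: The `"%s"` fix covers only the syslog sink under `#ifndef DEBUG`; the stderr path that follows (`/* Also log it to stderr? */` here, and the `if (log_perror)` branches in the hunks at -104, -130, -156 and -231) lies outside each hunk and is not shown, so check that it too writes `mbuf` with a literal format, e.g. `fprintf (stderr, "%s\n", mbuf)` or a plain `write`, rather than as the format argument. The five hunks in this file make the same change and this note applies to all of them; the enclosing functions start outside their hunks. A one-line comment above each syslog call, `/* mbuf is already formatted: never pass it as the format string */`, would keep a later cleanup from reverting the fix.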
@@ -104,7 +104,7 @@
va_end (list);
=20
#ifndef DEBUG
- syslog (log_priority | LOG_ERR, mbuf);
+ syslog (log_priority | LOG_ERR, "%s", mbuf);
#endif
=20
if (log_perror) {
@@ -130,7 +130,7 @@
va_end (list);
=20
#ifndef DEBUG
- syslog (log_priority | LOG_INFO, mbuf);
+ syslog (log_priority | LOG_INFO, "%s", mbuf);
#endif
=20
if (log_perror) {
@@ -156,7 +156,7 @@
va_end (list);
=20
#ifndef DEBUG
- syslog (log_priority | LOG_DEBUG, mbuf);
+ syslog (log_priority | LOG_DEBUG, "%s", mbuf);
#endif
=20
if (log_perror) {
@@ -231,8 +231,8 @@
va_end (list);
=20
#ifndef DEBUG
- syslog (log_priority | LOG_ERR, mbuf);
- syslog (log_priority | LOG_ERR, token_line);
+ syslog (log_priority | LOG_ERR, "%s", mbuf);
+ syslog (log_priority | LOG_ERR, "%s", token_line);
if (lexline < 81)
syslog (log_priority | LOG_ERR,
"%s^", &spaces [sizeof spaces - lexchar]);
Index: common/print.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /mnt/ncvs/src/contrib/isc-dhcp/common/print.c,v
retrieving revision 1.1.1.3
diff -u -r1.1.1.3 print.c
--- common/print.c 1999/02/28 20:34:39 1.1.1.3
+++ common/print.c 2001/04/25 10:13:19
@@ -150,7 +150,7 @@
for (i =3D 0; i < len; i++) {
if ((i & 15) =3D=3D 0) {
if (lbix)
- note (lbuf);
+ note ("%s", lbuf);
sprintf (lbuf, "%03x:", i);
lbix =3D 4;
} else if ((i & 7) =3D=3D 0)
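Review bot: The `sprintf` calls that fill `lbuf` in this hunk and the next (`sprintf (lbuf, "%03x:", i)` and `sprintf (&lbuf [lbix], " %02x", buf [i])`) are unbounded and the size of `lbuf` is declared outside the hunk; each output line needs room for the 4-byte prefix, sixteen 3-byte cells, whatever the `(i & 7) == 0` branch appends (cut between the two hunks) and the terminator. If `buf` is a plain `char *` rather than `unsigned char *`, a byte at or above 0x80 is sign-extended and `%02x` prints eight hex digits instead of two, which would exceed that budget; the parameter type is not visible here since `dump_raw`'s signature is above the hunk. Bounding the write and forcing the byte type, `snprintf (&lbuf [lbix], sizeof lbuf - lbix, " %02x", (unsigned char) buf [i]);`, removes both concerns, provided `lbuf` is an array so that `sizeof lbuf` is its real size.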
@@ -158,7 +158,7 @@
sprintf (&lbuf [lbix], " %02x", buf [i]);
lbix +=3D 3;
}
- note (lbuf);
+ note ("%s", lbuf);
}
=20
void hash_dump (table)
@@ -178,7 +178,7 @@
if (bp -> len)
dump_raw (bp -> name, bp -> len);
else
- note ((char *)bp -> name);
+ note ("%s", (char *)bp -> name);
}
}
}
Index: common/tree.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /mnt/ncvs/src/contrib/isc-dhcp/common/tree.c,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 tree.c
--- common/tree.c 1999/02/10 09:10:13 1.1.1.1
+++ common/tree.c 2001/04/25 10:13:53
@@ -275,7 +275,7 @@
return t1;
=20
default:
- warn ("Bad node id in tree: %d.");
+ warn ("Bad node id in tree: %d.", tree -> op);
t1 =3D MAX_TIME;
return t1;
}
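Review bot: `tree -> op` as the `%d` argument is one of the arguments the cover letter says was guessed from context; the `switch` head is above the hunk, so confirm that `op` is the field being switched on and that it is an `int` or enum (anything else would need a cast to match `%d`). The `default:` arm also returns `MAX_TIME` as its result, so a short comment such as `/* unknown node type: return MAX_TIME so the caller sees the failure */` would make the sentinel explicit, if that is indeed the convention callers rely on.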
Index: includes/dhcpd.h
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /mnt/ncvs/src/contrib/isc-dhcp/includes/dhcpd.h,v
retrieving revision 1.1.1.6
diff -u -r1.1.1.6 dhcpd.h
--- includes/dhcpd.h 2000/07/20 08:36:42 1.1.1.6
+++ includes/dhcpd.h 2001/04/25 10:11:24
@@ -487,11 +487,11 @@
=20
/* errwarn.c */
extern int warnings_occurred;
-void error PROTO ((char *, ...));
-int warn PROTO ((char *, ...));
-int note PROTO ((char *, ...));
-int debug PROTO ((char *, ...));
-int parse_warn PROTO ((char *, ...));
+void error PROTO ((char *, ...)) __attribute__((format(printf, 1, 2)));
+int warn PROTO ((char *, ...)) __attribute__((format(printf, 1, 2)));
+int note PROTO ((char *, ...)) __attribute__((format(printf, 1, 2)));
+int debug PROTO ((char *, ...)) __attribute__((format(printf, 1, 2)));
+int parse_warn PROTO ((char *, ...)) __attribute__((format(printf, 1, 2)));
=20
/* dhcpd.c */
extern TIME cur_time;
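Review bot: `__attribute__((format(printf, 1, 2)))` is written directly into the prototypes, but this header already routes parameter lists through `PROTO (())` to stay buildable on pre-ANSI compilers, and any non-GCC compiler will reject the attribute outright. Wrap it in a macro that expands to nothing when `__GNUC__` is not defined and use that macro on the five prototypes here and on `client_envadd` in the hunk at -905, which needs `(4, 5)`. The `=` ending the `client_envadd` line in that hunk is a quoted-printable soft break from the archive, not part of the patch.
```c
/* Let GCC check printf-style calls; expands to nothing on other compilers. */
#if defined(__GNUC__)
#define PRINTF_LIKE(fmt, args) __attribute__((format(printf, fmt, args)))
#else
#define PRINTF_LIKE(fmt, args)
#endif

/* errwarn.c */
extern int warnings_occurred;
void error PROTO ((char *, ...)) PRINTF_LIKE(1, 2);
int warn PROTO ((char *, ...)) PRINTF_LIKE(1, 2);
int note PROTO ((char *, ...)) PRINTF_LIKE(1, 2);
int debug PROTO ((char *, ...)) PRINTF_LIKE(1, 2);
int parse_warn PROTO ((char *, ...)) PRINTF_LIKE(1, 2);
```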
@@ -905,7 +905,7 @@
char *, struct client_lease *));
int script_go PROTO ((struct interface_info *));
void client_envadd PROTO ((struct client_state *,
- const char *, const char *, const char *, ...));
+ const char *, const char *, const char *, ...)) __attribute__((forma=
t(printf, 4, 5)));
int dhcp_option_ev_name (char *, size_t, struct option *);
=20
struct client_lease *packet_to_lease PROTO ((struct packet *));
--4Ckj6UjgE2iN1+kY
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org
iD8DBQE65qemWry0BWjoQKURAnAjAKCf+kgrHOiai1nAm1fAbTIcL+EUXACgjlnn
wZ8o6a8skPVk8hB2EQ/ipQ0=
=U3Jf
-----END PGP SIGNATURE-----
--4Ckj6UjgE2iN1+kY--
