From owner-freebsd-audit Wed Apr 25 3:32:21 2001 Delivered-To: freebsd-audit@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-27.dsl.lsan03.pacbell.net [63.207.60.27]) by hub.freebsd.org (Postfix) with ESMTP id 12DBF37B422 for ; Wed, 25 Apr 2001 03:32:12 -0700 (PDT) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id B0A8F66DF6; Wed, 25 Apr 2001 03:32:07 -0700 (PDT) Date: Wed, 25 Apr 2001 03:32:07 -0700 
From: Kris Kennaway To: dhcp-client@isc.org Cc: audit@FreeBSD.org Subject: Format string security patches Message-ID: <20010425033207.A68532@xor.obsecurity.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="4Ckj6UjgE2iN1+kY" Content-Disposition: inline User-Agent: Mutt/1.2.5i Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG --4Ckj6UjgE2iN1+kY Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hi there, The following patches are against the DHCP 2.0pl5 code, and include a number of format string errors which may be exploitable under the right (wrong) circumstances (I didn't check too closely yet), as well as a number which are trivial and just silence compiler warnings. There are also several bugs due to missing format string arguments which I came across and fixed -- one or two I had to guess from context. Please send me back a copy of the version of this patch which you eventually apply to your CVS repository so I can import the same patch into FreeBSD -- thanks. Kris P.S. I couldn't find a contact address on the ISC website for security issues, so I hope this list is acceptible. The website contains a PGP key presumably for use in security matters, but doesn't give a contact address with which to use it to contact ISC developers directly. Index: client/clparse.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /mnt/ncvs/src/contrib/isc-dhcp/client/clparse.c,v retrieving revision 1.6 diff -u -r1.6 clparse.c --- client/clparse.c 2000/07/20 09:56:18 1.6 +++ client/clparse.c 2001/04/25 10:09:46 
@@ -389,7 +389,7 @@ break; } if (i =3D=3D 256) { - parse_warn ("%s: expected option name."); + parse_warn ("%s: expected option name.", val); skip_to_semi (cfile); return 0; } Index: client/dhclient.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /mnt/ncvs/src/contrib/isc-dhcp/client/dhclient.c,v retrieving revision 1.18 diff -u -r1.18 dhclient.c --- client/dhclient.c 2000/11/04 19:59:11 1.18 +++ client/dhclient.c 2001/04/25 10:10:44 @@ -178,11 +178,11 @@ =20 if (!quiet) { note ("%s %s", message, DHCP_VERSION); - note (copyright); - note (arr); + note ("%s", copyright); + note ("%s", arr); note (""); - note (contrib); - note (url); + note ("%s", contrib); + note ("%s", url); note (""); } else log_perror =3D 0; @@ -293,12 +293,12 @@ static void usage (appname) char *appname; { - note (message); - note (copyright); - note (arr); + note ("%s", message); + note ("%s", copyright); + note ("%s", arr); note (""); - note (contrib); - note (url); + note ("%s", contrib); + note ("%s", url); note (""); =20 warn ("Usage: %s [-D] [-d] [-p ] [-cf conf-file]", appname); Index: common/bpf.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /mnt/ncvs/src/contrib/isc-dhcp/common/bpf.c,v retrieving revision 1.1.1.5 diff -u -r1.1.1.5 bpf.c --- common/bpf.c 1999/06/23 23:39:42 1.1.1.5 +++ common/bpf.c 2001/04/25 10:12:06 
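Review bot: The `val` supplied on the added `parse_warn` line is one of the arguments the cover letter says was guessed from context, and nothing in this hunk declares or assigns it, so confirm it is the current token text (presumably the string the lexer stored before the 256-entry option-name loop) and not a stale or uninitialised pointer, since `%s` on a bad pointer turns a warning into a crash or a leak of memory into the log. The format attribute added to `parse_warn` in dhcpd.h only catches a missing argument, not a wrong one, so this guess needs a human check. The enclosing function starts and ends outside the hunk.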
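Review bot: The `"%s"` wrapping of `copyright`, `arr`, `contrib` and `url` looks redundant to a reader who knows they are constants, and the next maintainer is likely to "simplify" it back, so the `if (!quiet)` block deserves a one-line comment such as `/* note () is printf-like: pass text as an argument, never as the format */`. The rewrite is otherwise consistent with the `note ("%s %s", message, DHCP_VERSION)` context line above it. The `else log_perror = 0;` branch is unchanged and its surrounding function continues outside the hunk.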
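Review bot: The six banner lines in `usage ()` are now a verbatim copy of the ones in the `!quiet` block of the previous hunk, and the patch had to touch both copies for the same fix, which is the usual sign that they belong in one static helper. The split below keeps the only difference (startup prints `message` with `DHCP_VERSION`, usage prints `message` alone) at the call sites and puts the shared part, with the why-comment, in one place. The function uses the file's K&R style; `usage ()` continues past the hunk with the `warn ("Usage: ...")` line.
```c
/* Banner shared by startup and usage (). note () is printf-like, so the
   constant strings are passed as arguments, never as the format. */
static void print_banner ()
{
	note ("%s", copyright);
	note ("%s", arr);
	note ("");
	note ("%s", contrib);
	note ("%s", url);
	note ("");
}

static void usage (appname)
	char *appname;
{
	note ("%s", message);
	print_banner ();
	/* ... unchanged: warn ("Usage: ...", appname) ... */
```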
@@ -249,7 +249,7 @@ error ("Can't get bpf buffer length: %m"); info -> rbuf =3D malloc (info -> rbuf_max); if (!info -> rbuf) - error ("Can't allocate %d bytes for bpf input buffer."); + error ("Can't allocate %d bytes for bpf input buffer.", info -> rbuf_max= ); info -> rbuf_offset =3D 0; info -> rbuf_len =3D 0; =20 Index: common/errwarn.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /mnt/ncvs/src/contrib/isc-dhcp/common/errwarn.c,v retrieving revision 1.1.1.1 diff -u -r1.1.1.1 errwarn.c --- common/errwarn.c 1999/02/10 09:10:13 1.1.1.1 +++ common/errwarn.c 2001/04/25 10:08:43 @@ -71,7 +71,7 @@ va_end (list); =20 #ifndef DEBUG - syslog (log_priority | LOG_ERR, mbuf); + syslog (log_priority | LOG_ERR, "%s", mbuf); #endif =20 /* Also log it to stderr? */ @@ -104,7 +104,7 @@ va_end (list); =20 #ifndef DEBUG - syslog (log_priority | LOG_ERR, mbuf); + syslog (log_priority | LOG_ERR, "%s", mbuf); #endif =20 if (log_perror) { @@ -130,7 +130,7 @@ va_end (list); =20 #ifndef DEBUG - syslog (log_priority | LOG_INFO, mbuf); + syslog (log_priority | LOG_INFO, "%s", mbuf); #endif =20 if (log_perror) { @@ -156,7 +156,7 @@ va_end (list); =20 #ifndef DEBUG - syslog (log_priority | LOG_DEBUG, mbuf); + syslog (log_priority | LOG_DEBUG, "%s", mbuf); #endif =20 if (log_perror) { 
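Review bot: `%d` on the added `error` line assumes `info -> rbuf_max` is a signed `int`, but the value was just read from the bpf device (the context line above reports a failed attempt to get the bpf buffer length, which on BSD fills a `u_int`), so if the field is unsigned the specifier should be `%u`; since `malloc` was passed the same value, `%lu` with a `(unsigned long)` cast is the portable choice if its type is not `int`. With the `format (printf, 1, 2)` attribute the patch adds to `error` in dhcpd.h this mismatch will now produce a compile-time warning rather than stay silent. The `rbuf_max= );` split is a quoted-printable soft line break from the mail transport, not part of the patch. The enclosing function continues outside the hunk.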
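Review bot: The `"%s"` here is the security-relevant fix of the whole patch, because `mbuf` has already been formatted from the caller's arguments (the `va_end (list)` context line shows the vararg pass just finished), so anything a peer could place in a logged string was previously interpreted by `syslog` as a format; that deserves a comment on the new line so it is never undone, e.g. `/* mbuf is already formatted and may carry remote data: never use it as the format */`. The call that fills `mbuf` sits above the hunk; if it is an unbounded `vsprintf` rather than `vsnprintf (mbuf, sizeof mbuf, ...)`, the same inputs can overflow `mbuf` and should be audited in this pass. The `/* Also log it to stderr? */` path below the hunk should be checked for the same pattern (`fprintf (stderr, mbuf)` would reintroduce the bug). The enclosing function starts and ends outside the hunk.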
@@ -231,8 +231,8 @@ va_end (list); =20 #ifndef DEBUG - syslog (log_priority | LOG_ERR, mbuf); - syslog (log_priority | LOG_ERR, token_line); + syslog (log_priority | LOG_ERR, "%s", mbuf); + syslog (log_priority | LOG_ERR, "%s", token_line); if (lexline < 81) syslog (log_priority | LOG_ERR, "%s^", &spaces [sizeof spaces - lexchar]); Index: common/print.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /mnt/ncvs/src/contrib/isc-dhcp/common/print.c,v retrieving revision 1.1.1.3 diff -u -r1.1.1.3 print.c --- common/print.c 1999/02/28 20:34:39 1.1.1.3 +++ common/print.c 2001/04/25 10:13:19 @@ -150,7 +150,7 @@ for (i =3D 0; i < len; i++) { if ((i & 15) =3D=3D 0) { if (lbix) - note (lbuf); + note ("%s", lbuf); sprintf (lbuf, "%03x:", i); lbix =3D 4; } else if ((i & 7) =3D=3D 0) @@ -158,7 +158,7 @@ sprintf (&lbuf [lbix], " %02x", buf [i]); lbix +=3D 3; } - note (lbuf); + note ("%s", lbuf); } =20 void hash_dump (table) @@ -178,7 +178,7 @@ if (bp -> len) dump_raw (bp -> name, bp -> len); else - note ((char *)bp -> name); + note ("%s", (char *)bp -> name); } } } Index: common/tree.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /mnt/ncvs/src/contrib/isc-dhcp/common/tree.c,v retrieving revision 1.1.1.1 diff -u -r1.1.1.1 tree.c --- common/tree.c 1999/02/10 09:10:13 1.1.1.1 +++ common/tree.c 2001/04/25 10:13:53 
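Review bot: The guard on the context line right after the two added `syslog` calls tests `lexline < 81`, but the expression it protects indexes with `lexchar` (`&spaces [sizeof spaces - lexchar]`), so a long input line with `lexchar` larger than `sizeof spaces` forms a pointer before the start of `spaces` and logs whatever precedes it; unless `lexchar` is bounded by the lexer (its declaration is not in this hunk), the test should be on the column, `if (lexchar > 0 && lexchar < sizeof spaces)`. The `lexchar > 0` part matters too, because `lexchar == 0` yields `&spaces [sizeof spaces]`, one past the terminating NUL. The two `"%s"` additions themselves are correct, and `token_line` is the more important of the two since it holds raw configuration text. The enclosing function starts and ends outside the hunk.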
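Review bot: The hard-coded `lbix = 4` on the context line after `sprintf (lbuf, "%03x:", i)` only holds while `i < 0x1000`; `%03x` is a minimum width, so for larger offsets the prefix is five or more characters and the following `sprintf (&lbuf [lbix], " %02x", buf [i])` overwrites the colon. The robust form is to take the count from the call, `lbix = sprintf (lbuf, "%03x:", i);`, which costs nothing. The size of `lbuf` is not visible in the hunk, so whether the per-byte writes are bounded for the line length cannot be confirmed from here. The `"%s"` fix on the `note` line is correct since `lbuf` is built from packet bytes. `dump_raw` begins and ends outside the hunk.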
@@ -275,7 +275,7 @@ return t1; =20 default: - warn ("Bad node id in tree: %d."); + warn ("Bad node id in tree: %d.", tree -> op); t1 =3D MAX_TIME; return t1; } Index: includes/dhcpd.h =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /mnt/ncvs/src/contrib/isc-dhcp/includes/dhcpd.h,v retrieving revision 1.1.1.6 diff -u -r1.1.1.6 dhcpd.h --- includes/dhcpd.h 2000/07/20 08:36:42 1.1.1.6 +++ includes/dhcpd.h 2001/04/25 10:11:24 @@ -487,11 +487,11 @@ =20 /* errwarn.c */ extern int warnings_occurred; -void error PROTO ((char *, ...)); -int warn PROTO ((char *, ...)); -int note PROTO ((char *, ...)); -int debug PROTO ((char *, ...)); -int parse_warn PROTO ((char *, ...)); +void error PROTO ((char *, ...)) __attribute__((format(printf, 1, 2))); +int warn PROTO ((char *, ...)) __attribute__((format(printf, 1, 2))); +int note PROTO ((char *, ...)) __attribute__((format(printf, 1, 2))); +int debug PROTO ((char *, ...)) __attribute__((format(printf, 1, 2))); +int parse_warn PROTO ((char *, ...)) __attribute__((format(printf, 1, 2))); =20 /* dhcpd.c */ extern TIME cur_time; 
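Review bot: `tree -> op` on the added `warn` line is a guessed argument (the cover letter says one or two were inferred from context), and the `switch` whose `default:` this is lies above the hunk, so confirm that `op` is indeed the value being switched on and that it is an `int` or an enum that promotes to one, otherwise `%d` is the wrong specifier. If the switched expression is something else, the message would silently report an unrelated field. The enclosing function continues outside the hunk.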
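Review bot: The five added `__attribute__((format(printf, 1, 2)))` clauses are written unconditionally, yet this header still wraps every prototype in `PROTO ()` for pre-ANSI compilers, so any non-GNU compiler the project supports will now fail to parse dhcpd.h. Wrapping the attribute in a macro that expands to nothing outside `__GNUC__` keeps the checking where it is available and costs nothing elsewhere. Note also that the messages use `%m` (see the `"Can't get bpf buffer length: %m"` context line in bpf.c), which the `printf` archetype accepts as a GNU extension but may flag under `-pedantic`; that is presumably handled by errwarn.c's own expansion and is only worth a comment.
```c
/* Let GCC check printf-style calls; other compilers see plain prototypes. */
#if defined(__GNUC__)
#define DHCP_PRINTF_ATTR(fmt, args) __attribute__((format(printf, fmt, args)))
#else
#define DHCP_PRINTF_ATTR(fmt, args)
#endif

/* errwarn.c */
extern int warnings_occurred;
void error PROTO ((char *, ...)) DHCP_PRINTF_ATTR (1, 2);
int warn PROTO ((char *, ...)) DHCP_PRINTF_ATTR (1, 2);
int note PROTO ((char *, ...)) DHCP_PRINTF_ATTR (1, 2);
int debug PROTO ((char *, ...)) DHCP_PRINTF_ATTR (1, 2);
int parse_warn PROTO ((char *, ...)) DHCP_PRINTF_ATTR (1, 2);
```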
@@ -905,7 +905,7 @@ char *, struct client_lease *)); int script_go PROTO ((struct interface_info *)); void client_envadd PROTO ((struct client_state *, - const char *, const char *, const char *, ...)); + const char *, const char *, const char *, ...)) __attribute__((forma= t(printf, 4, 5))); int dhcp_option_ev_name (char *, size_t, struct option *); =20 struct client_lease *packet_to_lease PROTO ((struct packet *)); --4Ckj6UjgE2iN1+kY Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE65qemWry0BWjoQKURAnAjAKCf+kgrHOiai1nAm1fAbTIcL+EUXACgjlnn wZ8o6a8skPVk8hB2EQ/ipQ0= =U3Jf -----END PGP SIGNATURE----- --4Ckj6UjgE2iN1+kY-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message
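Review bot: The attribute on `client_envadd` has the same portability problem as the ones added to the errwarn.c prototypes: it is unconditional in a header that otherwise uses `PROTO ()` for non-ANSI compilers, so it should go through a `__GNUC__`-guarded macro rather than raw `__attribute__`. The indices `(4, 5)` do match the prototype shown, where the third `const char *` is the format and `...` follows it, but that assumes `client_envadd` really treats that argument as a printf format, which the hunk cannot confirm. The `forma= t` split on the added line is a quoted-printable soft line break from the mail transport and must be joined before the patch applies.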