From owner-freebsd-audit Sun Nov 19 3:22:52 2000 Delivered-To: freebsd-audit@freebsd.org Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177]) by hub.freebsd.org (Postfix) with ESMTP id 0027D37B479 for ; Sun, 19 Nov 2000 03:22:39 -0800 (PST) Received: (from kris@localhost) by citusc17.usc.edu (8.11.1/8.11.1) id eAJBNjW92228 for audit@freebsd.org; Sun, 19 Nov 2000 03:23:45 -0800 (PST) (envelope-from kris) Date: Sun, 19 Nov 2000 03:23:45 -0800 From: Kris Kennaway To: audit@freebsd.org Subject: bootpd patch Message-ID: <20001119032345.A91835@citusc17.usc.edu> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="MGYHOYXEY6WxJCY8" Content-Disposition: inline User-Agent: Mutt/1.2.5i Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG --MGYHOYXEY6WxJCY8 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable The following patches are taken from OpenBSD. Reviews, anyone? Kris Index: bootpd.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /mnt/ncvs/src/libexec/bootpd/bootpd.c,v retrieving revision 1.13 diff -u -r1.13 bootpd.c --- bootpd.c 1999/08/28 00:09:16 1.13 +++ bootpd.c 2000/11/19 11:19:01 @@ -95,7 +95,7 @@ #define CONFIG_FILE "/etc/bootptab" #endif #ifndef DUMPTAB_FILE -#define DUMPTAB_FILE "/tmp/bootpd.dump" +#define DUMPTAB_FILE "/var/run/bootpd.dump" #endif =20 =0C 
@@ -633,11 +633,17 @@ int32 bootsize =3D 0; unsigned hlen, hashcode; int32 dest; - char realpath[1024]; + char realpath[MAXPATHLEN]; char *clntpath; char *homedir, *bootfile; int n; =20 + /* + * Force C strings in packet to be NUL-terminated. + */ + bp->bp_sname[BP_SNAME_LEN-1] =3D '\0'; + bp->bp_file[BP_FILE_LEN-1] =3D '\0'; + bp->bp_file[sizeof(bp->bp_file)-1] =3D '\0'; =20 /* XXX - SLIP init: Set bp_ciaddr =3D recv_addr here? */ @@ -658,9 +664,18 @@ return; } } else { - strcpy(bp->bp_sname, hostname); + strlcpy(bp->bp_sname, hostname, sizeof(bp->bp_sname)); } =20 + /* If it uses an unknown network type, ignore the request. */ + if (bp->bp_htype >=3D hwinfocnt) { + if (debug) + report(LOG_INFO, + "Request with unknown network type %u", + bp->bp_htype); + return; + } + /* Convert the request into a reply. */ bp->bp_op =3D BOOTREPLY; if (bp->bp_ciaddr.s_addr =3D=3D 0) { @@ -675,7 +690,7 @@ } hlen =3D haddrlength(bp->bp_htype); if (hlen !=3D bp->bp_hlen) { - report(LOG_NOTICE, "bad addr len from from %s address %s", + report(LOG_NOTICE, "bad addr len from %s address %s", netname(bp->bp_htype), haddrtoa(bp->bp_chaddr, hlen)); } @@ -766,11 +781,9 @@ /* Run a program, passing the client name as a parameter. */ if (hp->flags.exec_file) { char tst[100]; - /* XXX - Check string lengths? -gwr */ - strcpy (tst, hp->exec_file->string); - strcat (tst, " "); - strcat (tst, hp->hostname->string); - strcat (tst, " &"); + + snprintf(tst, sizeof(tst), "%s %s &", hp->exec_file->string, + hp->hostname->string); if (debug) report(LOG_INFO, "executing %s", tst); system(tst); /* Hope this finishes soon... */ @@ -838,7 +851,7 @@ * daemon chroot directory (i.e. /tftpboot). */ if (hp->flags.tftpdir) { - snprintf(realpath, sizeof(realpath), "%s", hp->tftpdir->string); + strlcpy(realpath, hp->tftpdir->string, sizeof(realpath)); clntpath =3D &realpath[strlen(realpath)]; } else { realpath[0] =3D '\0'; 
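Review bot: The third added assignment in the NUL-termination block, `bp->bp_file[sizeof(bp->bp_file)-1] = '\0';`, duplicates the line before it if BP_FILE_LEN equals sizeof(bp->bp_file) and contradicts it if not; keep one form (the sizeof form is self-maintaining) and apply the same form to bp_sname so the two fields are terminated the same way. The change of `realpath` to `char realpath[MAXPATHLEN]` needs MAXPATHLEN from <sys/param.h>, which this hunk does not add; presumably bootpd.c already includes it, but that is outside the hunk. The enclosing function starts before the hunk and continues past it.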
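Review bot: The new `if (bp->bp_htype >= hwinfocnt)` guard is placed after the bp_sname handling rather than at the first use of bp_htype, so any code between the start of the enclosing function (outside this hunk) and this point that indexes the hwinfo table by bp_htype would still be unguarded; moving the check ahead of the first use, or confirming there is none, closes that gap. It is correctly ahead of the `haddrlength(bp->bp_htype)` call in the following hunk. A short comment on the guard, `/* bp_htype indexes hwinfo[]; reject values past the table before any lookup */`, would record why it must stay early.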
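Review bot: `snprintf(tst, sizeof(tst), "%s %s &", ...)` removes the overflow, but a command that does not fit in the 100-byte `tst` is silently truncated and then still handed to system(), so a cut-off exec_file path or hostname runs a different command than the one configured. Check the return value and skip the exec on truncation: `int len = snprintf(tst, sizeof(tst), "%s %s &", hp->exec_file->string, hp->hostname->string);` followed by `if (len < 0 || (size_t)len >= sizeof(tst)) { report(LOG_ERR, "exec_file command too long for %s", hp->hostname->string); }` with the existing debug report and `system(tst)` moved into the else branch. The enclosing function starts and ends outside this hunk.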
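Review bot: `strlcpy(realpath, hp->tftpdir->string, sizeof(realpath))` here, the strlcat calls in the -882 and -897 hunks, and the final `strlcpy(bp->bp_file, clntpath, sizeof(bp->bp_file))` in the -933 hunk all discard the return value, so a path longer than the buffer is silently cut and the truncated name is then passed to chk_access() and sent to the client in bp_file, where it can name a different file than the one configured. strlcpy/strlcat return the length they tried to build, so the check is a comparison with the size, e.g. here `if (strlcpy(realpath, hp->tftpdir->string, sizeof(realpath)) >= sizeof(realpath)) { report(LOG_ERR, "tftpdir path too long"); return; }`. The same test applies to each strlcat in the later hunks (they already share the size expression `sizeof(realpath) - (clntpath - realpath)`) and to the copy into bp_file. The enclosing function starts and ends outside this hunk.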
@@ -882,14 +895,18 @@ */ if (homedir) { if (homedir[0] !=3D '/') - strcat(clntpath, "/"); - strcat(clntpath, homedir); + strlcat(clntpath, "/", + sizeof(realpath) - (clntpath - realpath)); + strlcat(clntpath, homedir, + sizeof(realpath) - (clntpath - realpath)); homedir =3D NULL; } if (bootfile) { if (bootfile[0] !=3D '/') - strcat(clntpath, "/"); - strcat(clntpath, bootfile); + strlcat(clntpath, "/", + sizeof(realpath) - (clntpath - realpath)); + strlcat(clntpath, bootfile, + sizeof(realpath) - (clntpath - realpath)); bootfile =3D NULL; } =20 @@ -897,8 +914,9 @@ * First try to find the file with a ".host" suffix */ n =3D strlen(clntpath); - strcat(clntpath, "."); - strcat(clntpath, hp->hostname->string); + strlcat(clntpath, ".", sizeof(realpath) - (clntpath - realpath)); + strlcat(clntpath, hp->hostname->string, + sizeof(realpath) - (clntpath - realpath)); if (chk_access(realpath, &bootsize) < 0) { clntpath[n] =3D 0; /* Try it without the suffix */ if (chk_access(realpath, &bootsize) < 0) { @@ -933,7 +951,7 @@ #endif /* CHECK_FILE_ACCESS */ } } - strncpy(bp->bp_file, clntpath, BP_FILE_LEN); + strlcpy(bp->bp_file, clntpath, sizeof(bp->bp_file)); if (debug > 2) report(LOG_INFO, "bootfile=3D\"%s\"", clntpath); =20 @@ -1177,7 +1195,7 @@ * domain name server, ien name server, time server */ vendp =3D (struct cmu_vend *) bp->bp_vend; - strcpy(vendp->v_magic, (char *)vm_cmu); + strlcpy(vendp->v_magic, (char *)vm_cmu, sizeof(vendp->v_magic)); if (hp->flags.subnet_mask) { (vendp->v_smask).s_addr =3D hp->subnet_mask.s_addr; (vendp->v_flags) |=3D VF_SMASK; Index: getether.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /mnt/ncvs/src/libexec/bootpd/getether.c,v retrieving revision 1.9 diff -u -r1.9 getether.c --- getether.c 1999/08/28 00:09:17 1.9 +++ getether.c 2000/11/19 11:12:46 
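Review bot: `strlcpy(vendp->v_magic, (char *)vm_cmu, sizeof(vendp->v_magic))` treats a fixed-width wire field as a C string: strlcpy always reserves the last byte for a NUL, so if v_magic is exactly the length of the magic cookie with no room for a terminator, the last magic byte is dropped from every CMU-format reply. The declarations of v_magic and vm_cmu are not in the hunk, so this may be harmless if vm_cmu already carries a NUL that fits; `memcpy(vendp->v_magic, vm_cmu, sizeof(vendp->v_magic))` copies the exact bytes in either case and is the idiomatic form for protocol fields. The enclosing function continues outside this hunk.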
@@ -80,7 +80,7 @@ int nit; =20 bzero((char *) &ifrnit, sizeof(ifrnit)); - strncpy(&ifrnit.ifr_name[0], ifname, IFNAMSIZ); + strlcpy(&ifrnit.ifr_name[0], ifname, IFNAMSIZ); =20 nit =3D open("/dev/nit", 0); if (nit < 0) { @@ -136,7 +136,7 @@ ifc.ifc_buf =3D (caddr_t) ibuf; if (ioctl(fd, SIOCGIFCONF, (char *) &ifc) < 0 || ifc.ifc_len < sizeof(struct ifreq)) { - report(LOG_ERR, "getether: SIOCGIFCONF: %s", get_errmsg); + report(LOG_ERR, "getether: SIOCGIFCONF: %s", get_errmsg()); goto out; } /* Search interface configuration list for link layer address. */ Index: hwaddr.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /mnt/ncvs/src/libexec/bootpd/hwaddr.c,v retrieving revision 1.7 diff -u -r1.7 hwaddr.c --- hwaddr.c 1999/08/28 00:09:18 1.7 +++ hwaddr.c 2000/11/19 11:14:02 @@ -33,6 +33,7 @@ #endif =20 #include +#include #ifndef NO_UNISTD #include #endif @@ -201,7 +202,7 @@ snprintf(buf, sizeof(buf), "arp -d %s; arp -s %s %s temp", a, a, haddrtoa(haddr, halen)); if (debug > 2) - report(LOG_INFO, buf); + report(LOG_INFO, "%s", buf); status =3D system(buf); if (status) report(LOG_ERR, "arp failed, exit code=3D0x%x", status); @@ -227,7 +228,8 @@ =20 bufptr =3D haddrbuf; while (hlen > 0) { - sprintf(bufptr, "%02X:", (unsigned) (*haddr++ & 0xFF)); + snprintf(bufptr, sizeof(haddrbuf) - (bufptr - haddrbuf), + "%02X:", (unsigned) (*haddr++ & 0xFF)); bufptr +=3D 3; hlen--; } Index: readfile.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /mnt/ncvs/src/libexec/bootpd/readfile.c,v retrieving revision 1.6 diff -u -r1.6 readfile.c --- readfile.c 1999/08/28 00:09:19 1.6 +++ readfile.c 2000/11/19 11:16:33 
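Review bot: `strlcpy(&ifrnit.ifr_name[0], ifname, IFNAMSIZ)` bounds the copy with the IFNAMSIZ constant rather than the field it writes into; `strlcpy(ifrnit.ifr_name, ifname, sizeof(ifrnit.ifr_name))` ties the bound to the actual array so the two cannot drift apart. This block is inside a platform-specific branch (it opens /dev/nit), and strlcpy is presumably not in the C library on every platform that branch targets, so a local fallback may be needed there. The enclosing function starts before the hunk.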
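Review bot: In the new `snprintf(bufptr, sizeof(haddrbuf) - (bufptr - haddrbuf), ...)` the remaining-size expression is computed from a `bufptr` that is advanced by 3 unconditionally, so once the buffer is full the pointer walks past the end of haddrbuf, the subtraction underflows to a huge size_t, and the next iteration writes out of bounds, which is the opposite of what the change intends. The loop needs to stop when fewer than 4 bytes remain (three characters plus the terminator) unless haddrbuf is sized for the largest hlen any caller can pass, which the hunk does not show. The enclosing function (haddrtoa, presumably) starts before the hunk and its handling of the trailing ':' is outside it.
```c
	bufptr = haddrbuf;
	while (hlen > 0) {
		size_t left = sizeof(haddrbuf) - (bufptr - haddrbuf);
		if (left < 4)	/* room for "XX:" plus the NUL */
			break;
		snprintf(bufptr, left, "%02X:", (unsigned) (*haddr++ & 0xFF));
		bufptr += 3;
		hlen--;
	}
```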
@@ -342,7 +342,7 @@ #ifdef DEBUG if (debug > 3) { char timestr[28]; - strcpy(timestr, ctime(&(st.st_mtime))); + strlcpy(timestr, ctime(&(st.st_mtime)), sizeof(timestr)); /* zap the newline */ timestr[24] =3D '\0'; report(LOG_INFO, "bootptab mtime: %s", Index: report.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /mnt/ncvs/src/libexec/bootpd/report.c,v retrieving revision 1.3 diff -u -r1.3 report.c --- report.c 2000/09/04 05:48:09 1.3 +++ report.c 2000/11/19 11:16:59 @@ -105,7 +105,7 @@ #endif { va_list ap; - static char buf[128]; + static char buf[256]; =20 if ((priority < 0) || (priority >=3D numlevels)) { priority =3D numlevels - 1; --MGYHOYXEY6WxJCY8 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iEYEARECAAYFAjoXuEEACgkQWry0BWjoQKWupACgrrIVqNPqjF8cL4ll/ZmTt6Xv EtIAoM4nzepDHKRUMlVgjm2uZcRaIrXm =Co3H -----END PGP SIGNATURE----- --MGYHOYXEY6WxJCY8-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message
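Review bot: `strlcpy(timestr, ctime(&(st.st_mtime)), sizeof(timestr))` still passes ctime()'s result straight through; ctime() returns NULL when the time cannot be represented, and strlcpy on a NULL source is undefined, so this debug path can crash on an unusual mtime. Guard it: `char *ct = ctime(&(st.st_mtime));` then `if (ct != NULL) strlcpy(timestr, ct, sizeof(timestr)); else timestr[0] = '\0';`. The following `timestr[24] = '\0'` relies on the fixed 26-byte ctime layout, which holds for a successful call. The enclosing function starts and ends outside this hunk.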
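Review bot: Growing `static char buf[128]` to 256 only helps if the formatting into buf is bounded by sizeof(buf); the body of report() is outside this hunk, so confirm it uses `vsnprintf(buf, sizeof(buf), fmt, ap)` rather than vsprintf, otherwise the larger buffer merely moves the overflow threshold. A comment on the declaration such as `/* bounded by vsnprintf below; longer messages are truncated */` would record the invariant. buf being static also means report() is not reentrant, which is pre-existing but worth noting if any signal handler calls it.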