From 0 Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Mon, 15 Oct 2007 23:22:44 +0000 Subject: [PATCH 05] Update and apply dhcp-3.0.4-owl-bound.patch diff --git a/dhcp/client/dhclient.c b/dhcp/client/dhclient.c index defaced..defaced 100644 --- a/dhcp/client/dhclient.c +++ b/dhcp/client/dhclient.c @@ -197,9 +197,9 @@ static void usage(const char *sfmt, const char *sarg) { log_info("%s %s", message, PACKAGE_VERSION); - log_info(copyright); - log_info(arr); - log_info(url); + log_info("%s", copyright); + log_info("%s", arr); + log_info("%s", url); /* If desired print out the specific error message */ #ifdef PRINT_SPECIFIC_CL_ERRORS @@ -691,9 +691,9 @@ main(int argc, char **argv) { if (!quiet) { log_info("%s %s", message, PACKAGE_VERSION); - log_info(copyright); - log_info(arr); - log_info(url); + log_info("%s", copyright); + log_info("%s", arr); + log_info("%s", url); log_info("%s", ""); } else { log_perror = 0; @@ -792,7 +792,7 @@ main(int argc, char **argv) { */ if (!persist) { /* Nothing more to do. */ - log_info("No broadcast interfaces found - exiting."); + log_info("%s", "No broadcast interfaces found - exiting."); finish(0); } } else if (!release_mode && !exit_mode) { @@ -2170,7 +2170,8 @@ void dhcpoffer (packet) return; } - sprintf (obuf, "%s of %s from %s", name, + snprintf (obuf, sizeof(obuf), + "%s of %s from %s", name, inet_ntoa(packet->raw->yiaddr), piaddr(packet->client_addr)); @@ -4590,7 +4591,7 @@ void client_envadd (struct client_state *client, { char spbuf [1024]; char *s; - unsigned len; + int len; struct string_list *val; va_list list; @@ -4598,6 +4599,11 @@ void client_envadd (struct client_state *client, len = vsnprintf (spbuf, sizeof spbuf, fmt, list); va_end (list); +/* Handle truncation on glibc 2.0.x or possible unexpected errors on others; + * avoid integer overflow in the addition below. */ + if (len < 0 || len > 0x3fffffff) + return; + val = dmalloc (strlen (prefix) + strlen (name) + 1 /* = */ + len + sizeof *val, MDL); if (!val) { diff --git a/dhcp/common/bpf.c b/dhcp/common/bpf.c index defaced..defaced 100644 --- a/dhcp/common/bpf.c +++ b/dhcp/common/bpf.c @@ -93,7 +93,7 @@ int if_register_bpf (info) /* Open a BPF device */ for (b = 0; 1; b++) { /* %Audit% 31 bytes max. %2004.06.17,Safe% */ - sprintf(filename, BPF_FORMAT, b); + snprintf(filename, sizeof(filename), BPF_FORMAT, b); sock = open (filename, O_RDWR, 0); if (sock < 0) { if (errno == EBUSY) { diff --git a/dhcp/common/comapi.c b/dhcp/common/comapi.c index defaced..defaced 100644 --- a/dhcp/common/comapi.c +++ b/dhcp/common/comapi.c @@ -273,7 +273,7 @@ isc_result_t dhcp_group_signal_handler (omapi_object_t *h, /* Group objects always have to have names. */ if (!group -> name) { char hnbuf [64]; - sprintf (hnbuf, "ng%08lx%08lx", + snprintf (hnbuf, sizeof(hnbuf), "ng%08lx%08lx", (unsigned long)cur_time, (unsigned long)group); group -> name = dmalloc (strlen (hnbuf) + 1, MDL); diff --git a/dhcp/common/dns.c b/dhcp/common/dns.c index defaced..defaced 100644 --- a/dhcp/common/dns.c +++ b/dhcp/common/dns.c @@ -1250,7 +1250,7 @@ find_cached_zone(dhcp_ddns_cb_t *ddns_cb, int direction) dns_zone_dereference(&zone, MDL); return (ISC_R_NOSPACE); } - strcpy((char *)&ddns_cb->zone_name[0], zone->name); + strncpy((char *)&ddns_cb->zone_name[0], zone->name, DHCP_MAXDNS_WIRE-1); memset (&nsaddrs, 0, sizeof nsaddrs); ix = 0; diff --git a/dhcp/common/print.c b/dhcp/common/print.c index defaced..defaced 100644 --- a/dhcp/common/print.c +++ b/dhcp/common/print.c @@ -525,7 +525,7 @@ char *print_dec_1 (val) unsigned long val; { static char vbuf [32]; - sprintf (vbuf, "%lu", val); + snprintf (vbuf, sizeof(vbuf), "%lu", val); return vbuf; } @@ -533,7 +533,7 @@ char *print_dec_2 (val) unsigned long val; { static char vbuf [32]; - sprintf (vbuf, "%lu", val); + snprintf (vbuf, sizeof(vbuf), "%lu", val); return vbuf; } @@ -565,7 +565,7 @@ static unsigned print_subexpression (expr, buf, len) case expr_check: rv = 10 + strlen (expr -> data.check -> name); if (len > rv) { - sprintf (buf, "(check %s)", + snprintf (buf, len, "(check %s)", expr -> data.check -> name); return rv; } @@ -711,7 +711,7 @@ static unsigned print_subexpression (expr, buf, len) case expr_host_lookup: rv = 15 + strlen (expr -> data.host_lookup -> hostname); if (len > rv) { - sprintf (buf, "(dns-lookup %s)", + snprintf (buf, len, "(dns-lookup %s)", expr -> data.host_lookup -> hostname); return rv; } @@ -795,7 +795,7 @@ static unsigned print_subexpression (expr, buf, len) rv = strlen (s) + 2 + (strlen (expr -> data.option -> name) + strlen (expr -> data.option -> universe -> name)); if (len > rv) { - sprintf (buf, "(option %s.%s)", + snprintf (buf, len, "(option %s.%s)", expr -> data.option -> universe -> name, expr -> data.option -> name); return rv; @@ -931,7 +931,7 @@ static unsigned print_subexpression (expr, buf, len) rv = 10 + (strlen (expr -> data.option -> name) + strlen (expr -> data.option -> universe -> name)); if (len > rv) { - sprintf (buf, "(exists %s.%s)", + snprintf (buf, len, "(exists %s.%s)", expr -> data.option -> universe -> name, expr -> data.option -> name); return rv; @@ -941,7 +941,8 @@ static unsigned print_subexpression (expr, buf, len) case expr_variable_exists: rv = 10 + strlen (expr -> data.variable); if (len > rv) { - sprintf (buf, "(defined %s)", expr -> data.variable); + snprintf (buf, len, + "(defined %s)", expr -> data.variable); return rv; } break; @@ -949,7 +950,7 @@ static unsigned print_subexpression (expr, buf, len) case expr_variable_reference: rv = strlen (expr -> data.variable); if (len > rv) { - sprintf (buf, "%s", expr -> data.variable); + snprintf (buf, len, "%s", expr -> data.variable); return rv; } break; @@ -1246,7 +1247,7 @@ int token_indent_data_string (FILE *file, int col, int indent, } for (i = 0; i < data -> len; i++) { - sprintf (obuf, "%2.2x", data -> data [i]); + snprintf (obuf, sizeof(obuf), "%2.2x", data -> data [i]); col = token_print_indent (file, col, indent, i == 0 ? prefix : "", (i + 1 == data -> len diff --git a/dhcp/common/tree.c b/dhcp/common/tree.c index defaced..defaced 100644 --- a/dhcp/common/tree.c +++ b/dhcp/common/tree.c @@ -3528,7 +3528,7 @@ int write_expression (file, expr, col, indent, firstp) col = write_expression (file, expr -> data.extract_int, col, indent, 1); col = token_print_indent (file, col, scol, "", " ", ","); - sprintf (obuf, "%d", width); + snprintf (obuf, sizeof(obuf), "%d", width); col = token_print_indent (file, col, scol, " ", "", obuf); col = token_print_indent (file, col, indent, "", "", ")"); break; @@ -3551,7 +3551,7 @@ int write_expression (file, expr, col, indent, firstp) col = write_expression (file, expr -> data.extract_int, col, indent, 1); col = token_print_indent (file, col, scol, "", " ", ","); - sprintf (obuf, "%d", width); + snprintf (obuf, sizeof(obuf), "%d", width); col = token_print_indent (file, col, scol, " ", "", obuf); col = token_print_indent (file, col, indent, "", "", ")"); @@ -3566,7 +3566,7 @@ int write_expression (file, expr, col, indent, firstp) goto encode_int; case expr_const_int: - sprintf (obuf, "%lu", expr -> data.const_int); + snprintf (obuf, sizeof(obuf), "%lu", expr -> data.const_int); col = token_print_indent (file, col, indent, "", "", obuf); break; diff --git a/dhcp/common/upf.c b/dhcp/common/upf.c index defaced..defaced 100644 --- a/dhcp/common/upf.c +++ b/dhcp/common/upf.c @@ -69,7 +69,7 @@ int if_register_upf (info) /* Open a UPF device */ for (b = 0; 1; b++) { /* %Audit% Cannot exceed 36 bytes. %2004.06.17,Safe% */ - sprintf(filename, "/dev/pf/pfilt%d", b); + snprintf(filename, sizeof(filename), "/dev/pf/pfilt%d", b); sock = open (filename, O_RDWR, 0); if (sock < 0) { diff --git a/dhcp/omapip/iscprint.c b/dhcp/omapip/iscprint.c index defaced..defaced 100644 --- a/dhcp/omapip/iscprint.c +++ b/dhcp/omapip/iscprint.c @@ -230,7 +230,7 @@ isc_print_vsnprintf(char *str, size_t size, const char *format, va_list ap) { head = ""; tmpui = tmpi; } - sprintf(buf, "%u", tmpui); + snprintf(buf, sizeof(buf), "%u", tmpui); goto printint; case 'o': if (q) @@ -239,7 +239,7 @@ isc_print_vsnprintf(char *str, size_t size, const char *format, va_list ap) { tmpui = va_arg(ap, long int); else tmpui = va_arg(ap, int); - sprintf(buf, alt ? "%#o" + snprintf(buf, sizeof(buf), alt ? "%#o" : "%o", tmpui); goto printint; case 'u': @@ -249,7 +249,7 @@ isc_print_vsnprintf(char *str, size_t size, const char *format, va_list ap) { tmpui = va_arg(ap, unsigned long int); else tmpui = va_arg(ap, unsigned int); - sprintf(buf, "%u", tmpui); + snprintf(buf, sizeof(buf), "%u", tmpui); goto printint; case 'x': if (q) @@ -263,7 +263,7 @@ isc_print_vsnprintf(char *str, size_t size, const char *format, va_list ap) { if (precision > 2) precision -= 2; } - sprintf(buf, "%x", tmpui); + snprintf(buf, sizeof(buf), "%x", tmpui); goto printint; case 'X': if (q) @@ -277,7 +277,7 @@ isc_print_vsnprintf(char *str, size_t size, const char *format, va_list ap) { if (precision > 2) precision -= 2; } - sprintf(buf, "%X", tmpui); + snprintf(buf, sizeof(buf), "%X", tmpui); goto printint; printint: if (precision != 0 || width != 0) { @@ -403,7 +403,7 @@ isc_print_vsnprintf(char *str, size_t size, const char *format, va_list ap) { break; case 'p': v = va_arg(ap, void *); - sprintf(buf, "%p", v); + snprintf(buf, sizeof(buf), "%p", v); length = strlen(buf); if (precision > length) zeropad = precision - length; @@ -479,7 +479,7 @@ isc_print_vsnprintf(char *str, size_t size, const char *format, va_list ap) { */ if (precision > 512) precision = 512; - sprintf(fmt, "%%%s%s.%lu%s%c", alt ? "#" : "", + snprintf(fmt, sizeof(fmt), "%%%s%s.%lu%s%c", alt ? "#" : "", plus ? "+" : space ? " " : "", precision, l ? "L" : "", *format); switch (*format) { @@ -491,12 +491,12 @@ isc_print_vsnprintf(char *str, size_t size, const char *format, va_list ap) { #ifdef HAVE_LONG_DOUBLE if (l) { ldbl = va_arg(ap, long double); - sprintf(buf, fmt, ldbl); + snprintf(buf, sizeof(buf), fmt, ldbl); } else #endif { dbl = va_arg(ap, double); - sprintf(buf, fmt, dbl); + snprintf(buf, sizeof(buf), fmt, dbl); } length = strlen(buf); if (width > 0) { diff --git a/dhcp/server/dhcp.c b/dhcp/server/dhcp.c index defaced..defaced 100644 --- a/dhcp/server/dhcp.c +++ b/dhcp/server/dhcp.c @@ -115,7 +115,7 @@ dhcp (struct packet *packet) { s = dhcp_type_names[packet->packet_type - 1]; } else { /* %Audit% Cannot exceed 28 bytes. %2004.06.17,Safe% */ - sprintf(typebuf, "type %d", packet->packet_type); + snprintf(typebuf, sizeof(typebuf), "type %d", packet->packet_type); s = typebuf; } @@ -519,7 +519,7 @@ void dhcprequest (packet, ms_nulltp, ip_lease) /* piaddr() should not return more than a 15 byte string. * safe. */ - sprintf (smbuf, " (%s)", piaddr (sip)); + snprintf (smbuf, sizeof(smbuf), " (%s)", piaddr (sip)); } else { smbuf [0] = 0; sip.len = 0; @@ -2444,6 +2444,8 @@ void ack_lease (packet, lease, offer, when, msg, ms_nulltp, hp) host_dereference(&hp, MDL); } if (!host) { + if (hp) + host_dereference (&hp, MDL); find_hosts_by_haddr (&hp, packet -> raw -> htype, packet -> raw -> chaddr, diff --git a/dhcp/server/failover.c b/dhcp/server/failover.c index defaced..defaced 100644 --- a/dhcp/server/failover.c +++ b/dhcp/server/failover.c @@ -4119,7 +4119,7 @@ failover_option_t *dhcp_failover_make_option (unsigned code, val = va_arg (va, unsigned); #if defined (DEBUG_FAILOVER_MESSAGES) /* %Audit% Cannot exceed 24 bytes. %2004.06.17,Safe% */ - sprintf (tbuf, " %d", val); + snprintf (tbuf, sizeof(tbuf), " %d", val); failover_print (obuf, obufix, obufmax, tbuf); #endif option.data [i + 4] = val; @@ -4139,7 +4139,7 @@ failover_option_t *dhcp_failover_make_option (unsigned code, #if defined (DEBUG_FAILOVER_MESSAGES) /*%Audit% Cannot exceed 17 bytes. %2004.06.17,Safe%*/ - sprintf (tbuf, " %u.%u.%u.%u", + snprintf (tbuf, sizeof(tbuf), " %u.%u.%u.%u", iaddr [0], iaddr [1], iaddr [2], iaddr [3]); failover_print (obuf, obufix, obufmax, tbuf); #endif @@ -4152,7 +4152,7 @@ failover_option_t *dhcp_failover_make_option (unsigned code, val = va_arg (va, unsigned); #if defined (DEBUG_FAILOVER_MESSAGES) /*%Audit% Cannot exceed 24 bytes. %2004.06.17,Safe%*/ - sprintf (tbuf, " %d", val); + snprintf (tbuf, sizeof(tbuf), " %d", val); failover_print (obuf, obufix, obufmax, tbuf); #endif putULong (&option.data [4 + i * 4], val); @@ -4165,7 +4165,7 @@ failover_option_t *dhcp_failover_make_option (unsigned code, #if defined (DEBUG_FAILOVER_MESSAGES) for (i = 0; i < count; i++) { /* 23 bytes plus nul, safe. */ - sprintf (tbuf, " %d", bval [i]); + snprintf (tbuf, sizeof(tbuf), " %d", bval [i]); failover_print (obuf, obufix, obufmax, tbuf); } #endif @@ -4203,7 +4203,7 @@ failover_option_t *dhcp_failover_make_option (unsigned code, #if defined (DEBUG_FAILOVER_MESSAGES) for (i = 4; i < size; i++) { /*%Audit% Cannot exceed 24 bytes. %2004.06.17,Safe%*/ - sprintf (tbuf, " %d", option.data [i]); + snprintf (tbuf, sizeof(tbuf), " %d", option.data [i]); failover_print (obuf, obufix, obufmax, tbuf); } #endif @@ -4214,7 +4214,7 @@ failover_option_t *dhcp_failover_make_option (unsigned code, val = va_arg (va, u_int32_t); #if defined (DEBUG_FAILOVER_MESSAGES) /*%Audit% Cannot exceed 24 bytes. %2004.06.17,Safe%*/ - sprintf (tbuf, " %d", val); + snprintf (tbuf, sizeof(tbuf), " %d", val); failover_print (obuf, obufix, obufmax, tbuf); #endif putUShort (&option.data [4 + i * 2], val); diff --git a/dhcp/server/omapi.c b/dhcp/server/omapi.c index defaced..defaced 100644 --- a/dhcp/server/omapi.c +++ b/dhcp/server/omapi.c @@ -1234,7 +1234,7 @@ isc_result_t dhcp_host_signal_handler (omapi_object_t *h, if (!host -> name) { char hnbuf [64]; - sprintf (hnbuf, "nh%08lx%08lx", + snprintf (hnbuf, sizeof(hnbuf), "nh%08lx%08lx", (unsigned long)cur_time, (unsigned long)host); host -> name = dmalloc (strlen (hnbuf) + 1, MDL); if (!host -> name)