By the way, I just found one more when using 'cfenvd': --- src/cfenvd.c 2004-09-21 01:08:53.000000000 -0700 +++ src/cfenvd.c.fc4 2005-04-06 09:59:33.000000000 -0700 @@ -280,7 +280,7 @@ sprintf(VBUFF,"%s/state/cf_users",CFWORKDIR); CreateEmptyFile(VBUFF); -snprintf(AVDB,CF_BUFSIZE,"%s/state/%s",CFWORKDIR,CF_AVDB_FILE); +snprintf(AVDB,1024,"%s/state/%s",CFWORKDIR,CF_AVDB_FILE); snprintf(STATELOG,CF_BUFSIZE,"%s/state/%s",CFWORKDIR,CF_STATELOG_FILE); snprintf(ENV_NEW,CF_BUFSIZE,"%s/state/%s",CFWORKDIR,CF_ENVNEW_FILE); snprintf(ENV,CF_BUFSIZE,"%s/state/%s",CFWORKDIR,CF_ENV_FILE);
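Review bot: the new bound in `+snprintf(AVDB,1024,"%s/state/%s",CFWORKDIR,CF_AVDB_FILE);` repeats AVDB's declared size as a literal, so the bound and the declaration can drift apart again; `sizeof(AVDB)` (AVDB is declared `char AVDB[1024]` per the quoted reply) keeps them tied together, and the three unchanged snprintf calls in this hunk for STATELOG, ENV_NEW and ENV still pass CF_BUFSIZE and should each be checked against their own destination's declared size. Two further points on the context lines: the unchanged `sprintf(VBUFF,"%s/state/cf_users",CFWORKDIR);` has no bound at all while CFWORKDIR is 4096 bytes, so VBUFF's size needs the same check; and none of the snprintf return values are checked, so an over-long path is now silently truncated rather than overflowing, which is safer but should be detected and reported.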
-Jeff

On 4/6/05 9:50 AM, "Jeff Sheltren" <[EMAIL PROTECTED]> wrote:

> Hi Mark, I did some more checking, and it looks like there is a possible
> buffer overflow there (and I found a few others after that was fixed). The
> good news is, after changing a few snprintf calls to have a more appropriate
> buffer size, cfagent is now running fine. I'm attaching a patch which makes
> the changes, although it currently uses a hardcoded '1024', which would be
> better to change to some constant defined elsewhere. For example, the one I
> wrote about was line 52 of crypto.c:
> snprintf(AVDB,CF_BUFSIZE,"%s/%s",CFWORKDIR,CF_AVDB_FILE);
>
> AVDB is defined as 'char AVDB[1024]', but CF_BUFSIZE is 4096 (as is
> CFWORKDIR), so a buffer overflow is possible there. Changing the snprintf
> call to use 1024 as the buffer size (since that is the size of AVDB) works
> great:
> snprintf(AVDB,1024,"%s/%s",CFWORKDIR,CF_AVDB_FILE);
>
> There were two others that I found after that was fixed (see the patch).
> There may be more, but after fixing those I was able to do a clean run of
> cfagent in my environment.
>
> -Jeff

_______________________________________________
Bug-cfengine mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/bug-cfengine
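The size mismatch described in the thread, worked through as an added example that is not part of the thread or of cfengine's own code. The numbers CF_BUFSIZE = 4096 and AVDB = char[1024] come from the thread; the file name `cf_avdb.db` (standing in for CF_AVDB_FILE, whose value is not given here) and the 2000-character CFWORKDIR are constructed. The first two functions compute, without touching any buffer, how many bytes snprintf would store for a given bound and how many of those would land past the real buffer; `build_state_path` is the form a reviewer would ask for instead of a hardcoded 1024: the caller passes `sizeof` of the destination and checks the return value, since snprintf truncates silently. It assumes a C99 snprintf (the NULL/0 length probe).

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Sizes as stated in the thread: CF_BUFSIZE is 4096, AVDB is char[1024]. */
#define CF_BUFSIZE 4096
#define AVDB_SIZE  1024

/* Constructed file name standing in for CF_AVDB_FILE (not given on the page). */
#define SAMPLE_AVDB_FILE "cf_avdb.db"

/* Constructed over-long CFWORKDIR: 2000 'a' characters, i.e. longer than AVDB
 * but shorter than CF_BUFSIZE, which is exactly the case the thread describes. */
static const char *sample_long_workdir(void)
{
    static char dir[2001];
    if (dir[0] == '\0') {
        memset(dir, 'a', 2000);
        dir[2000] = '\0';
    }
    return dir;
}

/* Bytes that snprintf(buf, bound, "%s/%s", workdir, file) would store in buf,
 * computed with a NULL/0 probe (C99) so no buffer is written. snprintf stores
 * at most `bound` bytes, the terminating NUL included. */
size_t bytes_stored(size_t bound, const char *workdir, const char *file)
{
    int needed = snprintf(NULL, 0, "%s/%s", workdir, file);
    if (needed < 0 || bound == 0) return 0;
    size_t total = (size_t)needed + 1;   /* formatted length plus NUL */
    return total < bound ? total : bound;
}

/* The bug in the thread: the bound handed to snprintf (CF_BUFSIZE) exceeds the
 * real buffer (AVDB_SIZE). Returns how many bytes would land past the end of
 * the buffer; 0 means this bound is safe for this input. */
size_t overflow_bytes(size_t bound, size_t real_size, const char *workdir, const char *file)
{
    size_t stored = bytes_stored(bound, workdir, file);
    return stored > real_size ? stored - real_size : 0;
}

/* Hardened form: the caller passes sizeof(dst) rather than a literal, and the
 * return value is checked because snprintf truncates without complaint.
 * Returns 0 on success, -1 (with dst emptied) if the path did not fit. */
int build_state_path(char *dst, size_t dst_size, const char *workdir, const char *file)
{
    int n = snprintf(dst, dst_size, "%s/%s", workdir, file);
    if (n < 0 || (size_t)n >= dst_size) {
        if (dst_size > 0) dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Demo helpers with fixed inputs so each result can be checked by name. */
size_t demo_mismatched_bound(void)   /* original call: bound 4096, buffer 1024 */
{
    return overflow_bytes(CF_BUFSIZE, AVDB_SIZE, sample_long_workdir(), SAMPLE_AVDB_FILE);
}
size_t demo_matching_bound(void)     /* patched call: bound 1024, buffer 1024 */
{
    return overflow_bytes(AVDB_SIZE, AVDB_SIZE, sample_long_workdir(), SAMPLE_AVDB_FILE);
}
int demo_fits(void)                  /* short workdir: path built and correct -> 1 */
{
    char avdb[AVDB_SIZE];
    if (build_state_path(avdb, sizeof avdb, "/var/cfengine", SAMPLE_AVDB_FILE) != 0) return 0;
    return strcmp(avdb, "/var/cfengine/cf_avdb.db") == 0;
}
int demo_truncated(void)             /* over-long workdir: reported, not overflowed -> -1 */
{
    char avdb[AVDB_SIZE];
    return build_state_path(avdb, sizeof avdb, sample_long_workdir(), SAMPLE_AVDB_FILE);
}

int main(void)
{
    printf("bound %d into %d-byte AVDB: %zu bytes past the end\n",
           CF_BUFSIZE, AVDB_SIZE, demo_mismatched_bound());
    printf("bound %d into %d-byte AVDB: %zu bytes past the end\n",
           AVDB_SIZE, AVDB_SIZE, demo_matching_bound());
    printf("short path ok: %d, long path rejected: %d\n", demo_fits(), demo_truncated());
    return 0;
}
```

With the 2000-character workdir, the original bound stores 2012 bytes into a 1024-byte AVDB (988 past the end); the patched bound stores exactly 1024 and overflows nothing, but the path is truncated, which only `build_state_path` reports.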
