Package: siproxd
Version: 1:0.5.10+cvs20050423-1
Severity: normal
Tags: patch

In proxy.c, functions proxy_request() and proxy_response(), an argument
of type osip_uri_t* is used for a "%s" conversion specification. However,
osip_uri_t is a struct; it seems like what really was meant is its member
"host" of type char*.

This seems to only affect siproxd if debug output is activated,
DBCLASS_PROXY is included in debug_level and a host name read from the
network cannot be resolved. By chance I happened to hit it all the same. ;)
Luckily, on my system, a NUL byte was less than 20 bytes of garbage away.

The code in question is also present in 1:0.5.11-1 (testing, unstable),
as proxy.c is identical to 1:0.5.10+cvs20050423-1 (before applying
Debian patches). In current upstream (24Feb2006), the code has been
removed from the two functions in proxy.c, but added to
sip_find_direction() in sip_utils.c, still containing the bug.

Regards, Fabian
diff -du4rN siproxd-0.5.10+cvs20050423/src/proxy.c 
siproxd-0.5.10+cvs20050423-format/src/proxy.c
--- siproxd-0.5.10+cvs20050423/src/proxy.c      2005-04-22 00:41:02.000000000 
+0200
+++ siproxd-0.5.10+cvs20050423-format/src/proxy.c       2006-02-24 
06:46:53.000000000 +0100
@@ -143,9 +143,9 @@
 
       if (urlmap[i].active == 0) continue;
       if (get_ip_by_host(urlmap[i].true_url->host, &tmp_addr) == STS_FAILURE) {
          DEBUGC(DBCLASS_PROXY, "proxy_request: cannot resolve host [%s]",
-             urlmap[i].true_url);
+             urlmap[i].true_url->host);
       } else {
          DEBUGC(DBCLASS_PROXY, "proxy_request: reghost:%s ip:%s",
                 urlmap[i].true_url->host, utils_inet_ntoa(from->sin_addr));
          if (memcmp(&tmp_addr, &from->sin_addr, sizeof(tmp_addr)) == 0) {
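Review bot: the corrected argument at the "proxy_request: cannot resolve host [%s]" line is only reached when get_ip_by_host() has returned STS_FAILURE, so it is worth confirming that urlmap[i].true_url->host can never be NULL on that path. If a NULL host is one of the reasons get_ip_by_host() fails, the "%s" conversion would still get an invalid argument after this fix. A guard such as (urlmap[i].true_url->host ? urlmap[i].true_url->host : "*NULL*") would cover that case. Since the report says the host name comes from the network, a precision on the conversion would also keep an oversized value from flooding the debug log.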
@@ -639,9 +639,9 @@
       if (urlmap[i].active == 0) continue;
 
       if (get_ip_by_host(urlmap[i].true_url->host, &tmp_addr) == STS_FAILURE) {
          DEBUGC(DBCLASS_PROXY, "proxy_response: cannot resolve host [%s]",
-             urlmap[i].true_url);
+             urlmap[i].true_url->host);
       } else {
          DEBUGC(DBCLASS_PROXY, "proxy_response: reghost:%s ip:%s",
                 urlmap[i].true_url->host, utils_inet_ntoa(from->sin_addr));
          if (memcmp(&tmp_addr, &from->sin_addr, sizeof(tmp_addr)) == 0) {
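Review bot: the "proxy_response: cannot resolve host [%s]" call repeats the mismatch fixed in proxy_request, which suggests the compiler does not check DEBUGC arguments against the format string. If the logging function behind DEBUGC is not declared with GCC's format(printf, ...) attribute, adding it would let -Wformat flag a struct pointer passed to "%s" at build time. That would also catch the copy the report says now lives in sip_find_direction() in sip_utils.c upstream, which this patch does not touch and which needs the same ->host change.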
