Hi all,

The attached patch replaces some unsafe buffer operations in syslog()
which would cause stack buffer overflow when the syslog message length
(including Facility and Level encoding) would exceed 199 characters.

(There's still the implicit assumption that *printf() won't error and
return -1)
-- 
Nick Withers

Embedded Systems Programmer
Department of Nuclear Physics, Research School of Physics and Engineering
The Australian National University (CRICOS: 00120C)

>From affa0f7a10e6b76441ceb323125958be31c2abc8 Mon Sep 17 00:00:00 2001
From: Nick Withers <nick.with...@anu.edu.au>
Date: Mon, 20 Jan 2014 13:00:35 +1100
Subject: [PATCH] Don't use unsafe buffer operations, averting (stack) buffer
 overflow when the syslog message length (including Facility and Level
 encoding) would exceed 199 characters

---
 cpukit/libnetworking/lib/syslog.c | 30 ++++++++++++------------------
 1 file changed, 12 insertions(+), 18 deletions(-)

diff --git a/cpukit/libnetworking/lib/syslog.c b/cpukit/libnetworking/lib/syslog.c
index c0e7270..066d7ab 100644
--- a/cpukit/libnetworking/lib/syslog.c
+++ b/cpukit/libnetworking/lib/syslog.c
@@ -49,7 +49,6 @@ void
 vsyslog (int pri, const char *fmt, va_list ap)
 {
 	int cnt;
-	char *cp;
 	char *msgp, cbuf[200];
 	int sent;
 
@@ -65,26 +64,21 @@ vsyslog (int pri, const char *fmt, va_list ap)
 	if ((pri & LOG_FACMASK) == 0)
 		pri |= LogFacility;
 
-	cnt = sprintf (cbuf, "<%d>", pri);
-	cp = msgp = cbuf + cnt;
-	if (LogTag) {
-		const char *lp = LogTag;
-		while ((*cp = *lp++) != '\0')
-			cp++;
-	}
-	if (LogStatus & LOG_PID) {
+	cnt = snprintf (cbuf, sizeof (cbuf), "<%d>", pri);
+	msgp = cbuf + (cnt < sizeof (cbuf) ? cnt : sizeof (cbuf) - 1);
+	if (LogTag && cnt < sizeof (cbuf) - 1)
+		cnt += snprintf (cbuf + cnt, sizeof (cbuf) - cnt, "%s", LogTag);
+	if (LogStatus & LOG_PID && cnt < sizeof (cbuf) - 1) {
 		rtems_id tid;
 		rtems_task_ident (RTEMS_SELF, 0, &tid);
-		cnt = sprintf (cp, "[%#lx]", (unsigned long)tid);
-		cp += cnt;
-	}
-	if (LogTag) {
-		*cp++ = ':';
-		*cp++ = ' ';
+		cnt += snprintf (cbuf + cnt, sizeof (cbuf) - cnt, "[%#lx]", (unsigned long)tid);
 	}
-	cnt = vsprintf (cp, fmt, ap);
-	cnt += cp - cbuf;
-	if (cbuf[cnt-1] == '\n')
+	if (LogTag && cnt < sizeof (cbuf) - 1)
+		cnt += snprintf (cbuf + cnt, sizeof (cbuf) - cnt, ": ");
+	cnt += vsnprintf (cbuf + cnt, sizeof (cbuf) - cnt, fmt, ap);
+	if (cnt > sizeof (cbuf) - 1)
+		cnt = sizeof (cbuf) - 1;
+	while (cnt > 0 && cbuf[cnt-1] == '\n')
 		cbuf[--cnt] = '\0';
 
 	if (LogStatus & LOG_PERROR)
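Review bot: The `cnt += vsnprintf (cbuf + cnt, sizeof (cbuf) - cnt, fmt, ap);` line runs unconditionally, but the snprintf calls before it return the length that would have been written, not the length stored, so once LogTag (or the tag plus the `[%#lx]` pid suffix) does not fit, `cnt` already exceeds sizeof (cbuf); `cbuf + cnt` then points past the array and `sizeof (cbuf) - cnt` wraps to a very large size_t, handing vsnprintf a write outside cbuf — the class of overflow the patch sets out to remove. The clamp `if (cnt > sizeof (cbuf) - 1) cnt = sizeof (cbuf) - 1;` should be applied immediately before the vsnprintf as well as after it (the same two lines, duplicated), so the call always receives a valid pointer and a remaining size of at least 1. The cover note's caveat about a negative return also bites here: `cnt` is an int, so `cnt < sizeof (cbuf) - 1` compares it as unsigned, and a -1 fails every guard (tag and pid are skipped) and then reaches `cbuf + cnt`, a pointer one byte before the array; checking each return for `< 0` and giving up on formatting the message would close that gap and silence the sign-compare warnings. As a style point, `LogStatus & LOG_PID && cnt < ...` relies on `&` binding tighter than `&&` and reads more clearly as `(LogStatus & LOG_PID) && cnt < sizeof (cbuf) - 1`. vsyslog continues outside this hunk.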
-- 
1.8.5.2

