Package: librxtx-java Version: 2.2pre2-10 Severity: important Dear Maintainer,
I've noticed that long system paths produce a buffer overflow (other than the one reported in #673778). The error occurs if you use serial devices outside /dev/tty* (e.g. /dev/serial/by-path/pci-0000:00:1d.0-usb-0:1.2:1.0). I've detected the overflow in the message buffer and the lock file buffer. I evaluated the solution used in #673778, but that patch truncates not only messages (not very important) but also lock file names (critical). So, finally, I've replaced the sprintf and snprintf functions involving file[] and message[] with asprintf and free. This patch was tested on the Linux platform but not on others. Please check this solution to fix the overflows. -- System Information: Debian Release: wheezy/sid APT prefers precise-updates APT policy: (500, 'precise-updates'), (500, 'precise-security'), (500, 'precise'), (100, 'precise-backports') Architecture: amd64 (x86_64) Kernel: Linux 3.5.0-41-generic (SMP w/4 CPU cores) Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to C.UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages librxtx-java depends on: ii libc6 2.15-0ubuntu10.5 librxtx-java recommends no packages. librxtx-java suggests no packages. -- no debconf information
--- a/src/SerialImp.c +++ b/src/SerialImp.c @@ -5821,7 +5821,7 @@ int is_device_locked( const char *port_f LOCKDIR, NULL }; const char *lockprefixes[] = { "LCK..", "lk..", "LK.", NULL }; - char *p, file[80], pid_buffer[20], message[80]; + char *p, *file, pid_buffer[20], *message; int i = 0, j, k, fd , pid; struct stat buf, buf2, lockbuf; @@ -5862,19 +5862,22 @@ int is_device_locked( const char *port_f while ( lockprefixes[k] ) { /* FHS style */ - sprintf( file, "%s/%s%s", lockdirs[i], + asprintf( &file, "%s/%s%s", lockdirs[i], lockprefixes[k], p ); if( stat( file, &buf ) == 0 ) { - sprintf( message, UNEXPECTED_LOCK_FILE, + asprintf( &message, UNEXPECTED_LOCK_FILE, file ); report_warning( message ); + free( message ); + free( file ); return 1; } + free( file ); /* UUCP style */ stat(port_filename , &buf ); - sprintf( file, "%s/%s%03d.%03d.%03d", + asprintf( &file, "%s/%s%03d.%03d.%03d", lockdirs[i], lockprefixes[k], (int) major( buf.st_dev ), @@ -5883,11 +5886,14 @@ int is_device_locked( const char *port_f ); if( stat( file, &buf ) == 0 ) { - sprintf( message, UNEXPECTED_LOCK_FILE, + asprintf( &message, UNEXPECTED_LOCK_FILE, file ); report_warning( message ); + free( message ); + free( file ); return 1; } + free( file ); k++; } } @@ -5911,7 +5917,7 @@ int is_device_locked( const char *port_f #endif /* __unixware__ */ p--; } - sprintf( file, "%s/%s%s", LOCKDIR, LOCKFILEPREFIX, p ); + asprintf( &file, "%s/%s%s", LOCKDIR, LOCKFILEPREFIX, p ); #else /* UUCP standard locks */ if ( stat( port_filename, &buf ) != 0 ) @@ -5919,7 +5925,7 @@ int is_device_locked( const char *port_f report( "RXTX is_device_locked() could not find device.\n" ); return 1; } - sprintf( file, "%s/LK.%03d.%03d.%03d", + asprintf( &file, "%s/LK.%03d.%03d.%03d", LOCKDIR, (int) major( buf.st_dev ), (int) major( buf.st_rdev ), 
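Review bot: None of the asprintf() calls check the return value, starting with `asprintf( &file, "%s/%s%s", lockdirs[i],` in the FHS-style branch of hunk @@ -5862,19 +5862,22 of src/SerialImp.c. On failure asprintf returns -1 and, on glibc, leaves the pointer's contents undefined, so the following `stat( file, &buf )` and `free( file )` would act on an indeterminate pointer. Each call should be guarded, e.g. `if( asprintf( &file, "%s/%s%s", lockdirs[i], lockprefixes[k], p ) < 0 ) return 1;`, which reuses the value this function already returns when it refuses the device. The same applies to every other asprintf in the patch: the remaining SerialImp.c hunks and all hunks of src/lfd/lockdaemon.c and src/lfd/lockdaemon.c.noinetd. The body of is_device_locked starts and ends outside this hunk.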
@@ -5940,21 +5946,25 @@ int is_device_locked( const char *port_f if( kill( (pid_t) pid, 0 ) && errno==ESRCH ) { - sprintf( message, + asprintf( &message, "RXTX Warning: Removing stale lock file. %s\n", file ); report_warning( message ); + free( message ); if( unlink( file ) != 0 ) { - snprintf( message, 80, "RXTX Error: Unable to \ + asprintf( &message, "RXTX Error: Unable to \ remove stale lock file: %s\n", file ); report_warning( message ); + free( message ); + free( file ); return 1; } } } + free(file); return 0; } #endif /* WIN32 */ --- a/src/lfd/lockdaemon.c +++ b/src/lfd/lockdaemon.c @@ -120,8 +120,8 @@ int fhs_lock( const char *filename, int * */ int fd,j; - char lockinfo[12], message[80]; - char file[80], *p; + char lockinfo[12]; + char *file, *p, *message; j = strlen( filename ); p = ( char * ) filename + j; @@ -136,24 +136,28 @@ int fhs_lock( const char *filename, int #endif /* __unixware__ */ p--; } - sprintf( file, "%s/LCK..%s", LOCKDIR, p ); if ( check_lock_status( filename ) ) { /* syslog( LOG_INFO, "fhs_lock() lockstatus fail\n" ); */ return 1; } + asprintf( &file, "%s/LCK..%s", LOCKDIR, p ); fd = open( file, O_CREAT | O_WRONLY | O_EXCL, 0444 ); if( fd < 0 ) { - sprintf( message, + asprintf( &message, "RXTX fhs_lock() Error: creating lock file: %s: %s\n", file, strerror(errno) ); syslog( LOG_INFO, message ); + free(message); + free(file); return 1; } sprintf( lockinfo, "%10d\n", pid ); - sprintf( message, "fhs_lock: creating lockfile: %s\n", lockinfo ); + //asprintf( &message, "fhs_lock: creating lockfile: %s\n", lockinfo ); //syslog( LOG_INFO, message ); + //free(message); + free(file); write( fd, lockinfo, 11 ); close( fd ); return 0; @@ -563,7 +567,7 @@ int is_device_locked( const char *port_f LOCKDIR, NULL }; const char *lockprefixes[] = { "LCK..", "lk..", "LK.", NULL }; - char *p, file[80], pid_buffer[20], message[80]; + char *p, *file, pid_buffer[20], *message; int i = 0, j, k, fd , pid; struct stat buf; struct stat buf2; 
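Review bot: `syslog( LOG_INFO, message );` in the `fd < 0` branch of fhs_lock (hunk @@ -136,24 +136,28 of src/lfd/lockdaemon.c) passes the built string as the format argument. `message` embeds `file`, which is built from the tail of the caller-supplied `filename`, so any `%` in that name would be interpreted by syslog as a conversion. Logging directly removes both the format-string exposure and the extra allocation: `syslog( LOG_INFO, "RXTX fhs_lock() Error: creating lock file: %s: %s\n", file, strerror(errno) );`. The same pattern appears at every `syslog( LOG_INFO, message )` in the is_device_locked hunks of lockdaemon.c and in lockdaemon.c.noinetd, where `syslog( LOG_INFO, "%s", message );` is the minimal change. fhs_lock starts before this hunk.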
@@ -602,19 +606,22 @@ int is_device_locked( const char *port_f while ( lockprefixes[k] ) { /* FHS style */ - sprintf( file, "%s/%s%s", lockdirs[i], + asprintf( &file, "%s/%s%s", lockdirs[i], lockprefixes[k], p ); if( stat( file, &buf ) == 0 ) { - sprintf( message, UNEXPECTED_LOCK_FILE, + asprintf( &message, UNEXPECTED_LOCK_FILE, file ); syslog( LOG_INFO, message ); + free( message ); + free( file ); return 1; } + free( file ); /* UUCP style */ stat(port_filename , &buf ); - sprintf( file, "%s/%s%03d.%03d.%03d", + asprintf( &file, "%s/%s%03d.%03d.%03d", lockdirs[i], lockprefixes[k], (int) major( buf.st_dev ), @@ -623,11 +630,14 @@ int is_device_locked( const char *port_f ); if( stat( file, &buf ) == 0 ) { - sprintf( message, UNEXPECTED_LOCK_FILE, + asprintf( &message, UNEXPECTED_LOCK_FILE, file ); syslog( LOG_INFO, message ); + free( message ); + free( file ); return 1; } + free( file ); k++; } } @@ -651,10 +661,10 @@ int is_device_locked( const char *port_f #endif /* __unixware__ */ p--; } - sprintf( file, "%s/%s%s", LOCKDIR, LOCKFILEPREFIX, p ); + asprintf( &file, "%s/%s%s", LOCKDIR, LOCKFILEPREFIX, p ); #else /* UUCP standard locks */ - sprintf( file, "%s/LK.%03d.%03d.%03d", + asprintf( &file, "%s/LK.%03d.%03d.%03d", LOCKDIR, (int) major( buf.st_dev ), (int) major( buf.st_rdev ), 
@@ -672,32 +682,39 @@ int is_device_locked( const char *port_f /* FIXME null terminiate pid_buffer? need to check in Solaris */ close( fd ); sscanf( pid_buffer, "%d", &pid ); - sprintf( message, "found lock for %s with pid %i\n", file, pid ); + /* asprintf( &message, "found lock for %s with pid %i\n", file, pid ); */ /* syslog( LOG_INFO, message ); */ + /* free( message ); */ if( kill( (pid_t) pid, 0 ) && errno==ESRCH ) { - sprintf( message, + asprintf( &message, "RXTX Warning: Removing stale lock file. %s\n", file ); syslog( LOG_INFO, message ); + free( message ); if( unlink( file ) != 0 ) { - snprintf( message, 80, "RXTX Error: Unable to \ + asprintf( &message, "RXTX Error: Unable to \ remove stale lock file: %s\n", file ); syslog( LOG_INFO, message ); + free( message ); + free( file ); return 0; } } else { - sprintf( message, "could not kill %i\n", pid ); + /* asprintf( &message, "could not kill %i\n", pid ); */ /* syslog( LOG_INFO, message ); */ + /* free( message ); */ + free( file ); return 1; } } + free( file ); return 0; } int init( void ) --- a/src/lfd/lockdaemon.c.noinetd +++ b/src/lfd/lockdaemon.c.noinetd @@ -119,8 +119,8 @@ int fhs_lock( const char *filename, int * */ int fd,j; - char lockinfo[12], message[80]; - char file[80], *p; + char lockinfo[12]; + char *file, *p, *message; j = strlen( filename ); p = ( char * ) filename + j; 
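Review bot: The `unlink( file ) != 0` branch in hunk @@ -672,32 +682,39 of src/lfd/lockdaemon.c now frees both buffers and then still reaches `return 0;`, whereas the same branch in src/SerialImp.c and src/lfd/lockdaemon.c.noinetd returns 1. If 0 means "not locked" here, as the final `return 0;` suggests, a stale lock file that could not be removed is reported as absent and a second process may go on to open the port. Since the patch already edits this branch, `return 1;` would bring the three copies in line; if the difference is intended, a comment saying why would help. The hunk also adds commented-out `asprintf`/`free` lines, which could simply be deleted.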
@@ -135,24 +135,28 @@ int fhs_lock( const char *filename, int #endif /* __unixware__ */ p--; } - sprintf( file, "%s/LCK..%s", LOCKDIR, p ); if ( check_lock_status( filename ) ) { syslog( LOG_INFO, "fhs_lock() lockstatus fail\n" ); return 1; } + asprintf( &file, "%s/LCK..%s", LOCKDIR, p ); fd = open( file, O_CREAT | O_WRONLY | O_EXCL, 0444 ); if( fd < 0 ) { - sprintf( message, + asprintf( &message, "RXTX fhs_lock() Error: creating lock file: %s: %s\n", file, strerror(errno) ); syslog( LOG_INFO, message ); + free(message); + free(file); return 1; } sprintf( lockinfo, "%10d\n", pid ); - sprintf( message, "fhs_lock: creating lockfile: %s\n", lockinfo ); + asprintf( &message, "fhs_lock: creating lockfile: %s\n", lockinfo ); syslog( LOG_INFO, message ); + free( message ); + free( file ); write( fd, lockinfo, 11 ); close( fd ); return 0; @@ -556,7 +560,7 @@ int is_device_locked( const char *port_f LOCKDIR, NULL }; const char *lockprefixes[] = { "LCK..", "lk..", "LK.", NULL }; - char *p, file[80], pid_buffer[20], message[80]; + char *p, *file, pid_buffer[20], *message; int i = 0, j, k, fd , pid; struct stat buf; struct stat buf2; @@ -595,19 +599,22 @@ int is_device_locked( const char *port_f while ( lockprefixes[k] ) { /* FHS style */ - sprintf( file, "%s/%s%s", lockdirs[i], + asprintf( &file, "%s/%s%s", lockdirs[i], lockprefixes[k], p ); if( stat( file, &buf ) == 0 ) { - sprintf( message, UNEXPECTED_LOCK_FILE, + asprintf( &message, UNEXPECTED_LOCK_FILE, file ); syslog( LOG_INFO, message ); + free( message ); + free( file ); return 1; } + free( file ); /* UUCP style */ stat(port_filename , &buf ); - sprintf( file, "%s/%s%03d.%03d.%03d", + asprintf( &file, "%s/%s%03d.%03d.%03d", lockdirs[i], lockprefixes[k], (int) major( buf.st_dev ), 
@@ -616,11 +623,14 @@ int is_device_locked( const char *port_f ); if( stat( file, &buf ) == 0 ) { - sprintf( message, UNEXPECTED_LOCK_FILE, + asprintf( &message, UNEXPECTED_LOCK_FILE, file ); syslog( LOG_INFO, message ); + free( message ); + free( file ); return 1; } + free( file ); k++; } } @@ -644,7 +654,7 @@ int is_device_locked( const char *port_f #endif /* __unixware__ */ p--; } - sprintf( file, "%s/%s%s", LOCKDIR, LOCKFILEPREFIX, p ); + asprintf( &file, "%s/%s%s", LOCKDIR, LOCKFILEPREFIX, p ); #else /* UUCP standard locks */ if ( stat( port_filename, &buf ) != 0 ) @@ -656,7 +666,7 @@ int is_device_locked( const char *port_f syslog( LOG_INFO, message ); return 1; } - sprintf( file, "%s/LK.%03d.%03d.%03d", + asprintf( &file, "%s/LK.%03d.%03d.%03d", LOCKDIR, (int) major( buf.st_dev ), (int) major( buf.st_rdev ), @@ -677,10 +687,11 @@ int is_device_locked( const char *port_f if( kill( (pid_t) pid, 0 ) && errno==ESRCH ) { - sprintf( message, + asprintf( &message, "RXTX Warning: Removing stale lock file. %s\n", file ); syslog( LOG_INFO, message ); + free( message ); if( unlink( file ) != 0 ) { snprintf( message, 80, "RXTX Error: Unable to \ @@ -688,10 +699,13 @@ int is_device_locked( const char *port_f file ); syslog( LOG_INFO, message ); + free( message ); + free( file ); return 1; } } } + free( file ); return 0; } int init( void )
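Review bot: `syslog( LOG_INFO, message ); return 1;` at the top of hunk @@ -656,7 +666,7 (src/lfd/lockdaemon.c.noinetd) still uses `message`, but the statement that fills it lies between this hunk and the previous one and is not touched by the patch. `message` is now an uninitialised `char *` (hunk @@ -556,7 +560,7), so if that statement is still a `sprintf( message, ... )` it writes through an indeterminate pointer. It needs the same conversion to asprintf with a `free( message );` before the `return 1;`, or a direct syslog call with a literal format string.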
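Review bot: The `snprintf( message, 80, "RXTX Error: Unable to \` call is left as a context line in hunk @@ -677,10 +687,11 of src/lfd/lockdaemon.c.noinetd, but `message` is now a pointer that the `free( message );` added just above, before the `unlink()` test, has already released. The snprintf therefore writes up to 80 bytes into freed memory, and the `free( message );` added in hunk @@ -688,10 +699,13 releases the same pointer a second time. The other two files convert this call; here it should likewise become `asprintf( &message, "RXTX Error: Unable to \`, with its return value checked.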