Hi,

Call check_tty_name() and check_log_name() with the string size and
don't access memory beyond it.  Make sure that the complete string
"/dev/null" can be copied.

ok?

bluhm

? usr.sbin/syslogd/obj
Index: usr.sbin/syslogd/privsep.c
===================================================================
RCS file: /cvs/src/usr.sbin/syslogd/privsep.c,v
retrieving revision 1.42
diff -u -p -r1.42 privsep.c
--- usr.sbin/syslogd/privsep.c  25 Aug 2014 18:19:18 -0000      1.42
+++ usr.sbin/syslogd/privsep.c  25 Aug 2014 18:24:32 -0000
@@ -215,7 +215,7 @@ priv_init(char *conf, int numeric, int l
                                _exit(1);
                        must_read(socks[0], &path, path_len);
                        path[path_len - 1] = '\0';
-                       check_tty_name(path, path_len);
+                       check_tty_name(path, sizeof(path));
                        fd = open(path, O_WRONLY|O_NONBLOCK, 0);
                        send_fd(socks[0], fd);
                        if (fd < 0)
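Review bot: `sizeof(path)` at the check_tty_name() call is the buffer capacity only if `path` is an array in this scope; its declaration is outside the hunk (the `&path` passed to must_read() suggests an array), so that is worth confirming. With the capacity passed instead of `path_len`, the scan in check_tty_name() is bounded in practice by the terminator written on the line above, while the bytes after `path_len` are whatever the buffer held before. A short comment would record that, for example `/* path is terminated at path_len - 1; pass the capacity so the /dev/null rewrite is never truncated */`. The same applies to the check_log_name() call in the next hunk. The `path_len` range check that makes `path[path_len - 1]` safe sits above the hunk and is not visible here.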
@@ -234,7 +234,7 @@ priv_init(char *conf, int numeric, int l
                                _exit(1);
                        must_read(socks[0], &path, path_len);
                        path[path_len - 1] = '\0';
-                       check_log_name(path, path_len);
+                       check_log_name(path, sizeof(path));
 
                        if (cmd == PRIV_OPEN_LOG)
                                fd = open_file(path);
@@ -469,13 +469,13 @@ open_pipe(char *cmd)
  * Either /dev/console or /dev/tty* are allowed.
  */
 static void
-check_tty_name(char *tty, size_t ttylen)
+check_tty_name(char *tty, size_t ttysize)
 {
        const char ttypre[] = "/dev/tty";
        char *p;
 
        /* Any path containing '..' is invalid.  */
-       for (p = tty; *p && p < tty + ttylen; p++)
+       for (p = tty; p + 1 < tty + ttysize && *p; p++)
                if (*p == '.' && *(p + 1) == '.')
                        goto bad_path;
 
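Review bot: The comment above check_tty_name() does not say that `ttysize` is now the capacity of the buffer rather than the string length, or that the caller must NUL-terminate it, and the reordered loop condition `p + 1 < tty + ttysize && *p` depends on exactly that. I would extend the header comment with `ttysize is the size of the tty buffer including the terminating NUL; it must be able to hold "/dev/null"`, and put `/* stop one byte early: the body reads p[1] */` above the loop. If the buffer held no NUL within `ttysize`, the loop would end cleanly, but the checks that follow, outside this hunk, presumably still treat `tty` as a string. check_log_name() in the later hunk has the same loop and the same gap in its comment.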
@@ -486,7 +486,7 @@ check_tty_name(char *tty, size_t ttylen)
 bad_path:
        warnx ("%s: invalid attempt to open %s: rewriting to /dev/null",
            "check_tty_name", tty);
-       strlcpy(tty, "/dev/null", ttylen);
+       strlcpy(tty, "/dev/null", ttysize);
 }
 
 /* If we are in the initial configuration state, accept a logname and add
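Review bot: The return value of `strlcpy(tty, "/dev/null", ttysize)` is ignored, so if a caller ever passes a size smaller than the ten bytes the replacement needs, the buffer is left holding a truncated path such as `/dev` and the caller goes on to open it. Both visible callers now pass `sizeof(path)`, which is presumably large enough, but the function itself does not enforce it. `if (strlcpy(tty, "/dev/null", ttysize) >= ttysize) errx(1, "check_tty_name: buffer too small");` would make the failure explicit, assuming exiting is acceptable at this point in the privileged process. The same applies to the strlcpy() under `bad_path:` in check_log_name() in the last hunk. The body of check_tty_name() between the loop and `bad_path:` is outside this hunk.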
@@ -494,13 +494,13 @@ bad_path:
  * and rewrite to /dev/null if it's a bad path.
  */
 static void
-check_log_name(char *lognam, size_t loglen)
+check_log_name(char *lognam, size_t logsize)
 {
        struct logname *lg;
        char *p;
 
        /* Any path containing '..' is invalid.  */
-       for (p = lognam; *p && p < lognam + loglen; p++)
+       for (p = lognam; p + 1 < lognam + logsize && *p; p++)
                if (*p == '.' && *(p + 1) == '.')
                        goto bad_path;
 
@@ -528,7 +528,7 @@ check_log_name(char *lognam, size_t logl
 bad_path:
        warnx("%s: invalid attempt to open %s: rewriting to /dev/null",
            "check_log_name", lognam);
-       strlcpy(lognam, "/dev/null", loglen);
+       strlcpy(lognam, "/dev/null", logsize);
 }
 
 /* Crank our state into less permissive modes */
