tReally fix the format string exploit against the Win32 server this time, and for good measure audit all other uses of the g_print() function. Replace some fprintf calls with fputs for additional safety. - vaccinewars - be a doctor and try to vaccinate the world (HTM) git clone git://src.adamsgaard.dk/vaccinewars (DIR) Log (DIR) Files (DIR) Refs (DIR) README (DIR) LICENSE --- (DIR) commit 30f0d92bee92b1b53dbd636392685c32cd8efe5f (DIR) parent ebaf2ad8dadfe0f5536c707508a811c8634cd732 (HTM) Author: Ben Webb <ben@salilab.org> Date: Fri, 30 Dec 2005 21:26:13 +0000 Really fix the format string exploit against the Win32 server this time, and for good measure audit all other uses of the g_print() function. Replace some fprintf calls with fputs for additional safety. Diffstat: M ChangeLog | 4 ++++ M src/configfile.c | 12 ++++++------ M src/dopewars.c | 5 ++--- M src/log.c | 3 +-- M src/serverside.c | 7 ++++--- M src/tstring.c | 2 +- M src/winmain.c | 5 ++--- 7 files changed, 20 insertions(+), 18 deletions(-) --- (DIR) diff --git a/ChangeLog b/ChangeLog t@@ -1,3 +1,7 @@ +1.5.12 30-12-2005 + - Really fix a potential exploit against the Win32 server when running as + an NT service (user data was being used as a format string in some cases). + 1.5.11 30-12-2005 - Add example configuration file to the documentation. - Fixed various typos in the German translation (thanks to Jens Seidel (DIR) 
diff --git a/src/configfile.c b/src/configfile.c
t@@ -119,7 +119,7 @@ static void WriteConfigValue(FILE *fp, Converter *conv, int GlobalIndex,
 *GetGlobalString(GlobalIndex, StructIndex), -1);
 PrintEscaped(fp, convstr);
 g_free(convstr);
- fprintf(fp, "\"\n");
+ fputs("\"\n", fp);
 } else if (Globals[GlobalIndex].StringList) {
 int i;
 gchar *convstr;
t@@ -127,7 +127,7 @@ static void WriteConfigValue(FILE *fp, Converter *conv, int GlobalIndex,
 fprintf(fp, "%s = { ", GlobalName);
 for (i = 0; i < *Globals[GlobalIndex].MaxIndex; i++) {
 if (i > 0)
- fprintf(fp, ", ");
+ fputs(", ", fp);
 fputc('"', fp);
 convstr = Conv_ToExternal(conv, (*Globals[GlobalIndex].StringList)[i], -1);
t@@ -135,7 +135,7 @@ static void WriteConfigValue(FILE *fp, Converter *conv, int GlobalIndex,
 g_free(convstr);
 fputc('"', fp);
 }
- fprintf(fp, " }\n");
+ fputs(" }\n", fp);
 }
 if (Globals[GlobalIndex].NameStruct[0])
t@@ -182,9 +182,9 @@ static void ReadFileToString(FILE *fp, gchar *str, int matchlen)
 rewind(fp);
 ftruncate(fileno(fp), 0);
- fprintf(fp, file->str);
+ fputs(file->str, fp);
 
- fprintf(fp, str);
+ fputs(str, fp);
 g_string_free(file, TRUE);
 }
t@@ -201,7 +201,7 @@ static void WriteConfigFile(FILE *fp, gboolean ForceUTF8)
 if (ForceUTF8 && !IsConfigFileUTF8()) {
 g_free(LocalCfgEncoding);
 LocalCfgEncoding = g_strdup("UTF-8");
- fprintf(fp, "encoding \"UTF-8\"\n");
+ fputs("encoding \"UTF-8\"\n", fp);
 }
 if (LocalCfgEncoding && LocalCfgEncoding[0]) {
(DIR)
diff --git a/src/dopewars.c b/src/dopewars.c
t@@ -2157,7 +2157,7 @@ void PrintConfigValue(int GlobalIndex, int StructIndex,
 }
 g_string_append(text, " }\n");
- g_print(text->str);
+ g_print("%s", text->str);
 g_string_free(text, TRUE);
 }
 }
t@@ -2950,8 +2950,7 @@ static void DefaultLogMessage(const gchar *log_domain,
 text = GetLogString(log_level, message);
 if (text) {
- g_string_append(text, "\n");
- g_print(text->str);
+ g_print("%s\n", text->str);
 g_string_free(text, TRUE);
 }
 }
(DIR)
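Review bot: Both new `fputs` calls in ReadFileToString ignore their return value, so a write that fails after `ftruncate(fileno(fp), 0)` leaves the configuration file truncated with no indication to the caller; the `ftruncate` result on the line above is likewise unchecked. Moving the data out of the format argument is the right fix for the format-string bug, but the rewrite path should report failure as well, e.g. `if (fputs(file->str, fp) == EOF || fputs(str, fp) == EOF) { /* report the write failure */ }` — the function returns void, so that probably means a logged warning or a new status return. ReadFileToString begins outside the hunk, so I cannot see whether an earlier check already covers this.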
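Review bot: DefaultLogMessage here and ServerLogMessage in src/winmain.c (the hunk at line 62 there) now end with byte-identical bodies — `GetLogString`, `g_print("%s\n", text->str)`, `g_string_free` — and duplicated logging code is the kind of thing that let the earlier fix mentioned in the commit title miss a call site. A small shared helper, e.g. a `static void PrintLogString(GString *text)` that does the print-and-free in one place, would leave a future audit of g_print callers a single site to check. Both functions begin outside their hunks, so whether the rest of their bodies also match is inferred from the visible lines only.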
diff --git a/src/log.c b/src/log.c
t@@ -50,8 +50,7 @@ void dopelog(const int loglevel, const LogFlags flags,
 return;
 va_start(args, format);
- g_logv(G_LOG_DOMAIN, 1 << (loglevel + G_LOG_LEVEL_USER_SHIFT), format,
- args);
+ g_logv(G_LOG_DOMAIN, 1 << (loglevel + G_LOG_LEVEL_USER_SHIFT), format, args);
 va_end(args);
 #ifdef HAVE_SYSLOG_H
(DIR)
diff --git a/src/serverside.c b/src/serverside.c
t@@ -737,7 +737,7 @@ void PrintHelpTo(FILE *fp)
 }
 fprintf(fp, "%-26s %s\n", VarName->str, _(Globals[i].Help));
 }
- fprintf(fp, "\n\n");
+ fputs("\n\n", fp);
 g_string_free(VarName, TRUE);
 }
t@@ -780,8 +780,9 @@ static void ServerReply(const gchar *msg)
 QueueMessageForSend(reply_netbuf, msgcp);
 g_free(msgcp);
 }
- } else
- g_print(msg);
+ } else {
+ g_print("%s", msg);
+ }
 }
 /*
(DIR)
diff --git a/src/tstring.c b/src/tstring.c
t@@ -277,7 +277,7 @@ void dpg_print(gchar *format, ...)
 va_start(ap, format);
 retstr = HandleTFmt(format, ap);
 va_end(ap);
- g_print(retstr);
+ g_print("%s", retstr);
 g_free(retstr);
 }
(DIR)
diff --git a/src/winmain.c b/src/winmain.c
t@@ -62,8 +62,7 @@ static void ServerLogMessage(const gchar *log_domain,
 text = GetLogString(log_level, message);
 if (text) {
- g_string_append(text, "\n");
- g_print(text->str);
+ g_print("%s\n", text->str);
 g_string_free(text, TRUE);
 }
 }
t@@ -112,7 +111,7 @@ static void LogFileStart()
 static void LogFilePrintFunc(const gchar *string)
 {
 if (LogFile) {
- fprintf(LogFile, "%s", string);
+ fputs(string, LogFile);
 fflush(LogFile);
 }
 }
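Review bot: The new `else` block in ServerReply says nothing about when a reply is printed with g_print instead of being queued on the network, and the condition that selects the branch sits above the hunk, so a reader cannot tell whether this is a local-console path or a fallback for when no client is attached. A one-line comment on the `} else {` line, e.g. `/* Presumably no reply buffer to send on: echo the reply to the local print handler instead */`, would make the intent explicit, and it is worth confirming whether `QueueMessageForSend` appends its own line terminator while `g_print("%s", msg)` prints msg verbatim, so the two paths stay equivalent. ServerReply starts outside the hunk.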
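Review bot: LogFilePrintFunc carries no comment stating the invariant this whole commit is enforcing — that `string` arrives fully formatted and must be written verbatim, never passed anywhere as a format — so a later edit could quietly reintroduce an `fprintf(LogFile, string)`. A comment above the `if (LogFile)` line, e.g. `/* Print handler: string is already-formatted text (from g_print); write it verbatim, never as a format. */`, records that; the name and signature suggest this is the GLib print handler installed elsewhere, which I cannot confirm from the hunk. The `fputs`/`fflush` results are dropped, which is a reasonable best-effort choice for a log sink but deserves a word in the same comment.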