tReally fix the format string exploit against the Win32 server this time, and for good measure audit all other uses of the g_print() function. Replace some fprintf calls with fputs for additional safety. - vaccinewars - be a doctor and try to vaccinate the world
(DIR) commit 30f0d92bee92b1b53dbd636392685c32cd8efe5f
(DIR) parent ebaf2ad8dadfe0f5536c707508a811c8634cd732
(HTM) Author: Ben Webb <ben@salilab.org>
Date: Fri, 30 Dec 2005 21:26:13 +0000
Really fix the format string exploit against the Win32 server this time,
and for good measure audit all other uses of the g_print() function. Replace
some fprintf calls with fputs for additional safety.
Diffstat:
M ChangeLog | 4 ++++
M src/configfile.c | 12 ++++++------
M src/dopewars.c | 5 ++---
M src/log.c | 3 +--
M src/serverside.c | 7 ++++---
M src/tstring.c | 2 +-
M src/winmain.c | 5 ++---
7 files changed, 20 insertions(+), 18 deletions(-)
---
(DIR) diff --git a/ChangeLog b/ChangeLog
t@@ -1,3 +1,7 @@
+1.5.12 30-12-2005
+ - Really fix a potential exploit against the Win32 server when running as
+ an NT service (user data was being used as a format string in some cases).
+
1.5.11 30-12-2005
- Add example configuration file to the documentation.
- Fixed various typos in the German translation (thanks to Jens Seidel
(DIR) diff --git a/src/configfile.c b/src/configfile.c
t@@ -119,7 +119,7 @@ static void WriteConfigValue(FILE *fp, Converter *conv, int GlobalIndex,
*GetGlobalString(GlobalIndex, StructIndex), -1);
PrintEscaped(fp, convstr);
g_free(convstr);
- fprintf(fp, "\"\n");
+ fputs("\"\n", fp);
} else if (Globals[GlobalIndex].StringList) {
int i;
gchar *convstr;
t@@ -127,7 +127,7 @@ static void WriteConfigValue(FILE *fp, Converter *conv, int GlobalIndex,
fprintf(fp, "%s = { ", GlobalName);
for (i = 0; i < *Globals[GlobalIndex].MaxIndex; i++) {
if (i > 0)
- fprintf(fp, ", ");
+ fputs(", ", fp);
fputc('"', fp);
convstr = Conv_ToExternal(conv,
(*Globals[GlobalIndex].StringList)[i], -1);
t@@ -135,7 +135,7 @@ static void WriteConfigValue(FILE *fp, Converter *conv, int GlobalIndex,
g_free(convstr);
fputc('"', fp);
}
- fprintf(fp, " }\n");
+ fputs(" }\n", fp);
}
if (Globals[GlobalIndex].NameStruct[0])
t@@ -182,9 +182,9 @@ static void ReadFileToString(FILE *fp, gchar *str, int matchlen)
rewind(fp);
ftruncate(fileno(fp), 0);
- fprintf(fp, file->str);
+ fputs(file->str, fp);
- fprintf(fp, str);
+ fputs(str, fp);
g_string_free(file, TRUE);
}
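Review bot: The `ftruncate()` call and the two new `fputs()` calls are all unchecked, so a failed or short write after the truncation leaves the configuration file empty or partial with no error reported. Consider testing the results, e.g. `if (ftruncate(fileno(fp), 0) != 0 || fputs(file->str, fp) == EOF) { /* report and stop */ }`, and likewise for `fputs(str, fp)`. The enclosing function starts outside the hunk (the ReadFileToString label in the hunk header may refer to an earlier definition), so how an error would be reported to the caller is not visible here.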
t@@ -201,7 +201,7 @@ static void WriteConfigFile(FILE *fp, gboolean ForceUTF8)
if (ForceUTF8 && !IsConfigFileUTF8()) {
g_free(LocalCfgEncoding);
LocalCfgEncoding = g_strdup("UTF-8");
- fprintf(fp, "encoding \"UTF-8\"\n");
+ fputs("encoding \"UTF-8\"\n", fp);
}
if (LocalCfgEncoding && LocalCfgEncoding[0]) {
(DIR) diff --git a/src/dopewars.c b/src/dopewars.c
t@@ -2157,7 +2157,7 @@ void PrintConfigValue(int GlobalIndex, int StructIndex,
}
g_string_append(text, " }\n");
- g_print(text->str);
+ g_print("%s", text->str);
g_string_free(text, TRUE);
}
}
t@@ -2950,8 +2950,7 @@ static void DefaultLogMessage(const gchar *log_domain,
text = GetLogString(log_level, message);
if (text) {
- g_string_append(text, "\n");
- g_print(text->str);
+ g_print("%s\n", text->str);
g_string_free(text, TRUE);
}
}
(DIR) diff --git a/src/log.c b/src/log.c
t@@ -50,8 +50,7 @@ void dopelog(const int loglevel, const LogFlags flags,
return;
va_start(args, format);
- g_logv(G_LOG_DOMAIN, 1 << (loglevel + G_LOG_LEVEL_USER_SHIFT), format,
- args);
+ g_logv(G_LOG_DOMAIN, 1 << (loglevel + G_LOG_LEVEL_USER_SHIFT), format, args);
va_end(args);
#ifdef HAVE_SYSLOG_H
(DIR) diff --git a/src/serverside.c b/src/serverside.c
t@@ -737,7 +737,7 @@ void PrintHelpTo(FILE *fp)
}
fprintf(fp, "%-26s %s\n", VarName->str, _(Globals[i].Help));
}
- fprintf(fp, "\n\n");
+ fputs("\n\n", fp);
g_string_free(VarName, TRUE);
}
t@@ -780,8 +780,9 @@ static void ServerReply(const gchar *msg)
QueueMessageForSend(reply_netbuf, msgcp);
g_free(msgcp);
}
- } else
- g_print(msg);
+ } else {
+ g_print("%s", msg);
+ }
}
/*
(DIR) diff --git a/src/tstring.c b/src/tstring.c
t@@ -277,7 +277,7 @@ void dpg_print(gchar *format, ...)
va_start(ap, format);
retstr = HandleTFmt(format, ap);
va_end(ap);
- g_print(retstr);
+ g_print("%s", retstr);
g_free(retstr);
}
(DIR) diff --git a/src/winmain.c b/src/winmain.c
t@@ -62,8 +62,7 @@ static void ServerLogMessage(const gchar *log_domain,
text = GetLogString(log_level, message);
if (text) {
- g_string_append(text, "\n");
- g_print(text->str);
+ g_print("%s\n", text->str);
g_string_free(text, TRUE);
}
}
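Review bot: With `g_print("%s\n", text->str)` the message is no longer a format string, but it is still written verbatim, so any newline or control character in user-supplied text would reach the service's log unchanged and can make one entry look like several. If `message` can carry client data (the ChangeLog entry suggests it can), consider escaping non-printable characters before printing, for instance in GetLogString(); its body is not visible here, so it may already do this. DefaultLogMessage in src/dopewars.c has the same pattern. A one-line comment such as `/* text may contain client data: print as data, never as a format */` would also record why the `"%s"` is required.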
t@@ -112,7 +111,7 @@ static void LogFileStart()
static void LogFilePrintFunc(const gchar *string)
{
if (LogFile) {
- fprintf(LogFile, "%s", string);
+ fputs(string, LogFile);
fflush(LogFile);
}
}