String buffer safety cleanup. I don't think any of these were exploitable

remotely, but they would be if e.g. it happened to call the logging function using a DNS hostname. Also replace random() by arc4random() - only one of these is arguably required since it's directly used in the protocol, but we might as well replace both to avoid using two different PRNGs. Reviewed by: green, alex
svn path=/head/; revision=66858
2024-09-20 16:54:02 +00:00 · 2000-10-09 06:08:00 +00:00 · 2000-10-09 06:08:00 +00:00 · aed217b4c6 · 2020-12-20 02:59:44 +00:00
parent b2338d532a
commit aed217b4c6
4 changed files with 8 additions and 12 deletions
--- a/usr.sbin/mrouted/cfparse.y
+++ b/usr.sbin/mrouted/cfparse.y
@ -658,7 +658,7 @@ static void
 fatal(char *fmt, ...)
 {
 	va_list ap;
-	char buf[200];
+	char buf[MAXHOSTNAMELEN + 100];

 	va_start(ap, fmt);
 #else
@ -669,11 +669,11 @@ char *fmt;
 va_dcl
 {
 	va_list ap;
-	char buf[200];
+	char buf[MAXHOSTNAMELEN + 100];

 	va_start(ap);
 #endif
-	vsprintf(buf, fmt, ap);
+	vsnprintf(buf, sizeof(buf), fmt, ap);
 	va_end(ap);

 	log(LOG_ERR,0,"%s: %s near line %d", configfilename, buf, lineno);
@ -699,7 +699,7 @@ va_dcl

 	va_start(ap);
 #endif
-	vsprintf(buf, fmt, ap);
+	vsnprintf(buf, sizeof(buf), fmt, ap);
 	va_end(ap);

 	log(LOG_WARNING,0,"%s: %s near line %d", configfilename, buf, lineno);
--- a/usr.sbin/mrouted/main.c
+++ b/usr.sbin/mrouted/main.c
@ -266,8 +266,6 @@ main(argc, argv)

 #ifdef SYSV
    srand48(time(NULL));
-#else
-    srandom(gethostid());
 #endif

    /*
@ -966,7 +964,7 @@ log(severity, syserr, format, va_alist)

    va_start(ap);
 #endif
-    vsprintf(&fmt[10], format, ap);
+    vsnprintf(&fmt[10], sizeof(fmt) - 10, format, ap);
    va_end(ap);
    msg = (severity == LOG_WARNING) ? fmt : &fmt[10];

@ -987,7 +985,7 @@ log(severity, syserr, format, va_alist)
    gettimeofday(&now,NULL);
    now_sec = now.tv_sec;
    thyme = localtime(&now_sec);
-    sprintf(logmsg[logmsgno++], "%02d:%02d:%02d.%03ld %s err %d",
+    snprintf(logmsg[logmsgno++], LOGMSGSIZE, "%02d:%02d:%02d.%03ld %s err %d",
 		    thyme->tm_hour, thyme->tm_min, thyme->tm_sec,
 		    now.tv_usec / 1000, msg, syserr);
    logmsgno %= NLOGMSGS;
--- a/usr.sbin/mrouted/mtrace.c
+++ b/usr.sbin/mrouted/mtrace.c
@ -1263,7 +1263,7 @@ send_recv(dst, type, code, tries, save, callback)
 #ifdef SYSV    
 	    TR_SETQID(query->tr_rttlqid, ((u_int32)lrand48() >> 8));
 #else
-	    TR_SETQID(query->tr_rttlqid, ((u_int32)random() >> 8));
+	    TR_SETQID(query->tr_rttlqid, ((u_int32)arc4random() >> 8));
 #endif

 	/*
@ -2745,8 +2745,6 @@ char *argv[];
    seed = tv.tv_usec ^ lcl_addr;
 #ifdef SYSV    
    srand48(seed);
-#else
-    srandom(seed);
 #endif

    /*
--- a/usr.sbin/mrouted/prune.c
+++ b/usr.sbin/mrouted/prune.c
@ -32,7 +32,7 @@ extern int allow_black_holes;
 #ifdef SYSV
 #define JITTERED_VALUE(x) ((x)/2 + (lrand48() % (x)))
 #else
-#define JITTERED_VALUE(x) ((x)/2 + (random() % (x)))
+#define JITTERED_VALUE(x) ((x)/2 + (arc4random() % (x)))
 #endif
 #define	CACHE_LIFETIME(x)	JITTERED_VALUE(x) /* XXX */