From 92deddd6a336a8c76f90d50b502c238780fdccb5 Mon Sep 17 00:00:00 2001
From: nhmall
Date: Mon, 20 Jan 2020 16:08:11 -0500
Subject: [PATCH] use vsnprintf instead of vsprintf in pline.c
---
 doc/fixes36.5 | 1 +
 include/vmsconf.h | 5 +++++
 src/pline.c | 48 +++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 54 insertions(+)
diff --git a/doc/fixes36.5 b/doc/fixes36.5
index 18b38439a..514e59c01 100644
--- a/doc/fixes36.5
+++ b/doc/fixes36.5
@@ -15,6 +15,7 @@ fix potential buffer overflow in sym_val()
 fix potential buffer overflow in pline(), raw_printf(), and config_error_add() via bad config file values or command line arguments
 fix potential buffer overflow in choose_windows()
+use vsnprintf instead of vsprintf in pline.c where possible
 Fixes to Post-3.6.4 Problems that Were Exposed Via git Repository
diff --git a/include/vmsconf.h b/include/vmsconf.h
index a815e704a..dbfbff948 100644
--- a/include/vmsconf.h
+++ b/include/vmsconf.h
@@ -168,6 +168,11 @@ PANICTRACE_GDB=2 #at conclusion of panic, show a call traceback and then
 #define FCMASK 0660 /* file creation mask */
+/*
+ *
+ */
+#define NO_VSNPRINTF /* Avoid vsnprintf, use less-safe vsprintf instead. */
+
 /*
 * The remainder of the file should not need to be changed.
 */
diff --git a/src/pline.c b/src/pline.c
index 9b5fc31de..19cafd372 100644
--- a/src/pline.c
+++ b/src/pline.c
@@ -125,6 +125,9 @@ VA_DECL(const char *, line)
 char pbuf[BIGBUFSZ]; /* will get chopped down to BUFSZ-1 if longer */
 int ln;
 int msgtyp;
+#if !defined(NO_VSNPRINTF)
+ int vlen = 0;
+#endif
 boolean no_repeat;
 /* Do NOT use VA_START and VA_END in here... see above */
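Review bot: The comment block added above `#define NO_VSNPRINTF` in include/vmsconf.h is empty (`/*`, ` *`, ` */`), so nothing records why this port opts out of the bounded formatter. With the define set, pline(), raw_printf(), impossible() and config_error_add() all stay on the `#else` branch and keep formatting into a fixed `BIGBUFSZ` buffer with the unbounded `Vsprintf`. I would fill the block in along the lines of `/* vsnprintf is assumed to be unavailable on this port (TODO: confirm and state the reason); pline.c then falls back to vsprintf, so formatted output is not length-checked here. */`.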
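Review bot: `vlen` is declared in this hunk under `#if !defined(NO_VSNPRINTF)`, but the later hunks read it only inside `#if (NH_DEVEL_STATUS != NH_STATUS_RELEASED) && defined(DEBUG)`, so in a released or non-DEBUG build it is assigned and never used. That will likely draw a set-but-unused warning, and the same declaration is repeated in raw_printf(), impossible() and config_error_add(). Adding `(void) vlen;` after the debug-only block, or declaring `vlen` under the same condition as the check, keeps those builds clean. The body of pline() starts and ends outside this hunk.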
@@ -138,7 +141,16 @@ VA_DECL(const char *, line)
 return;
 if (index(line, '%')) {
+#if !defined(NO_VSNPRINTF)
+ vlen = vsnprintf(pbuf, sizeof pbuf, line, VA_ARGS);
+#if (NH_DEVEL_STATUS != NH_STATUS_RELEASED) && defined(DEBUG)
+ if (vlen >= (int) sizeof pbuf)
+ panic("pline", "truncation of buffer at %zu of %d bytes",
+ sizeof pbuf, vlen);
+#endif
+#else
 Vsprintf(pbuf, line, VA_ARGS);
+#endif
 line = pbuf;
 }
 if ((ln = (int) strlen(line)) > BUFSZ - 1) {
@@ -447,11 +459,23 @@ void raw_printf
 VA_DECL(const char *, line)
 #endif
 {
+#if !defined(NO_VSNPRINTF)
+ int vlen = 0;
+#endif
 char pbuf[BIGBUFSZ]; /* will be chopped down to BUFSZ-1 if longer */
 /* Do NOT use VA_START and VA_END in here... see above */
 if (index(line, '%')) {
+#if !defined(NO_VSNPRINTF)
+ vlen = vsnprintf(pbuf, sizeof pbuf, line, VA_ARGS);
+#if (NH_DEVEL_STATUS != NH_STATUS_RELEASED) && defined(DEBUG)
+ if (vlen >= (int) sizeof pbuf)
+ panic("raw_printf", "truncation of buffer at %zu of %d bytes",
+ sizeof pbuf, vlen);
+#endif
+#else
 Vsprintf(pbuf, line, VA_ARGS);
+#endif
 line = pbuf;
 }
 if ((int) strlen(line) > BUFSZ - 1) {
@@ -473,6 +497,9 @@ VA_DECL(const char *, line)
 void impossible
 VA_DECL(const char *, s)
 {
+#if !defined(NO_VSNPRINTF)
+ int vlen = 0;
+#endif
 char pbuf[BIGBUFSZ]; /* will be chopped down to BUFSZ-1 if longer */
 VA_START(s);
@@ -481,7 +508,16 @@ VA_DECL(const char *, s)
 panic("impossible called impossible");
 program_state.in_impossible = 1;
+#if !defined(NO_VSNPRINTF)
+ vlen = vsnprintf(pbuf, sizeof pbuf, s, VA_ARGS);
+#if (NH_DEVEL_STATUS != NH_STATUS_RELEASED) && defined(DEBUG)
+ if (vlen >= (int) sizeof pbuf)
+ panic("impossible", "truncation of buffer at %zu of %d bytes",
+ sizeof pbuf, vlen);
+#endif
+#else
 Vsprintf(pbuf, s, VA_ARGS);
+#endif
 pbuf[BUFSZ - 1] = '\0'; /* sanity */
 paniclog("impossible", pbuf);
 if (iflags.debug_fuzzer)
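Review bot: The new `panic("pline", "truncation of buffer at %zu of %d bytes", sizeof pbuf, vlen)` call passes the function name as the first argument, whereas the existing `panic("impossible called impossible")` in this file passes the message first. If panic() takes a printf-style format as its first parameter, which that call suggests, the format here is just "pline" and the truncation details are never printed. The same call shape is repeated in raw_printf(), impossible() and config_error_add(). I would write `panic("%s: truncation of buffer at %zu of %d bytes", "pline", sizeof pbuf, vlen);` in each. `%zu` also relies on a C99-aware formatter behind panic(), so `%lu` with `(unsigned long) sizeof pbuf` may be safer for older toolchains.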
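Review bot: In raw_printf() the result of `vsnprintf` is only compared with `sizeof pbuf`, so a negative return (a formatting error, or a pre-C99 implementation that reports truncation as -1) goes unnoticed, and `strlen(line)` then runs on a buffer that may not be terminated. pline() in the first hunk has the same sequence, whereas impossible() and config_error_add() force `pbuf[BUFSZ - 1] = '\0'` afterwards. Terminating unconditionally after the call closes the gap in every build, not only DEBUG ones: `if (vlen < 0) pbuf[0] = '\0';` followed by `pbuf[sizeof pbuf - 1] = '\0';`. The body of raw_printf() continues past the end of this hunk.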
@@ -574,9 +610,21 @@ config_error_add
 VA_DECL(const char *, str)
 #endif /* ?(USE_STDARG || USE_VARARG) */
 { /* start of vconf...() or of nested block in USE_OLDARG's conf...() */
+#if !defined(NO_VSNPRINTF)
+ int vlen = 0;
+#endif
 char buf[BIGBUFSZ]; /* will be chopped down to BUFSZ-1 if longer */
+#if !defined(NO_VSNPRINTF)
+ vlen = vsnprintf(buf, sizeof buf, str, VA_ARGS);
+#if (NH_DEVEL_STATUS != NH_STATUS_RELEASED) && defined(DEBUG)
+ if (vlen >= (int) sizeof buf)
+ panic("config_error_add", "truncation of buffer at %zu of %d bytes",
+ sizeof buf, vlen);
+#endif
+#else
 Vsprintf(buf, str, VA_ARGS);
+#endif
 buf[BUFSZ - 1] = '\0';
 config_erradd(buf);