syslog()
daemon@ATHENA.MIT.EDU (Mark A. Fullmer)
Tue Aug 29 22:23:11 1995
Date: Tue, 29 Aug 1995 09:22:15 -0400
Reply-To: maf@net.ohio-state.edu
From: "Mark A. Fullmer" <maf@net.ohio-state.edu>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
The syslog() problem is pretty severe since a lot more than just sendmail
is involved.
A few months ago my pager software would crash in strange ways. It turned
out that

    report (LOG_INFO,
            "%s: from=%s, size=%d, to=%s, status=%x, msg=%s",
            qfname, sender, entry->messagelen, recipient, entry->status, message);

was crashing inside report() -- report() is a little syslog/fprintf front
end I borrowed out of bootpd.
report() basically is

    static char buf[128];
    ...
    vsprintf(buf, fmt, ap);

no bounds checking...
Unfortunately syslog() is the same thing. One snprintf() I found doesn't
actually use the 'n' for bounds checking.. ugh. Another implements it
like:
    static char *rcsid = "snprintf.c,v 1.3 1993/08/26 00:47:24 jtc Exp";
    f._flags = __SWR | __SSTR;
    f._bf._base = f._p = (unsigned char *)str;
    f._bf._size = f._w = n - 1;
    ret = vfprintf(&f, fmt, ap);

This is stdio implementation specific code though.
As a quick workaround I ended up doing

report.c:

    static char buf[4096]; /* evil */

and

    report (LOG_INFO,
            "%.512s: from=%.512s, size=%d, to=%.512s, status=%x, msg=%.512s",
            qfname, sender, entry->messagelen, recipient, entry->status, message);
on all calls to report()... This still makes an assumption that buf is 4K
or so, which is not true on all systems. Grabbing a bunch of syslog.c's
found by archie showed at least one that had a really small buffer.
Kinda makes you wonder if a really long domain name might just be able
to crash anything that uses syslog(LOG_WHATEVER, "hostname:%s", host)..
--
mark
maf+@osu.edu
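An added example, not code from Mark's post or from bootpd: a bounded version of the report() front end described above, built on vsnprintf() so the fixed buffer cannot overflow and the caller can tell when a message was cut short, plus the %.Ns precision trick from the workaround applied to the hostname case. The names report_bounded(), format_host_line() and BUF_SZ are assumed for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Example code, not from the original post. BUF_SZ matches the 128-byte
 * buffer the post's report() used, so the truncation path is easy to hit. */
#define BUF_SZ 128

/* Format into a fixed buffer the way report() did, but with vsnprintf():
 * the buffer is never written past bufsz and is always NUL-terminated.
 * Returns 1 if the message had to be truncated, 0 if it fit. */
static int report_bounded(char *buf, size_t bufsz, const char *fmt, ...)
{
    va_list ap;
    int need;

    va_start(ap, fmt);
    need = vsnprintf(buf, bufsz, fmt, ap); /* returns the length it wanted */
    va_end(ap);
    return need < 0 || (size_t)need >= bufsz;
}

/* The post's workaround in isolation: a precision such as %.16s caps how
 * much of a string argument printf copies, however long the argument is.
 * Returns the length of the formatted line. */
static size_t format_host_line(char *buf, size_t bufsz, const char *host)
{
    snprintf(buf, bufsz, "hostname:%.16s", host);
    return strlen(buf);
}

int main(void)
{
    char buf[BUF_SZ];
    char host[1024]; /* constructed input: a "hostname" far longer than buf */

    memset(host, 'a', sizeof host - 1);
    host[sizeof host - 1] = '\0';

    printf("truncated=%d len=%zu\n",
           report_bounded(buf, sizeof buf, "hostname:%s", host), strlen(buf));
    printf("precision-capped len=%zu\n",
           format_host_line(buf, sizeof buf, host));
    return 0;
}
```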