packages/quota
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
quota/0005-quota-4.04-warnquota-Check-snprintf-for-overflows.patch
overweight 34566f3278 Package init
2019-09-30 11:16:07 -04:00

77 lines
3.3 KiB
Diff
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

From eeef53917864600e0f5ac42ce5c3d884967012a1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Mon, 5 Feb 2018 10:31:47 +0100
Subject: [PATCH 1/2] warnquota: Check snprintf() for overflows
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
GCC 8 with GNU libc 2.27 prerelease warns:
gcc -DHAVE_CONFIG_H -I. -g -O2 -Wall -fPIC -I/usr/include/tirpc -c -o warnquota.o warnquota.c
warnquota.c: In function lookup_user:
warnquota.c:415:29: warning: %s directive output may be truncated writing up to 2047 bytes into a region of size 255 [-Wformat-truncation=]
snprintf(searchbuf, 256, "(%s=%s)", config->ldap_search_attr, user);
^~
warnquota.c:415:2: note: snprintf output 4 or more bytes (assuming 2051) into a destination of size 256
snprintf(searchbuf, 256, "(%s=%s)", config->ldap_search_attr, user);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
warnquota.c: In function warn_quota:
warnquota.c:896:51: warning: %s directive output may be truncated writing up to 2047 bytes into a region of size 2041 [-Wformat-truncation=]
snprintf(config->ldap_uri, CNF_BUFFER, "ldap://%s:%d", config->ldap_host, config->ldap_port);
^~ ~~~~~~~~~~~~~~~~~
warnquota.c:896:4: note: snprintf output between 10 and 2067 bytes into a destination of size 2048
snprintf(config->ldap_uri, CNF_BUFFER, "ldap://%s:%d", config->ldap_host, config->ldap_port);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This is patch fixes it by catching the cases when snprintf() truncates and
reporting an error.
Perfect fix would fall back into dynamically allocated buffers but
I think that would make these corner case too complicated provided
nobody had yet complained about them.
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
warnquota.c | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/warnquota.c b/warnquota.c
index 073c45e..bc11055 100644
--- a/warnquota.c
+++ b/warnquota.c
@@ -412,7 +412,13 @@ static char *lookup_user(struct configparams *config, char *user)
}
/* search for the offender_name in ldap */
- snprintf(searchbuf, 256, "(%s=%s)", config->ldap_search_attr, user);
+ if (256 <= snprintf(searchbuf, 256, "(%s=%s)", config->ldap_search_attr,
+ user)) {
+ errstr(_("Could not format LDAP search filter for %s user and "
+ "%s search attribute due to excessive length.\n"),
+ user, config->ldap_search_attr);
+ return NULL;
+ }
ret = ldap_search_ext_s(ldapconn,
config->ldap_basedn, LDAP_SCOPE_SUBTREE,
searchbuf, NULL, 0, NULL, NULL, NULL,
@@ -893,7 +899,14 @@ cc_parse_err:
if (config->use_ldap_mail)
{
if (!config->ldap_uri[0]) {
- snprintf(config->ldap_uri, CNF_BUFFER, "ldap://%s:%d", config->ldap_host, config->ldap_port);
+ if (CNF_BUFFER <= snprintf(config->ldap_uri, CNF_BUFFER,
+ "ldap://%s:%d", config->ldap_host,
+ config->ldap_port)) {
+ errstr(_("Could not format LDAP URI because "
+ "it's longer than %d bytes.\n"),
+ CNF_BUFFER);
+ return -1;
+ }
errstr(_("LDAP library version >= 2.3 detected. Please use LDAP_URI instead of hostname and port.\nGenerated URI %s\n"), config->ldap_uri);
}
}
--
2.13.6
Reference in New Issue View Git Blame Copy Permalink