Source-Changes-HG archive


[src/netbsd-1-4]: src/usr.sbin/amd/libamu pull up rev 1.4 from trunk (request...



details:   https://anonhg.NetBSD.org/src/rev/9932b761a648
branches:  netbsd-1-4
changeset: 469454:9932b761a648
user:      cgd <cgd%NetBSD.org@localhost>
date:      Tue Sep 21 04:58:32 1999 +0000

description:
pull up rev 1.4 from trunk (requested by christos):
  Upgrade amd(8) and related software to fix exploitable stack overflows
  in amq(8), as reported in BUGTRAQ and elsewhere.

diffstat:

 usr.sbin/amd/libamu/xutil.c |  49 ++++++++++++++++++++++++++++++++------------
 1 files changed, 35 insertions(+), 14 deletions(-)

diffs (118 lines):

diff -r 56c63cf58b27 -r 9932b761a648 usr.sbin/amd/libamu/xutil.c
--- a/usr.sbin/amd/libamu/xutil.c       Tue Sep 21 04:58:27 1999 +0000
+++ b/usr.sbin/amd/libamu/xutil.c       Tue Sep 21 04:58:32 1999 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: xutil.c,v 1.3 1999/02/01 19:05:13 christos Exp $       */
+/*     $NetBSD: xutil.c,v 1.3.2.1 1999/09/21 04:58:32 cgd Exp $        */
 
 /*
  * Copyright (c) 1997-1999 Erez Zadok
@@ -40,7 +40,7 @@
  *
  *      %W% (Berkeley) %G%
  *
- * Id: xutil.c,v 1.3 1999/01/10 21:54:39 ezk Exp 
+ * Id: xutil.c,v 1.5 1999/08/24 21:31:10 ezk Exp 
  *
  */
 
@@ -50,7 +50,12 @@
 #include <am_defs.h>
 #include <amu.h>
 
-FILE *logfp = stderr;          /* Log errors to stderr initially */
+/*
+ * Logfp is the default logging device, and is initialized to stderr by
+ * default in dplog/plog below, and in
+ * amd/amfs_program.c:amfs_program_exec().
+ */
+FILE *logfp = NULL;
 
 static char *am_progname = "unknown";  /* "amd" */
 static char am_hostname[MAXHOSTNAMELEN + 1] = "unknown"; /* Hostname */
@@ -274,34 +279,38 @@
 
 /*
  * Take a log format string and expand occurrences of %m
- * with the current error code taken from errno.
+ * with the current error code taken from errno.  Make sure
+ * 'e' never gets longer than maxlen characters.
  */
 static void
-expand_error(char *f, char *e)
+expand_error(char *f, char *e, int maxlen)
 {
   extern int sys_nerr;
-  char *p;
+  char *p, *q;
   int error = errno;
+  int len = 0;
 
-  for (p = f; (*e = *p); e++, p++) {
+  for (p = f, q = e; (*q = *p) && len < maxlen; len++, q++, p++) {
     if (p[0] == '%' && p[1] == 'm') {
+      const char *errstr;
 #ifdef HAVE_STRERROR
-      strcpy(e, strerror(error));
+      errstr = strerror(error);
 #else
-      const char *errstr;
       if (error < 0 || error >= sys_nerr)
        errstr = NULL;
       else
        errstr = sys_errlist[error];
+#endif
       if (errstr)
-       strcpy(e, errstr);
+       strcpy(q, errstr);
       else
-       sprintf(e, "Error %d", error);
-#endif
-      e += strlen(e) - 1;
+       sprintf(q, "Error %d", error);
+      len += strlen(q) - 1;
+      q += strlen(q) - 1;
       p++;
     }
   }
+  e[maxlen-1] = '\0';          /* null terminate, to be sure */
 }
 
 
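Review bot: The `%m` expansion in `expand_error` is still unbounded: `strcpy(q, errstr)` and `sprintf(q, "Error %d", error)` write the whole message at `q` without consulting `maxlen`, so a `%m` near the end of a long format runs past `e` before the loop condition is evaluated again. The loop test `(*q = *p) && len < maxlen` also stores before it checks, so once `len` reaches `maxlen` one byte lands at `e[maxlen]`. The trailing `e[maxlen-1] = '\0'` only truncates after the out-of-bounds write has already happened. Bounding each copy by the space that is left, as sketched below, keeps every store inside `maxlen` bytes and lets the terminator go at `q`.

```c
static void
expand_error(char *f, char *e, int maxlen)
{
  /* ... unchanged: sys_nerr, p, q, error, len declarations ... */
  char numbuf[32];              /* holds "Error <n>" when no message exists */

  /* assumes maxlen >= 1; one byte is always reserved for the terminator */
  for (p = f, q = e; *p && len < maxlen - 1; p++) {
    if (p[0] == '%' && p[1] == 'm') {
      const char *errstr;
      int room = maxlen - 1 - len;
      int n;
      /* ... unchanged: errstr lookup via strerror() / sys_errlist ... */
      if (!errstr) {
        sprintf(numbuf, "Error %d", error);
        errstr = numbuf;
      }
      n = (int) strlen(errstr);
      if (n > room)
        n = room;               /* truncate the message, never overrun e */
      memcpy(q, errstr, n);
      q += n;
      len += n;
      p++;                      /* skip the 'm' */
    } else {
      *q++ = *p;
      len++;
    }
  }
  *q = '\0';                    /* q <= e + maxlen - 1 here */
}
```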
@@ -373,6 +382,9 @@
 {
   va_list ap;
 
+  if (!logfp)
+    logfp = stderr;            /* initialize before possible first use */
+
   va_start(ap, fmt);
   real_plog(XLOG_DEBUG, fmt, ap);
   va_end(ap);
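Review bot: The `if (!logfp) logfp = stderr;` guard is duplicated here and in the next hunk, and its comment `/* initialize before possible first use */` does not say why `logfp` can be NULL. Both entry points call `real_plog`, so doing the check once there (or in a small static helper) would keep them from drifting apart. A comment such as `/* logfp starts out NULL; default to stderr on the first log call */` would record the reason. Code elsewhere that reads `logfp` directly before either function runs is not visible in this diff and would now see NULL. Both function bodies begin outside their hunks.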
@@ -385,6 +397,9 @@
 {
   va_list ap;
 
+  if (!logfp)
+    logfp = stderr;            /* initialize before possible first use */
+
   va_start(ap, fmt);
   real_plog(lvl, fmt, ap);
   va_end(ap);
@@ -407,9 +422,15 @@
   checkup_mem();
 #endif /* DEBUG_MEM */
 
-  expand_error(fmt, efmt);
+  expand_error(fmt, efmt, 1024);
 
+  /*
+   * XXX: ptr is 1024 bytes long.  It is possible to write into it
+   * more than 1024 bytes, if efmt is already large, and vargs expand
+   * as well.
+   */
   vsprintf(ptr, efmt, vargs);
+  msg[1023] = '\0';            /* null terminate, to be sure */
 
   ptr += strlen(ptr);
   if (ptr[-1] == '\n')
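Review bot: `vsprintf(ptr, efmt, vargs)` remains an unbounded write, as the added XXX comment itself says. `msg[1023] = '\0'` runs only after any overrun has occurred, so it limits later reads but not the write into the buffer. A bounded call such as `vsnprintf(ptr, 1024 - (ptr - msg), efmt, vargs);` would close it, assuming `ptr` points into the 1024-byte `msg`, whose declaration is outside this hunk. The literal `1024` passed to `expand_error` would be safer as `sizeof(efmt)` if `efmt` is an array in this function. The function's start and end are outside the hunk.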


