Package: librxtx-java
Version: 2.2pre2-10
Severity: important

Dear Maintainer,

I've noticed that large system paths produce a buffer overflow (other than 
reported in #673778). This error 
is produced if you use serial devices out of /dev/tty* (ie. 
/dev/serial/by-path/pci-0000:00:1d.0-usb-0:1.2:1.0).

I've detected the overflow in the message buffer and the lock file buffer. I 
evaluated the solution used in #673778, 
but that patch truncates not only messages (not very important) but also lock 
file names (critical). So, finally, I've replaced the 
sprintf and snprintf functions involving file[] and message[] with asprintf and 
free.

This patch was tested in Linux platform but not others.

Please, check this solution to fix overflows.


-- System Information:
Debian Release: wheezy/sid
  APT prefers precise-updates
  APT policy: (500, 'precise-updates'), (500, 'precise-security'), (500, 
'precise'), (100, 'precise-backports')
Architecture: amd64 (x86_64)

Kernel: Linux 3.5.0-41-generic (SMP w/4 CPU cores)
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to C.UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages librxtx-java depends on:
ii  libc6  2.15-0ubuntu10.5

librxtx-java recommends no packages.

librxtx-java suggests no packages.

-- no debconf information
--- a/src/SerialImp.c
+++ b/src/SerialImp.c
@@ -5821,7 +5821,7 @@ int is_device_locked( const char *port_f
 		LOCKDIR, NULL
 	};
 	const char *lockprefixes[] = { "LCK..", "lk..", "LK.", NULL };
-	char *p, file[80], pid_buffer[20], message[80];
+	char *p, *file, pid_buffer[20], *message;
 	int i = 0, j, k, fd , pid;
 	struct stat buf, buf2, lockbuf;
 
@@ -5862,19 +5862,22 @@ int is_device_locked( const char *port_f
 			while ( lockprefixes[k] )
 			{
 				/* FHS style */
-				sprintf( file, "%s/%s%s", lockdirs[i],
+				asprintf( &file, "%s/%s%s", lockdirs[i],
 					lockprefixes[k], p );
 				if( stat( file, &buf ) == 0 )
 				{
-					sprintf( message, UNEXPECTED_LOCK_FILE,
+					asprintf( &message, UNEXPECTED_LOCK_FILE,
 						file );
 					report_warning( message );
+					free( message );
+					free( file );
 					return 1;
 				}
+				free( file );
 
 				/* UUCP style */
 				stat(port_filename , &buf );
-				sprintf( file, "%s/%s%03d.%03d.%03d",
+				asprintf( &file, "%s/%s%03d.%03d.%03d",
 					lockdirs[i],
 					lockprefixes[k],
 					(int) major( buf.st_dev ),
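Review bot: None of the `asprintf` calls introduced here check the return value, so on allocation failure `file` (and `message`) are left undefined and the following `stat( file, &buf )` and `free( file )` operate on a garbage pointer. Each call should fail closed, for example `if( asprintf( &file, "%s/%s%s", lockdirs[i], lockprefixes[k], p ) < 0 ) return 1;`, and the same applies to every `asprintf` in the later hunks of SerialImp.c, lockdaemon.c and lockdaemon.c.noinetd. `asprintf` is also a GNU/BSD extension, which matters because this code carries `__unixware__` and `WIN32` conditionals and the report says only Linux was tested. The second `asprintf` call in this hunk continues past its last line.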
@@ -5883,11 +5886,14 @@ int is_device_locked( const char *port_f
 				);
 				if( stat( file, &buf ) == 0 )
 				{
-					sprintf( message, UNEXPECTED_LOCK_FILE,
+					asprintf( &message, UNEXPECTED_LOCK_FILE,
 						file );
 					report_warning( message );
+					free( message );
+					free( file );
 					return 1;
 				}
+				free( file );
 				k++;
 			}
 		}
@@ -5911,7 +5917,7 @@ int is_device_locked( const char *port_f
 #endif /* __unixware__ */
 		p--;
 	}
-	sprintf( file, "%s/%s%s", LOCKDIR, LOCKFILEPREFIX, p );
+	asprintf( &file, "%s/%s%s", LOCKDIR, LOCKFILEPREFIX, p );
 #else
 	/*  UUCP standard locks */
 	if ( stat( port_filename, &buf ) != 0 )
@@ -5919,7 +5925,7 @@ int is_device_locked( const char *port_f
 		report( "RXTX is_device_locked() could not find device.\n" );
 			return 1;
 	}
-	sprintf( file, "%s/LK.%03d.%03d.%03d",
+	asprintf( &file, "%s/LK.%03d.%03d.%03d",
 		LOCKDIR,
 		(int) major( buf.st_dev ),
  		(int) major( buf.st_rdev ),
@@ -5940,21 +5946,25 @@ int is_device_locked( const char *port_f
 
 		if( kill( (pid_t) pid, 0 ) && errno==ESRCH )
 		{
-			sprintf( message,
+			asprintf( &message,
 				"RXTX Warning:  Removing stale lock file. %s\n",
 				file );
 			report_warning( message );
+			free( message );
 			if( unlink( file ) != 0 )
 			{
-				snprintf( message, 80, "RXTX Error:  Unable to \
+				asprintf( &message, "RXTX Error:  Unable to \
 					remove stale lock file: %s\n",
 					file
 				);
 				report_warning( message );
+				free( message );
+				free( file );
 				return 1;
 			}
 		}
 	}
+	free(file);
 	return 0;
 }
 #endif /* WIN32 */
--- a/src/lfd/lockdaemon.c
+++ b/src/lfd/lockdaemon.c
@@ -120,8 +120,8 @@ int fhs_lock( const char *filename, int
 	 *
 	 */
 	int fd,j;
-	char lockinfo[12], message[80];
-	char file[80], *p;
+	char lockinfo[12];
+	char *file, *p, *message;
 
 	j = strlen( filename );
 	p = ( char * ) filename + j;
@@ -136,24 +136,28 @@ int fhs_lock( const char *filename, int
 #endif /* __unixware__ */
 		p--;
 	}
-	sprintf( file, "%s/LCK..%s", LOCKDIR, p );
 	if ( check_lock_status( filename ) )
 	{
 		/* syslog( LOG_INFO, "fhs_lock() lockstatus fail\n" ); */
 		return 1;
 	}
+	asprintf( &file, "%s/LCK..%s", LOCKDIR, p );
 	fd = open( file, O_CREAT | O_WRONLY | O_EXCL, 0444 );
 	if( fd < 0 )
 	{
-		sprintf( message,
+		asprintf( &message,
 			"RXTX fhs_lock() Error: creating lock file: %s: %s\n",
 			file, strerror(errno) );
 		syslog( LOG_INFO, message );
+		free(message);
+		free(file);
 		return 1;
 	}
 	sprintf( lockinfo, "%10d\n", pid );
-	sprintf( message, "fhs_lock: creating lockfile: %s\n", lockinfo );
+	//asprintf( &message, "fhs_lock: creating lockfile: %s\n", lockinfo );
 	//syslog( LOG_INFO, message );
+	//free(message);
+	free(file);
 	write( fd, lockinfo, 11 );
 	close( fd );
 	return 0;
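Review bot: `syslog( LOG_INFO, message )` in the `fd < 0` branch passes a string built from the lock file path as the format argument, so any `%` in the device name reaches syslog as a conversion specification. With the 80-byte buffer gone the whole path now lands in that string; passing the format directly removes both the risk and the allocation: `syslog( LOG_INFO, "RXTX fhs_lock() Error: creating lock file: %s: %s\n", file, strerror(errno) );`. The same pattern appears at the other `syslog( LOG_INFO, message )` calls in lockdaemon.c and lockdaemon.c.noinetd. The results of `write` and `close` on the lock file are still ignored at the end of the hunk, so a lock file without a PID in it would go unnoticed. fhs_lock begins above this hunk.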
@@ -563,7 +567,7 @@ int is_device_locked( const char *port_f
 		LOCKDIR, NULL
 	};
 	const char *lockprefixes[] = { "LCK..", "lk..", "LK.", NULL }; 
-	char *p, file[80], pid_buffer[20], message[80];
+	char *p, *file, pid_buffer[20], *message;
 	int i = 0, j, k, fd , pid;
 	struct stat buf;
 	struct stat buf2;
@@ -602,19 +606,22 @@ int is_device_locked( const char *port_f
 			while ( lockprefixes[k] )
 			{
 				/* FHS style */
-				sprintf( file, "%s/%s%s", lockdirs[i],
+				asprintf( &file, "%s/%s%s", lockdirs[i],
 					lockprefixes[k], p );
 				if( stat( file, &buf ) == 0 )
 				{
-					sprintf( message, UNEXPECTED_LOCK_FILE,
+					asprintf( &message, UNEXPECTED_LOCK_FILE,
 						file );
 					syslog( LOG_INFO, message );
+					free( message );
+					free( file );
 					return 1;
 				}
+				free( file );
 
 				/* UUCP style */
 				stat(port_filename , &buf );
-				sprintf( file, "%s/%s%03d.%03d.%03d",
+				asprintf( &file, "%s/%s%03d.%03d.%03d",
 					lockdirs[i],
 					lockprefixes[k],
 					(int) major( buf.st_dev ),
@@ -623,11 +630,14 @@ int is_device_locked( const char *port_f
 				);
 				if( stat( file, &buf ) == 0 )
 				{
-					sprintf( message, UNEXPECTED_LOCK_FILE,
+					asprintf( &message, UNEXPECTED_LOCK_FILE,
 						file );
 					syslog( LOG_INFO, message );
+					free( message );
+					free( file );
 					return 1;
 				}
+				free( file );
 				k++;
 			}
 		}
@@ -651,10 +661,10 @@ int is_device_locked( const char *port_f
 #endif /* __unixware__ */
 		p--;
 	}
-	sprintf( file, "%s/%s%s", LOCKDIR, LOCKFILEPREFIX, p );
+	asprintf( &file, "%s/%s%s", LOCKDIR, LOCKFILEPREFIX, p );
 #else 
 	/*  UUCP standard locks */
-	sprintf( file, "%s/LK.%03d.%03d.%03d",
+	asprintf( &file, "%s/LK.%03d.%03d.%03d",
 		LOCKDIR,
 		(int) major( buf.st_dev ),
  		(int) major( buf.st_rdev ),
@@ -672,32 +682,39 @@ int is_device_locked( const char *port_f
 		/* FIXME null terminiate pid_buffer? need to check in Solaris */
 		close( fd );
 		sscanf( pid_buffer, "%d", &pid );
-		sprintf( message, "found lock for %s with pid %i\n", file, pid );
+		/* asprintf( &message, "found lock for %s with pid %i\n", file, pid ); */
 		/* syslog( LOG_INFO, message ); */
+		/* free( message ); */
 
 		if( kill( (pid_t) pid, 0 ) && errno==ESRCH )
 		{
-			sprintf( message,
+			asprintf( &message,
 				"RXTX Warning:  Removing stale lock file. %s\n",
 				file );
 			syslog( LOG_INFO, message );
+			free( message );
 			if( unlink( file ) != 0 )
 			{
-				snprintf( message, 80, "RXTX Error:  Unable to \
+				asprintf( &message, "RXTX Error:  Unable to \
 					remove stale lock file: %s\n",
 					file
 				);
 				syslog( LOG_INFO, message );
+				free( message );
+				free( file );
 				return 0;
 			}
 		}
 		else
 		{
-			sprintf( message, "could not kill %i\n", pid );
+			/* asprintf( &message, "could not kill %i\n", pid ); */
 			/* syslog( LOG_INFO, message ); */
+			/* free( message ); */
+			free( file );
 			return 1;
 		}
 	}
+	free( file );
 	return 0;
 }
 int init( void )
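Review bot: The unlink-failure branch now frees both buffers and then returns 0, which reports the device as not locked even though the stale lock file is still present; the same branch in SerialImp.c and lockdaemon.c.noinetd returns 1. If that difference is not intentional, the line should read `return 1;`. Separately, `pid` is parsed with `sscanf` from a `pid_buffer` that the FIXME above says may not be NUL-terminated, and the result of `sscanf` is not checked before `kill( (pid_t) pid, 0 )` decides whether the lock file is unlinked. is_device_locked starts above this hunk.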
--- a/src/lfd/lockdaemon.c.noinetd
+++ b/src/lfd/lockdaemon.c.noinetd
@@ -119,8 +119,8 @@ int fhs_lock( const char *filename, int
 	 *
 	 */
 	int fd,j;
-	char lockinfo[12], message[80];
-	char file[80], *p;
+	char lockinfo[12];
+	char *file, *p, *message;
 
 	j = strlen( filename );
 	p = ( char * ) filename + j;
@@ -135,24 +135,28 @@ int fhs_lock( const char *filename, int
 #endif /* __unixware__ */
 		p--;
 	}
-	sprintf( file, "%s/LCK..%s", LOCKDIR, p );
 	if ( check_lock_status( filename ) )
 	{
 		syslog( LOG_INFO, "fhs_lock() lockstatus fail\n" );
 		return 1;
 	}
+	asprintf( &file, "%s/LCK..%s", LOCKDIR, p );
 	fd = open( file, O_CREAT | O_WRONLY | O_EXCL, 0444 );
 	if( fd < 0 )
 	{
-		sprintf( message,
+		asprintf( &message,
 			"RXTX fhs_lock() Error: creating lock file: %s: %s\n",
 			file, strerror(errno) );
 		syslog( LOG_INFO, message );
+		free(message);
+		free(file);
 		return 1;
 	}
 	sprintf( lockinfo, "%10d\n", pid );
-	sprintf( message, "fhs_lock: creating lockfile: %s\n", lockinfo );
+	asprintf( &message, "fhs_lock: creating lockfile: %s\n", lockinfo );
 	syslog( LOG_INFO, message );
+	free( message );
+	free( file );
 	write( fd, lockinfo, 11 );
 	close( fd );
 	return 0;
@@ -556,7 +560,7 @@ int is_device_locked( const char *port_f
 		LOCKDIR, NULL
 	};
 	const char *lockprefixes[] = { "LCK..", "lk..", "LK.", NULL }; 
-	char *p, file[80], pid_buffer[20], message[80];
+	char *p, *file, pid_buffer[20], *message;
 	int i = 0, j, k, fd , pid;
 	struct stat buf;
 	struct stat buf2;
@@ -595,19 +599,22 @@ int is_device_locked( const char *port_f
 			while ( lockprefixes[k] )
 			{
 				/* FHS style */
-				sprintf( file, "%s/%s%s", lockdirs[i],
+				asprintf( &file, "%s/%s%s", lockdirs[i],
 					lockprefixes[k], p );
 				if( stat( file, &buf ) == 0 )
 				{
-					sprintf( message, UNEXPECTED_LOCK_FILE,
+					asprintf( &message, UNEXPECTED_LOCK_FILE,
 						file );
 					syslog( LOG_INFO, message );
+					free( message );
+					free( file );
 					return 1;
 				}
+				free( file );
 
 				/* UUCP style */
 				stat(port_filename , &buf );
-				sprintf( file, "%s/%s%03d.%03d.%03d",
+				asprintf( &file, "%s/%s%03d.%03d.%03d",
 					lockdirs[i],
 					lockprefixes[k],
 					(int) major( buf.st_dev ),
@@ -616,11 +623,14 @@ int is_device_locked( const char *port_f
 				);
 				if( stat( file, &buf ) == 0 )
 				{
-					sprintf( message, UNEXPECTED_LOCK_FILE,
+					asprintf( &message, UNEXPECTED_LOCK_FILE,
 						file );
 					syslog( LOG_INFO, message );
+					free( message );
+					free( file );
 					return 1;
 				}
+				free( file );
 				k++;
 			}
 		}
@@ -644,7 +654,7 @@ int is_device_locked( const char *port_f
 #endif /* __unixware__ */
 		p--;
 	}
-	sprintf( file, "%s/%s%s", LOCKDIR, LOCKFILEPREFIX, p );
+	asprintf( &file, "%s/%s%s", LOCKDIR, LOCKFILEPREFIX, p );
 #else 
 	/*  UUCP standard locks */
 	if ( stat( port_filename, &buf ) != 0 )
@@ -656,7 +666,7 @@ int is_device_locked( const char *port_f
 		syslog( LOG_INFO, message );
 		return 1;
 	}
-	sprintf( file, "%s/LK.%03d.%03d.%03d",
+	asprintf( &file, "%s/LK.%03d.%03d.%03d",
 		LOCKDIR,
 		(int) major( buf.st_dev ),
  		(int) major( buf.st_rdev ),
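Review bot: `syslog( LOG_INFO, message )` at the top of this hunk reads `message`, which this patch turns into a `char *` that nothing visible has assigned on this path. The statement that fills it sits above the hunk and is not among the changed lines, so if it is still a `sprintf( message, ... )` it now writes through an uninitialised pointer. Either pass the text to syslog directly as the argument of a `"%s"` format, or convert that line to `asprintf` and add `free( message );` before `return 1;`.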
@@ -677,10 +687,11 @@ int is_device_locked( const char *port_f
 
 		if( kill( (pid_t) pid, 0 ) && errno==ESRCH )
 		{
-			sprintf( message,
+			asprintf( &message,
 				"RXTX Warning:  Removing stale lock file. %s\n",
 				file );
 			syslog( LOG_INFO, message );
+			free( message );
 			if( unlink( file ) != 0 )
 			{
 				snprintf( message, 80, "RXTX Error:  Unable to \
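Review bot: The `snprintf( message, 80, ...` on the last line of this hunk was not converted, yet `message` is now a `char *` that the added `free( message );` just before the `unlink` check has already released, so it writes up to 80 bytes into freed memory. The next hunk then adds another `free( message );` on the same pointer, which makes it a double free as well. The other two files already use the right form at this spot: `asprintf( &message, "RXTX Error:  Unable to \` followed by the existing continuation lines. The block runs on into the next hunk.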
@@ -688,10 +699,13 @@ int is_device_locked( const char *port_f
 					file
 				);
 				syslog( LOG_INFO, message );
+				free( message );
+				free( file );
 				return 1;
 			}
 		}
 	}
+	free( file );
 	return 0;
 }
 int init( void )
