OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org Name: Torsten Homeyer
Root: /e/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-src Date: 08-Jul-2004 14:34:50
Branch: OPENPKG_2_0_SOLID Handle: 2004070813345000
Added files: (Branch: OPENPKG_2_0_SOLID)
openpkg-src/dhcpd dhcpd.patch
Modified files: (Branch: OPENPKG_2_0_SOLID)
openpkg-src/dhcpd dhcpd.spec
Log:
SA-2004.031; CAN-2004-0460, CAN-2004-0461
Summary:
Revision Changes Path
1.4.2.1 +482 -0 openpkg-src/dhcpd/dhcpd.patch
1.56.2.2 +3 -1 openpkg-src/dhcpd/dhcpd.spec
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-src/dhcpd/dhcpd.patch
============================================================================
$ cvs diff -u -r0 -r1.4.2.1 dhcpd.patch
--- /dev/null 2004-07-08 14:34:50.000000000 +0200
+++ dhcpd.patch 2004-07-08 14:34:50.000000000 +0200
@@ -0,0 +1,482 @@
+Index: includes/cf/aix.h
+--- includes/cf/aix.h.orig 2004-07-08 13:09:10 +0200
++++ includes/cf/aix.h 2004-07-08 13:10:32 +0200
+@@ -85,8 +85,9 @@
+ #define VA_start(list, last) va_start (list)
+ #define va_dcl
+
+-#define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list)
+-#define NO_SNPRINTF
++#ifdef NO_SNPRINTF
++# undef NO_SNPRINTF
++#endif
+
+ #define EOL '\n'
+ #define VOIDPTR void *
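Review bot: The replacement block `#ifdef NO_SNPRINTF` / `# undef NO_SNPRINTF` carries no comment saying why the `vsnprintf`-to-`vsprintf` mapping must not come back, and the `#ifdef` guard adds nothing because `#undef` of an undefined name is already a no-op. A one-line comment such as `/* Never map vsnprintf to vsprintf: the size argument is the only bound on the destination buffer. */` above a bare `#undef NO_SNPRINTF` would record the intent. The same block is repeated in the alphaosf.h, cygwin32.h, hpux.h, linux.h, qnx.h, sco.h, sunos4.h and sunos5-5.h hunks. Whether each of these platforms ships a bounded `vsnprintf` is not visible here; where one does not, the build should fail rather than fall back, and the comment could say so.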
+Index: includes/cf/alphaosf.h
+--- includes/cf/alphaosf.h.orig 2004-07-08 13:09:10 +0200
++++ includes/cf/alphaosf.h 2004-07-08 13:12:33 +0200
+@@ -100,9 +100,9 @@
+ #define jdref(x) (x)
+ #define jrefproto jmp_buf
+
+-/* OSF/1 doesn't support limited sprintfs. */
+-#define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list)
+-#define NO_SNPRINTF
++#ifdef NO_SNPRINTF
++# undef NO_SNPRINTF
++#endif
+
+ #define NEED_OSF_PFILT_HACKS
+ #define BPF_FORMAT "/dev/pf/pfilt%d"
+Index: includes/cf/cygwin32.h
+--- includes/cf/cygwin32.h.orig 2004-07-08 13:09:10 +0200
++++ includes/cf/cygwin32.h 2004-07-08 13:13:30 +0200
+@@ -77,8 +77,10 @@
+ #define VA_DOTDOTDOT ...
+ #define va_dcl
+ #define VA_start(list, last) va_start (list, last)
+-#define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list)
+-#define NO_SNPRINTF
++
++#ifdef NO_SNPRINTF
++# undef NO_SNPRINTF
++#endif
+
+ #ifndef _PATH_DHCPD_PID
+ #define _PATH_DHCPD_PID "//e/etc/dhcpd.pid"
+Index: includes/cf/hpux.h
+--- includes/cf/hpux.h.orig 2004-07-08 13:09:10 +0200
++++ includes/cf/hpux.h 2004-07-08 13:13:48 +0200
+@@ -90,8 +90,9 @@
+ #define VA_start(list, last) va_start (list)
+ #endif
+
+-#define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list)
+-#define NO_SNPRINTF
++#ifdef NO_SNPRINTF
++# undef NO_SNPRINTF
++#endif
+
+ #define USE_SOCKETS 1
+ #define EOL '\n'
+Index: includes/cf/linux.h
+--- includes/cf/linux.h.orig 2004-07-08 13:09:10 +0200
++++ includes/cf/linux.h 2004-07-08 13:14:40 +0200
+@@ -105,8 +105,9 @@
+ #define VA_start(list, last) va_start (list, last)
+ #define va_dcl
+
+-#define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list)
+-#define NO_SNPRINTF
++#ifdef NO_SNPRINTF
++# undef NO_SNPRINTF
++#endif
+
+ #define VOIDPTR void *
+
+Index: includes/cf/qnx.h
+--- includes/cf/qnx.h.orig 2004-07-08 13:09:10 +0200
++++ includes/cf/qnx.h 2004-07-08 13:16:21 +0200
+@@ -115,9 +115,8 @@
+ #define USE_SOCKETS
+ #undef AF_LINK
+
+-#ifndef __QNXNTO__
+-# define NO_SNPRINTF
+-# define vsnprintf( buf, size, fmt, list ) vsprintf( buf, fbuf, list )
++#ifdef NO_SNPRINTF
++# undef NO_SNPRINTF
+ #endif
+
+ #ifdef __QNXNTO__
+Index: includes/cf/sco.h
+--- includes/cf/sco.h.orig 2004-07-08 13:09:10 +0200
++++ includes/cf/sco.h 2004-07-08 13:16:49 +0200
+@@ -113,9 +113,9 @@
+ #define VA_start(list, last) va_start (list, last)
+ #define va_dcl
+
+-/* SCO doesn't support limited sprintfs. */
+-#define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list)
+-#define NO_SNPRINTF
++#ifdef NO_SNPRINTF
++# undef NO_SNPRINTF
++#endif
+
+ /* By default, use BSD Socket API for receiving and sending packets.
+ This actually works pretty well on Solaris, which doesn't censor
+Index: includes/cf/sunos4.h
+--- includes/cf/sunos4.h.orig 2004-07-08 13:09:10 +0200
++++ includes/cf/sunos4.h 2004-07-08 13:17:04 +0200
+@@ -128,9 +128,9 @@
+ #define VA_start(list, last) va_start (list)
+ #endif /* !__GNUC__*/
+
+-/* SunOS doesn't support limited sprintfs. */
+-#define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list)
+-#define NO_SNPRINTF
++#ifdef NO_SNPRINTF
++# undef NO_SNPRINTF
++#endif
+
+ /* SunOS doesn't supply strerror... */
+ #define NO_STRERROR
+Index: includes/cf/sunos5-5.h
+--- includes/cf/sunos5-5.h.orig 2004-07-08 13:09:10 +0200
++++ includes/cf/sunos5-5.h 2004-07-08 13:17:16 +0200
+@@ -116,9 +116,9 @@
+ #define VA_start(list, last) va_start (list)
+ #endif /* !__GNUC__*/
+
+-/* Solaris doesn't support limited sprintfs. */
+-#define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list)
+-#define NO_SNPRINTF
++#ifdef NO_SNPRINTF
++# undef NO_SNPRINTF
++#endif
+
+ #define NEED_INET_ATON
+
+Index: server/bootp.c
+--- server/bootp.c.orig 2002-11-17 03:29:30 +0100
++++ server/bootp.c 2004-07-08 13:07:02 +0200
+@@ -77,7 +77,10 @@
+ if (packet -> raw -> op != BOOTREQUEST)
+ return;
+
+- sprintf (msgbuf, "BOOTREQUEST from %s via %s",
++ /* %Audit% This is log output. %2004.06.17,Safe%
++ * If we truncate we hope the user can get a hint from the log.
++ */
++ snprintf (msgbuf, sizeof msgbuf, "BOOTREQUEST from %s via %s",
+ print_hw_addr (packet -> raw -> htype,
+ packet -> raw -> hlen,
+ packet -> raw -> chaddr),
+Index: server/db.c
+--- server/db.c.orig 2002-11-03 01:28:44 +0100
++++ server/db.c 2004-07-08 13:07:02 +0200
+@@ -782,7 +782,17 @@
+
+ /* Make a temporary lease file... */
+ GET_TIME (&t);
+- sprintf (newfname, "%s.%d", path_dhcpd_db, (int)t);
++
++ /* %Audit% Truncated filename causes panic. %2004.06.17,Safe%
++ * This should never happen since the path is a configuration
++ * variable from build-time or command-line. But if it should,
++ * either by malice or ignorance, we panic, since the potential
++ * for havoc is high.
++ */
++ if (snprintf (newfname, sizeof newfname, "%s.%d",
++ path_dhcpd_db, (int)t) >= sizeof newfname)
++ log_fatal("new_lease_file: lease file path too long");
++
+ db_fd = open (newfname, O_WRONLY | O_TRUNC | O_CREAT, 0664);
+ if (db_fd < 0) {
+ log_error ("Can't create new lease file: %m");
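Review bot: The truncation test `snprintf (...) >= sizeof newfname` compares an `int` result with a `size_t`, so a negative return is caught only through the implicit conversion to unsigned, and the check assumes the C99 return value (the length that would have been written). Storing the result and testing `if (n < 0 || (size_t)n >= sizeof newfname)` makes both cases explicit and avoids the signed/unsigned comparison. Since this same patch forces the libc `snprintf` on older platforms, it is worth confirming that none of them returns the truncated length instead, because then the `log_fatal` would never fire. The same pattern is used for `backfname` in the next hunk and in the server/failover.c hunks; the enclosing function starts and ends outside this hunk.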
+@@ -832,8 +842,17 @@
+ #if defined (TRACING)
+ if (!trace_playback ()) {
+ #endif
++ /* %Audit% Truncated filename causes panic. %2004.06.17,Safe%
++ * This should never happen since the path is a configuration
++ * variable from build-time or command-line. But if it should,
++ * either by malice or ignorance, we panic, since the potential
++ * for havoc is too high.
++ */
++ if (snprintf (backfname, sizeof backfname, "%s~", path_dhcpd_db)
++ >= sizeof backfname)
++ log_fatal("new_lease_file: backup lease file path too long");
++
+ /* Get the old database out of the way... */
+- sprintf (backfname, "%s~", path_dhcpd_db);
+ if (unlink (backfname) < 0 && errno != ENOENT) {
+ log_error ("Can't remove old lease database backup %s: %m",
+ backfname);
+Index: server/ddns.c
+--- server/ddns.c.orig 2002-11-17 03:29:30 +0100
++++ server/ddns.c 2004-07-08 13:07:02 +0200
+@@ -345,6 +345,12 @@
+ &lease -> scope, oc, MDL);
+
+ if (s1 && s2) {
++ if (ddns_hostname.len + ddns_domainname.len > 253) {
++ log_error ("ddns_update: host.domain name too long");
++
++ goto out;
++ }
++
+ buffer_allocate (&ddns_fwd_name.buffer,
+ ddns_hostname.len + ddns_domainname.len + 2,
+ MDL);
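Review bot: The three length limits added in this file (`> 253` here, `> 255` on `ddns_fwd_name.len` in the next hunk, `> 238` on `d1.len` in the third) are bare constants with no comment, and the first two bound the same forward name differently. A short comment at each would help, for example `/* 253: longest host + domain accepted; the joining dot and the NUL are added below */` here. The value 238 looks like 255 minus the 16-byte `XXX.XXX.XXX.XXX.` prefix and the NUL described in that hunk's context comment, which should be confirmed and written down. The `goto out` path relies on cleanup at a label outside the hunk, so it is not visible whether `ddns_hostname` and `ddns_domainname` are released there.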
+@@ -449,6 +455,11 @@
+ if (!ddns_fwd_name.len)
+ goto out;
+
++ if (ddns_fwd_name.len > 255) {
++ log_error ("client provided fqdn: too long");
++ goto out;
++ }
++
+ /*
+ * Compute the RR TTL.
+ */
+@@ -480,6 +491,12 @@
+ state -> options,
+ &lease -> scope, oc, MDL);
+
++ if (d1.len > 238) {
++ log_error ("ddns_update: Calculated rev domain name too long.");
++ s1 = 0;
++ data_string_forget (&d1, MDL);
++ }
++
+ if (oc && s1) {
+ /* Buffer length:
+ XXX.XXX.XXX.XXX.<ddns-rev-domain-name>\0 */
+Index: server/dhcp.c
+--- server/dhcp.c.orig 2004-01-09 01:41:00 +0100
++++ server/dhcp.c 2004-07-08 13:07:02 +0200
+@@ -268,14 +268,19 @@
+ find_lease (&lease, packet, packet -> shared_network,
+ 0, &allocatedp, (struct lease *)0, MDL);
+
+- if (lease && lease -> client_hostname &&
++ if (lease && lease -> client_hostname) {
++ if ((strlen (lease -> client_hostname) <= 64) &&
+ db_printable (lease -> client_hostname))
+ s = lease -> client_hostname;
+ else
++ s = "Hostname Unsuitable for Printing";
++ } else
+ s = (char *)0;
+
+- /* Say what we're doing... */
+- sprintf (msgbuf, "DHCPDISCOVER from %s %s%s%svia %s",
++ /* %Audit% This is log output. %2004.06.17,Safe%
++ * If we truncate we hope the user can get a hint from the log.
++ */
++ snprintf (msgbuf, sizeof msgbuf, "DHCPDISCOVER from %s %s%s%svia %s",
+ (packet -> raw -> htype
+ ? print_hw_addr (packet -> raw -> htype,
+ packet -> raw -> hlen,
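Review bot: The hostname check added here (`strlen (...) <= 64` plus `db_printable`, with the fallback literal) is pasted unchanged into four more hunks of this file (at new lines 451, 756, 853 and 2781), so the limit 64 and the fallback string now live in five places. A small static helper with a named constant would keep them in step. The last copy omits the `lease` null test, and the helper's extra test is harmless there. `s` is declared outside the hunk, so the helper's return type has to match that declaration.

```c
/* Longest client hostname copied into a log line. */
#define LOG_HOSTNAME_MAX 64

/* Return the lease's client hostname if it is short and printable,
 * a fixed marker if it is not, or a null pointer if there is none.
 */
static const char *loggable_hostname (struct lease *lease)
{
	if (!lease || !lease -> client_hostname)
		return (const char *)0;
	if (strlen (lease -> client_hostname) <= LOG_HOSTNAME_MAX &&
	    db_printable (lease -> client_hostname))
		return lease -> client_hostname;
	return "Hostname Unsuitable for Printing";
}

	/* ... unchanged: find_lease call ... */
	s = loggable_hostname (lease);
	/* ... unchanged: snprintf of the DHCPDISCOVER message ... */
```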
+@@ -446,10 +451,13 @@
+ /* XXX consider using allocatedp arg to find_lease to see
+ XXX that this isn't a compliant DHCPREQUEST. */
+
+- if (lease && lease -> client_hostname &&
++ if (lease && lease -> client_hostname) {
++ if ((strlen (lease -> client_hostname) <= 64) &&
+ db_printable (lease -> client_hostname))
+ s = lease -> client_hostname;
+ else
++ s = "Hostname Unsuitable for Printing";
++ } else
+ s = (char *)0;
+
+ oc = lookup_option (&dhcp_universe, packet -> options,
+@@ -463,13 +471,19 @@
+ sip.len = 4;
+ memcpy (sip.iabuf, data.data, 4);
+ data_string_forget (&data, MDL);
++ /* piaddr() should not return more than a 15 byte string.
++ * safe.
++ */
+ sprintf (smbuf, " (%s)", piaddr (sip));
+ have_server_identifier = 1;
+ } else
+ smbuf [0] = 0;
+
+- /* Say what we're doing... */
+- sprintf (msgbuf, "DHCPREQUEST for %s%s from %s %s%s%svia %s",
++ /* %Audit% This is log output. %2004.06.17,Safe%
++ * If we truncate we hope the user can get a hint from the log.
++ */
++ snprintf (msgbuf, sizeof msgbuf,
++ "DHCPREQUEST for %s%s from %s %s%s%svia %s",
+ piaddr (cip), smbuf,
+ (packet -> raw -> htype
+ ? print_hw_addr (packet -> raw -> htype,
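Review bot: The `sprintf (smbuf, " (%s)", piaddr (sip));` call is left unbounded and justified only by the new comment, while the other formatted writes in this file are converted. Its safety depends on the size of `smbuf` and on what `piaddr` returns, both defined outside the hunk. `snprintf (smbuf, sizeof smbuf, " (%s)", piaddr (sip));` would make the bound local and match the rest of the change, assuming `smbuf` is an array and not a pointer.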
+@@ -742,17 +756,26 @@
+ packet -> raw -> chaddr, packet -> raw -> hlen)))
+ lease_dereference (&lease, MDL);
+
+- if (lease && lease -> client_hostname &&
++ if (lease && lease -> client_hostname) {
++ if ((strlen (lease -> client_hostname) <= 64) &&
+ db_printable (lease -> client_hostname))
+ s = lease -> client_hostname;
+ else
++ s = "Hostname Unsuitable for Printing";
++ } else
+ s = (char *)0;
+
++ /* %Audit% Cannot exceed 16 bytes. %2004.06.17,Safe%
++ * We copy this out to stack because we actually want to log two
++ * inet_ntoa()'s in this message.
++ */
+ strncpy(cstr, inet_ntoa (packet -> raw -> ciaddr), 15);
+ cstr[15] = '\0';
+
+- /* Say what we're doing... */
+- sprintf (msgbuf,
++ /* %Audit% This is log output. %2004.06.17,Safe%
++ * If we truncate we hope the user can get a hint from the log.
++ */
++ snprintf (msgbuf, sizeof msgbuf,
+ "DHCPRELEASE of %s from %s %s%s%svia %s (%sfound)",
+ cstr,
+ (packet -> raw -> htype
+@@ -830,13 +853,20 @@
+ data_string_forget (&data, MDL);
+ find_lease_by_ip_addr (&lease, cip, MDL);
+
+- if (lease && lease -> client_hostname &&
++ if (lease && lease -> client_hostname) {
++ if ((strlen (lease -> client_hostname) <= 64) &&
+ db_printable (lease -> client_hostname))
+ s = lease -> client_hostname;
+ else
++ s = "Hostname Unsuitable for Printing";
++ } else
+ s = (char *)0;
+
+- sprintf (msgbuf, "DHCPDECLINE of %s from %s %s%s%svia %s",
++ /* %Audit% This is log output. %2004.06.17,Safe%
++ * If we truncate we hope the user can get a hint from the log.
++ */
++ snprintf (msgbuf, sizeof msgbuf,
++ "DHCPDECLINE of %s from %s %s%s%svia %s",
+ piaddr (cip),
+ (packet -> raw -> htype
+ ? print_hw_addr (packet -> raw -> htype,
+@@ -947,7 +977,10 @@
+ memcpy (cip.iabuf, &packet -> raw -> ciaddr, 4);
+ }
+
+- sprintf (msgbuf, "DHCPINFORM from %s via %s",
++ /* %Audit% This is log output. %2004.06.17,Safe%
++ * If we truncate we hope the user can get a hint from the log.
++ */
++ snprintf (msgbuf, sizeof msgbuf, "DHCPINFORM from %s via %s",
+ piaddr (cip), packet -> interface -> name);
+
+ /* If the IP source address is zero, don't respond. */
+@@ -2748,10 +2781,13 @@
+ raw.hops = state -> hops;
+ raw.op = BOOTREPLY;
+
+- if (lease -> client_hostname &&
++ if (lease -> client_hostname) {
++ if ((strlen (lease -> client_hostname) <= 64) &&
+ db_printable (lease -> client_hostname))
+ s = lease -> client_hostname;
+ else
++ s = "Hostname Unsuitable for Printing";
++ } else
+ s = (char *)0;
+
+ /* Say what we're doing... */
+Index: server/failover.c
+--- server/failover.c.orig 2003-04-18 21:55:49 +0200
++++ server/failover.c 2004-07-08 13:07:02 +0200
+@@ -3407,14 +3407,17 @@
+ va_list va;
+ char tbuf [256];
+
++ /* %Audit% Truncation causes panic. %2004.06.17,Revisit%
++ * It is unclear what the effects of truncation here are, or
++ * how that condition should be handled. It seems that this
++ * function is used for formatting messages in the failover
++ * command channel. For now the safest thing is for
++ * overflow-truncation to cause a fatal log.
++ */
+ va_start (va, fmt);
+-#if defined (HAVE_SNPRINTF)
+- /* Presumably if we have snprintf, we also have
+- vsnprintf. */
+- vsnprintf (tbuf, sizeof tbuf, fmt, va);
+-#else
+- vsprintf (tbuf, fmt, va);
+-#endif
++ if (vsnprintf (tbuf, sizeof tbuf, fmt, va) >= sizeof tbuf)
++ log_fatal ("%s: vsnprintf would truncate",
++ "dhcp_failover_make_option");
+ va_end (va);
+
+ return dhcp_failover_make_option (code, obuf, obufix, obufmax,
+@@ -3515,7 +3518,16 @@
+ putUShort (&option.data [2], size - 4);
+
+ #if defined (DEBUG_FAILOVER_MESSAGES)
+- sprintf (tbuf, " (%s<%d>", info -> name, option.count);
++ /* %Audit% Truncation causes panic. %2004.06.17,Revisit%
++ * It is unclear what the effects of truncation here are, or
++ * how that condition should be handled. It seems that this
++ * message may be sent over the failover command channel.
++ * For now the safest thing is for overflow-truncation to cause
++ * a fatal log.
++ */
++ if (snprintf (tbuf, sizeof tbuf, " (%s<%d>", info -> name,
++ option.count) >= sizeof tbuf)
++ log_fatal ("dhcp_failover_make_option: tbuf overflow");
+ failover_print (obuf, obufix, obufmax, tbuf);
+ #endif
+
+@@ -3576,17 +3588,21 @@
+ break;
+
+ /* On output, TEXT_OR_BYTES is _always_ text, and always NUL
+- terminated. Note that the caller should be careful not to
+- provide a format and data that amount to more than 256 bytes
+- of data, since it will be truncated on platforms that
+- support snprintf, and will mung the stack on those platforms
+- that do not support snprintf. Also, callers should not pass
+- data acquired from the network without specifically checking
+- it to make sure it won't bash the stack. */
++ terminated. Note that the caller should be careful not
++ to provide a format and data that amount to more than 256
++ bytes of data, since it will cause a fatal error. */
+ case FT_TEXT_OR_BYTES:
+ case FT_TEXT:
+ #if defined (DEBUG_FAILOVER_MESSAGES)
+- sprintf (tbuf, "\"%s\"", txt);
++ /* %Audit% Truncation causes panic. %2004.06.17,Revisit%
++ * It is unclear what the effects of truncation here are, or
++ * how that condition should be handled. It seems that this
++ * function is used for formatting messages in the failover
++ * command channel. For now the safest thing is for
++ * overflow-truncation to cause a fatal log.
++ */
++ if (snprintf (tbuf, sizeof tbuf, "\"%s\"", txt) >= sizeof tbuf)
++ log_fatal ("dhcp_failover_make_option: tbuf overflow");
+ failover_print (obuf, obufix, obufmax, tbuf);
+ #endif
+ memcpy (&option.data [4], txt, count);
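Review bot: The rewritten comment above `case FT_TEXT_OR_BYTES:` drops the old warning that callers must not pass data acquired from the network without checking it, yet that warning still matters now that an over-long string ends in `log_fatal`. If `txt` can carry peer-supplied text, exceeding the buffer presumably stops the server instead of corrupting the stack, which is safer but still an availability problem; the `%Audit%` note itself marks this as `Revisit`. I would keep a sentence such as `Callers must length-check any data that came from the network before passing it here, since an over-long value is fatal.` The `snprintf` check sits under `DEBUG_FAILOVER_MESSAGES` while the `memcpy` of `count` bytes after it does not, so the bound on `count` has to come from code outside this hunk.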
+@@ -4494,19 +4510,15 @@
+ }
+ if (new_binding_state != msg -> binding_status) {
+ char outbuf [100];
+-#if !defined (NO_SNPRINTF)
+- snprintf (outbuf, sizeof outbuf,
+- "%s: invalid state transition: %s to %s",
+- piaddr (lease -> ip_addr),
+- binding_state_print (lease -> binding_state),
+- binding_state_print (msg -> binding_status));
+-#else
+- sprintf (outbuf,
++
++ if (snprintf (outbuf, sizeof outbuf,
+ "%s: invalid state transition: %s to %s",
+ piaddr (lease -> ip_addr),
+ binding_state_print (lease -> binding_state),
+- binding_state_print (msg -> binding_status));
+-#endif
++ binding_state_print (msg -> binding_status))
++ >= sizeof outbuf)
++ log_fatal ("%s: impossible outbuf overflow");
++
+ dhcp_failover_send_bind_ack (state, msg,
+ FTR_FATAL_CONFLICT,
+ outbuf);
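Review bot: `log_fatal ("%s: impossible outbuf overflow");` has a `%s` conversion and no argument, so if the branch is ever taken the formatter reads a missing vararg. Either pass the enclosing function's name (it is outside this hunk) as the argument, the way the earlier hunk does with `"dhcp_failover_make_option"`, or drop the conversion: `log_fatal ("impossible outbuf overflow");`. Separately, aborting on truncation of what appears to be only a diagnostic string passed to `dhcp_failover_send_bind_ack` seems harsher than needed; letting `snprintf` truncate `outbuf` would be enough here.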
@@ .
patch -p0 <<'@@ .'
Index: openpkg-src/dhcpd/dhcpd.spec
============================================================================
$ cvs diff -u -r1.56.2.1 -r1.56.2.2 dhcpd.spec
--- openpkg-src/dhcpd/dhcpd.spec 18 Feb 2004 14:48:47 -0000 1.56.2.1
+++ openpkg-src/dhcpd/dhcpd.spec 8 Jul 2004 12:34:50 -0000 1.56.2.2
@@ -34,7 +34,7 @@
Group: DNS
License: ISC/BSD
Version: 3.0.1rc13
-Release: 2.0.0
+Release: 2.0.1
# package options
%option with_fsl yes
@@ -44,6 +44,7 @@
Source1: dhcpd.conf
Source2: rc.dhcpd
Source3: fsl.dhcpd
+Patch0: dhcpd.patch
# build information
Prefix: %{l_prefix}
@@ -69,6 +70,7 @@
%prep
%setup -q -n dhcp-%{version}
+ %patch -p0
%build
# configure program
@@ .