From a32f996b6041ed60aec7ecd23cb750e98ba56e4f Mon Sep 17 00:00:00 2001 From: Nick Withers Date: Mon, 20 Jan 2014 13:00:35 +1100 Subject: Don't use unsafe buffer operations Don't use unsafe buffer operations, averting (stack) buffer overflow when the syslog message length (including Facility and Level encoding) would exceed 199 characters --- cpukit/libnetworking/lib/syslog.c | 30 ++++++++++++------------------ 1 file changed, 12 insertions(+), 18 deletions(-) diff --git a/cpukit/libnetworking/lib/syslog.c b/cpukit/libnetworking/lib/syslog.c index c0e7270b77..066d7ab0e4 100644 --- a/cpukit/libnetworking/lib/syslog.c +++ b/cpukit/libnetworking/lib/syslog.c @@ -49,7 +49,6 @@ void vsyslog (int pri, const char *fmt, va_list ap) { int cnt; - char *cp; char *msgp, cbuf[200]; int sent; @@ -65,26 +64,21 @@ vsyslog (int pri, const char *fmt, va_list ap) if ((pri & LOG_FACMASK) == 0) pri |= LogFacility; - cnt = sprintf (cbuf, "<%d>", pri); - cp = msgp = cbuf + cnt; - if (LogTag) { - const char *lp = LogTag; - while ((*cp = *lp++) != '\0') - cp++; - } - if (LogStatus & LOG_PID) { + cnt = snprintf (cbuf, sizeof (cbuf), "<%d>", pri); + msgp = cbuf + (cnt < sizeof (cbuf) ? cnt : sizeof (cbuf) - 1); + if (LogTag && cnt < sizeof (cbuf) - 1) + cnt += snprintf (cbuf + cnt, sizeof (cbuf) - cnt, "%s", LogTag); + if (LogStatus & LOG_PID && cnt < sizeof (cbuf) - 1) { rtems_id tid; rtems_task_ident (RTEMS_SELF, 0, &tid); - cnt = sprintf (cp, "[%#lx]", (unsigned long)tid); - cp += cnt; - } - if (LogTag) { - *cp++ = ':'; - *cp++ = ' '; + cnt += snprintf (cbuf + cnt, sizeof (cbuf) - cnt, "[%#lx]", (unsigned long)tid); } - cnt = vsprintf (cp, fmt, ap); - cnt += cp - cbuf; - if (cbuf[cnt-1] == '\n') + if (LogTag && cnt < sizeof (cbuf) - 1) + cnt += snprintf (cbuf + cnt, sizeof (cbuf) - cnt, ": "); + cnt += vsnprintf (cbuf + cnt, sizeof (cbuf) - cnt, fmt, ap); + if (cnt > sizeof (cbuf) - 1) + cnt = sizeof (cbuf) - 1; + while (cnt > 0 && cbuf[cnt-1] == '\n') cbuf[--cnt] = '\0'; if (LogStatus & LOG_PERROR) -- cgit v1.2.3