head 1.8; access; symbols OPENPKG_E1_MP_HEAD:1.7 OPENPKG_E1_MP:1.7 OPENPKG_E1_MP_2_STABLE:1.7 OPENPKG_E1_FP:1.7 OPENPKG_2_STABLE_MP:1.7 OPENPKG_2_STABLE_20061018:1.7 OPENPKG_2_STABLE_20060622:1.7 OPENPKG_2_STABLE:1.7.0.2 OPENPKG_2_STABLE_BP:1.7 OPENPKG_2_5_SOLID:1.6.0.4 OPENPKG_2_5_SOLID_BP:1.6 OPENPKG_2_4_RELEASE:1.6 OPENPKG_2_4_SOLID:1.6.0.2 OPENPKG_2_4_SOLID_BP:1.6 OPENPKG_2_3_RELEASE:1.5 OPENPKG_2_3_SOLID:1.5.0.2 OPENPKG_2_3_SOLID_BP:1.5 OPENPKG_2_2_RELEASE:1.4 OPENPKG_2_2_SOLID:1.4.0.6 OPENPKG_2_2_SOLID_BP:1.4 OPENPKG_2_1_RELEASE:1.4 OPENPKG_2_1_SOLID:1.4.0.4 OPENPKG_2_1_SOLID_BP:1.4 OPENPKG_2_0_RELEASE:1.4 OPENPKG_2_0_SOLID:1.4.0.2 OPENPKG_2_0_SOLID_BP:1.4 OPENPKG_1_3_RELEASE:1.2.4.1 OPENPKG_1_3_SOLID:1.2.4.1.0.2 OPENPKG_1_3_SOLID_BP:1.2.4.1 OPENPKG_1_STABLE_MP:1.3 OPENPKG_1_2_SOLID:1.2.0.6 OPENPKG_1_2_SOLID_BP:1.2 OPENPKG_1_STABLE:1.2.0.4 OPENPKG_1_STABLE_BP:1.2 OPENPKG_1_0_SOLID:1.2.0.2 OPENPKG_1_1_RELEASE:1.1 OPENPKG_1_1_SOLID:1.1.0.2 OPENPKG_1_1_SOLID_BP:1.1; locks; strict; comment @# @; 1.8 date 2007.12.20.12.27.50; author rse; state dead; branches; next 1.7; commitid oE5sRteI3Eq0paKs; 1.7 date 2006.05.16.06.40.47; author rse; state Exp; branches; next 1.6; commitid p1vH6LqDJneOddxr; 1.6 date 2005.03.22.19.26.54; author rse; state dead; branches; next 1.5; 1.5 date 2004.11.13.17.32.05; author rse; state Exp; branches; next 1.4; 1.4 date 2003.08.30.07.54.00; author rse; state dead; branches 1.4.2.1; next 1.3; 1.3 date 2003.02.19.12.57.05; author thl; state Exp; branches; next 1.2; 1.2 date 2002.11.08.09.36.30; author rse; state dead; branches 1.2.2.1 1.2.4.1 1.2.6.1; next 1.1; 1.1 date 2002.06.04.10.18.07; author rse; state Exp; branches 1.1.2.1; next ; 1.4.2.1 date 2004.07.08.12.34.50; author tho; state Exp; branches; next ; 1.2.2.1 date 2003.01.16.13.16.41; author rse; state Exp; branches; next ; 1.2.4.1 date 2003.02.19.13.00.16; author thl; state Exp; branches 1.2.4.1.2.1; next ; 1.2.4.1.2.1 date 2004.07.08.12.36.25; author tho; state Exp; branches; 
next ; 1.2.6.1 date 2003.02.19.13.37.45; author thl; state Exp; branches; next ; 1.1.2.1 date 2003.01.16.13.17.21; author rse; state Exp; branches; next 1.1.2.2; 1.1.2.2 date 2003.02.19.13.47.15; author thl; state Exp; branches; next ; desc @@ 1.8 log @upgrade to ISC DHCPd 4.0 @ text @Index: includes/cf/freebsd.h --- includes/cf/freebsd.h.orig 2004-09-01 19:06:36 +0200 +++ includes/cf/freebsd.h 2006-05-16 08:37:08 +0200 @@@@ -82,7 +82,7 @@@@ /* Time stuff... */ #include -#define TIME time_t +#define TIME u_int32_t #define GET_TIME(x) time ((x)) #define HAVE_SA_LEN @ 1.7 log @remove obsolete substitution; add a patch from the FreeBSD ports which fixes time handling under 64-bit platforms @ text @@ 1.6 log @upgrading package: dhcpd 3.0.2 -> 3.0.3b1 @ text @d1 4 a4 6 Index: includes/dhcpd.h --- includes/dhcpd.h.orig 2004-10-01 20:43:21 +0200 +++ includes/dhcpd.h 2004-11-13 18:15:48 +0100 @@@@ -306,9 +306,9 @@@@ # define EPHEMERAL_FLAGS (MS_NULL_TERMINATION | \ UNICAST_BROADCAST_HACK) d6 5 a10 8 - binding_state_t __attribute__ ((mode (__byte__))) binding_state; - binding_state_t __attribute__ ((mode (__byte__))) next_binding_state; - binding_state_t __attribute__ ((mode (__byte__))) desired_binding_state; + binding_state_t binding_state; + binding_state_t next_binding_state; + binding_state_t desired_binding_state; struct lease_state *state; d12 1 @ 1.5 log @fix building under gcc 3.4.3 @ text @@ 1.4 log @upgrading package: dhcpd 3.0.1rc11 -> 3.0.1rc12 @ text @d1 6 a6 7 --- relay/dhcrelay.c-orig Sat Apr 27 05:34:20 2002 +++ relay/dhcrelay.c Wed Feb 19 12:44:19 2003 @@@@ -88,6 +88,7 @@@@ did not match any known circuit ID. */ int missing_circuit_id = 0; /* Circuit ID option in matching RAI option was missing. */ +int max_hop_count = 4; /* Maximum hop count */ d8 8 a15 33 /* Maximum size of a packet with agent options added. 
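Review bot: `TIME` is narrowed to `u_int32_t` on the new side while the neighbouring `GET_TIME(x)` is left as `time ((x))`, so a caller that does `TIME t; GET_TIME (&t);` (db.c further down in this archive uses `GET_TIME (&t)`) hands `time()` a pointer to a 4-byte object into which `time()` stores a whole `time_t` — on the 64-bit platforms this patch targets that is an 8-byte write past a 4-byte variable. If the callers do declare those variables as `TIME` (their declarations are not visible here), the narrowing should happen inside the macro instead, `#define GET_TIME(x) do { time_t _gt = time (NULL); *(x) = (u_int32_t)_gt; } while (0)`, assuming no caller uses the macro's value. The 1.7 log says the hunk was taken from the FreeBSD ports; it is worth confirming whether that port changed `GET_TIME` as well.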
*/ int dhcp_max_agent_option_packet_length = 576; @@@@ -182,6 +183,15 @@@@ quiet_interface_discovery = 1; } else if (!strcmp (argv [i], "-a")) { add_agent_options = 1; + } else if (!strcmp (argv [i], "-c")) { + int hcount; + if (++i == argc) + usage (); + hcount = atoi(argv[i]); + if (hcount <= 16) + max_hop_count = hcount; + else + usage (); } else if (!strcmp (argv [i], "-A")) { if (++i == argc) usage (); @@@@ -425,6 +435,17 @@@@ packet -> giaddr = ip -> primary_address; if (packet -> hops != 255) packet -> hops = packet -> hops + 1; + + /* ftp://ftp.rfc-editor.org/in-notes/rfc1542.txt + * 4.1.1 BOOTREQUEST Messages + * The relay agent MUST silently discard BOOTREQUEST messages whose + * 'hops' field exceeds the value 16. A configuration option SHOULD be + * provided to set this threshold to a smaller value if desired by the + * network manager. The default setting for a configurable threshold + * SHOULD be 4. + */ + if (packet -> hops >= max_hop_count) + return; a16 11 /* Otherwise, it's a BOOTREQUEST, so forward it to all the servers. */ @@@@ -470,7 +470,7 @@@@ static void usage () { log_fatal ("Usage: dhcrelay [-p ] [-d] [-D] [-i %s%s%s", - "interface]\n ", + "interface] [-c max_hop_count]\n ", "[-q] [-a] [-A length] [-m append|replace|forward|discard]\n", " [server1 [... 
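Review bot: The added `-c` branch accepts whatever `atoi` returns as long as it is at most 16, so a non-numeric argument (`atoi` gives 0) or a negative number sets `max_hop_count` to 0 or below, and the `if (packet -> hops >= max_hop_count) return;` added in the next hunk then discards every BOOTREQUEST the relay receives. Check both bounds, `if (hcount < 1 || hcount > 16) usage ();` followed by `max_hop_count = hcount;`, or parse with `strtol` and reject trailing garbage via `endptr` so a typo is not silently read as 0. The same hunk recurs in the 1.2.6.1 and 1.2.4.1 deltas later in this archive. The enclosing option-parsing loop begins and ends outside the hunk.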
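Review bot: The new hop-limit check runs after `packet -> hops` has already been incremented and uses `>=`, so with the default of 4 a request that arrived with `hops == 3` is dropped, whereas the RFC 1542 text quoted in the comment speaks of discarding requests whose received `hops` field exceeds the threshold. If that reading is intended, test the received value before the increment with `>`, e.g. `if (packet -> hops > max_hop_count) return;` placed ahead of the `packet -> hops + 1` line; otherwise the comment should say that the limit applies to the outgoing count. The enclosing function starts and ends outside the hunk, and the same hunk recurs in the 1.2.6.1 and 1.2.4.1 deltas.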
serverN]]"); } @ 1.4.2.1 log @SA-2004.031; CAN-2004-0460, CAN-2004-0461 @ text @d1 53 a53 482 Index: includes/cf/aix.h --- includes/cf/aix.h.orig 2004-07-08 13:09:10 +0200 +++ includes/cf/aix.h 2004-07-08 13:10:32 +0200 @@@@ -85,8 +85,9 @@@@ #define VA_start(list, last) va_start (list) #define va_dcl -#define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list) -#define NO_SNPRINTF +#ifdef NO_SNPRINTF +# undef NO_SNPRINTF +#endif #define EOL '\n' #define VOIDPTR void * Index: includes/cf/alphaosf.h --- includes/cf/alphaosf.h.orig 2004-07-08 13:09:10 +0200 +++ includes/cf/alphaosf.h 2004-07-08 13:12:33 +0200 @@@@ -100,9 +100,9 @@@@ #define jdref(x) (x) #define jrefproto jmp_buf -/* OSF/1 doesn't support limited sprintfs. */ -#define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list) -#define NO_SNPRINTF +#ifdef NO_SNPRINTF +# undef NO_SNPRINTF +#endif #define NEED_OSF_PFILT_HACKS #define BPF_FORMAT "/dev/pf/pfilt%d" Index: includes/cf/cygwin32.h --- includes/cf/cygwin32.h.orig 2004-07-08 13:09:10 +0200 +++ includes/cf/cygwin32.h 2004-07-08 13:13:30 +0200 @@@@ -77,8 +77,10 @@@@ #define VA_DOTDOTDOT ... 
#define va_dcl #define VA_start(list, last) va_start (list, last) -#define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list) -#define NO_SNPRINTF + +#ifdef NO_SNPRINTF +# undef NO_SNPRINTF +#endif #ifndef _PATH_DHCPD_PID #define _PATH_DHCPD_PID "//e/etc/dhcpd.pid" Index: includes/cf/hpux.h --- includes/cf/hpux.h.orig 2004-07-08 13:09:10 +0200 +++ includes/cf/hpux.h 2004-07-08 13:13:48 +0200 @@@@ -90,8 +90,9 @@@@ #define VA_start(list, last) va_start (list) #endif -#define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list) -#define NO_SNPRINTF +#ifdef NO_SNPRINTF +# undef NO_SNPRINTF +#endif #define USE_SOCKETS 1 #define EOL '\n' Index: includes/cf/linux.h --- includes/cf/linux.h.orig 2004-07-08 13:09:10 +0200 +++ includes/cf/linux.h 2004-07-08 13:14:40 +0200 @@@@ -105,8 +105,9 @@@@ #define VA_start(list, last) va_start (list, last) #define va_dcl -#define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list) -#define NO_SNPRINTF +#ifdef NO_SNPRINTF +# undef NO_SNPRINTF +#endif #define VOIDPTR void * Index: includes/cf/qnx.h --- includes/cf/qnx.h.orig 2004-07-08 13:09:10 +0200 +++ includes/cf/qnx.h 2004-07-08 13:16:21 +0200 @@@@ -115,9 +115,8 @@@@ #define USE_SOCKETS #undef AF_LINK -#ifndef __QNXNTO__ -# define NO_SNPRINTF -# define vsnprintf( buf, size, fmt, list ) vsprintf( buf, fbuf, list ) +#ifdef NO_SNPRINTF +# undef NO_SNPRINTF #endif #ifdef __QNXNTO__ Index: includes/cf/sco.h --- includes/cf/sco.h.orig 2004-07-08 13:09:10 +0200 +++ includes/cf/sco.h 2004-07-08 13:16:49 +0200 @@@@ -113,9 +113,9 @@@@ #define VA_start(list, last) va_start (list, last) #define va_dcl -/* SCO doesn't support limited sprintfs. */ -#define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list) -#define NO_SNPRINTF +#ifdef NO_SNPRINTF +# undef NO_SNPRINTF +#endif /* By default, use BSD Socket API for receiving and sending packets. 
This actually works pretty well on Solaris, which doesn't censor Index: includes/cf/sunos4.h --- includes/cf/sunos4.h.orig 2004-07-08 13:09:10 +0200 +++ includes/cf/sunos4.h 2004-07-08 13:17:04 +0200 @@@@ -128,9 +128,9 @@@@ #define VA_start(list, last) va_start (list) #endif /* !__GNUC__*/ -/* SunOS doesn't support limited sprintfs. */ -#define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list) -#define NO_SNPRINTF +#ifdef NO_SNPRINTF +# undef NO_SNPRINTF +#endif /* SunOS doesn't supply strerror... */ #define NO_STRERROR Index: includes/cf/sunos5-5.h --- includes/cf/sunos5-5.h.orig 2004-07-08 13:09:10 +0200 +++ includes/cf/sunos5-5.h 2004-07-08 13:17:16 +0200 @@@@ -116,9 +116,9 @@@@ #define VA_start(list, last) va_start (list) #endif /* !__GNUC__*/ -/* Solaris doesn't support limited sprintfs. */ -#define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list) -#define NO_SNPRINTF +#ifdef NO_SNPRINTF +# undef NO_SNPRINTF +#endif #define NEED_INET_ATON Index: server/bootp.c --- server/bootp.c.orig 2002-11-17 03:29:30 +0100 +++ server/bootp.c 2004-07-08 13:07:02 +0200 @@@@ -77,7 +77,10 @@@@ if (packet -> raw -> op != BOOTREQUEST) return; - sprintf (msgbuf, "BOOTREQUEST from %s via %s", + /* %Audit% This is log output. %2004.06.17,Safe% + * If we truncate we hope the user can get a hint from the log. + */ + snprintf (msgbuf, sizeof msgbuf, "BOOTREQUEST from %s via %s", print_hw_addr (packet -> raw -> htype, packet -> raw -> hlen, packet -> raw -> chaddr), Index: server/db.c --- server/db.c.orig 2002-11-03 01:28:44 +0100 +++ server/db.c 2004-07-08 13:07:02 +0200 @@@@ -782,7 +782,17 @@@@ /* Make a temporary lease file... */ GET_TIME (&t); - sprintf (newfname, "%s.%d", path_dhcpd_db, (int)t); + + /* %Audit% Truncated filename causes panic. %2004.06.17,Safe% + * This should never happen since the path is a configuration + * variable from build-time or command-line. 
But if it should, + * either by malice or ignorance, we panic, since the potential + * for havoc is high. + */ + if (snprintf (newfname, sizeof newfname, "%s.%d", + path_dhcpd_db, (int)t) >= sizeof newfname) + log_fatal("new_lease_file: lease file path too long"); + db_fd = open (newfname, O_WRONLY | O_TRUNC | O_CREAT, 0664); if (db_fd < 0) { log_error ("Can't create new lease file: %m"); @@@@ -832,8 +842,17 @@@@ #if defined (TRACING) if (!trace_playback ()) { #endif + /* %Audit% Truncated filename causes panic. %2004.06.17,Safe% + * This should never happen since the path is a configuration + * variable from build-time or command-line. But if it should, + * either by malice or ignorance, we panic, since the potential + * for havoc is too high. + */ + if (snprintf (backfname, sizeof backfname, "%s~", path_dhcpd_db) + >= sizeof backfname) + log_fatal("new_lease_file: backup lease file path too long"); + /* Get the old database out of the way... */ - sprintf (backfname, "%s~", path_dhcpd_db); if (unlink (backfname) < 0 && errno != ENOENT) { log_error ("Can't remove old lease database backup %s: %m", backfname); Index: server/ddns.c --- server/ddns.c.orig 2002-11-17 03:29:30 +0100 +++ server/ddns.c 2004-07-08 13:07:02 +0200 @@@@ -345,6 +345,12 @@@@ &lease -> scope, oc, MDL); if (s1 && s2) { + if (ddns_hostname.len + ddns_domainname.len > 253) { + log_error ("ddns_update: host.domain name too long"); + + goto out; + } + buffer_allocate (&ddns_fwd_name.buffer, ddns_hostname.len + ddns_domainname.len + 2, MDL); @@@@ -449,6 +455,11 @@@@ if (!ddns_fwd_name.len) goto out; + if (ddns_fwd_name.len > 255) { + log_error ("client provided fqdn: too long"); + goto out; + } + /* * Compute the RR TTL. 
*/ @@@@ -480,6 +491,12 @@@@ state -> options, &lease -> scope, oc, MDL); + if (d1.len > 238) { + log_error ("ddns_update: Calculated rev domain name too long."); + s1 = 0; + data_string_forget (&d1, MDL); + } + if (oc && s1) { /* Buffer length: XXX.XXX.XXX.XXX.\0 */ Index: server/dhcp.c --- server/dhcp.c.orig 2004-01-09 01:41:00 +0100 +++ server/dhcp.c 2004-07-08 13:07:02 +0200 @@@@ -268,14 +268,19 @@@@ find_lease (&lease, packet, packet -> shared_network, 0, &allocatedp, (struct lease *)0, MDL); - if (lease && lease -> client_hostname && + if (lease && lease -> client_hostname) { + if ((strlen (lease -> client_hostname) <= 64) && db_printable (lease -> client_hostname)) s = lease -> client_hostname; else + s = "Hostname Unsuitable for Printing"; + } else s = (char *)0; - /* Say what we're doing... */ - sprintf (msgbuf, "DHCPDISCOVER from %s %s%s%svia %s", + /* %Audit% This is log output. %2004.06.17,Safe% + * If we truncate we hope the user can get a hint from the log. + */ + snprintf (msgbuf, sizeof msgbuf, "DHCPDISCOVER from %s %s%s%svia %s", (packet -> raw -> htype ? print_hw_addr (packet -> raw -> htype, packet -> raw -> hlen, @@@@ -446,10 +451,13 @@@@ /* XXX consider using allocatedp arg to find_lease to see XXX that this isn't a compliant DHCPREQUEST. */ - if (lease && lease -> client_hostname && + if (lease && lease -> client_hostname) { + if ((strlen (lease -> client_hostname) <= 64) && db_printable (lease -> client_hostname)) s = lease -> client_hostname; else + s = "Hostname Unsuitable for Printing"; + } else s = (char *)0; oc = lookup_option (&dhcp_universe, packet -> options, @@@@ -463,13 +471,19 @@@@ sip.len = 4; memcpy (sip.iabuf, data.data, 4); data_string_forget (&data, MDL); + /* piaddr() should not return more than a 15 byte string. + * safe. + */ sprintf (smbuf, " (%s)", piaddr (sip)); have_server_identifier = 1; } else smbuf [0] = 0; - /* Say what we're doing... 
*/ - sprintf (msgbuf, "DHCPREQUEST for %s%s from %s %s%s%svia %s", + /* %Audit% This is log output. %2004.06.17,Safe% + * If we truncate we hope the user can get a hint from the log. + */ + snprintf (msgbuf, sizeof msgbuf, + "DHCPREQUEST for %s%s from %s %s%s%svia %s", piaddr (cip), smbuf, (packet -> raw -> htype ? print_hw_addr (packet -> raw -> htype, @@@@ -742,17 +756,26 @@@@ packet -> raw -> chaddr, packet -> raw -> hlen))) lease_dereference (&lease, MDL); - if (lease && lease -> client_hostname && + if (lease && lease -> client_hostname) { + if ((strlen (lease -> client_hostname) <= 64) && db_printable (lease -> client_hostname)) s = lease -> client_hostname; else + s = "Hostname Unsuitable for Printing"; + } else s = (char *)0; + /* %Audit% Cannot exceed 16 bytes. %2004.06.17,Safe% + * We copy this out to stack because we actually want to log two + * inet_ntoa()'s in this message. + */ strncpy(cstr, inet_ntoa (packet -> raw -> ciaddr), 15); cstr[15] = '\0'; - /* Say what we're doing... */ - sprintf (msgbuf, + /* %Audit% This is log output. %2004.06.17,Safe% + * If we truncate we hope the user can get a hint from the log. + */ + snprintf (msgbuf, sizeof msgbuf, "DHCPRELEASE of %s from %s %s%s%svia %s (%sfound)", cstr, (packet -> raw -> htype @@@@ -830,13 +853,20 @@@@ data_string_forget (&data, MDL); find_lease_by_ip_addr (&lease, cip, MDL); - if (lease && lease -> client_hostname && + if (lease && lease -> client_hostname) { + if ((strlen (lease -> client_hostname) <= 64) && db_printable (lease -> client_hostname)) s = lease -> client_hostname; else + s = "Hostname Unsuitable for Printing"; + } else s = (char *)0; - sprintf (msgbuf, "DHCPDECLINE of %s from %s %s%s%svia %s", + /* %Audit% This is log output. %2004.06.17,Safe% + * If we truncate we hope the user can get a hint from the log. + */ + snprintf (msgbuf, sizeof msgbuf, + "DHCPDECLINE of %s from %s %s%s%svia %s", piaddr (cip), (packet -> raw -> htype ? 
print_hw_addr (packet -> raw -> htype, @@@@ -947,7 +977,10 @@@@ memcpy (cip.iabuf, &packet -> raw -> ciaddr, 4); } - sprintf (msgbuf, "DHCPINFORM from %s via %s", + /* %Audit% This is log output. %2004.06.17,Safe% + * If we truncate we hope the user can get a hint from the log. + */ + snprintf (msgbuf, sizeof msgbuf, "DHCPINFORM from %s via %s", piaddr (cip), packet -> interface -> name); /* If the IP source address is zero, don't respond. */ @@@@ -2748,10 +2781,13 @@@@ raw.hops = state -> hops; raw.op = BOOTREPLY; - if (lease -> client_hostname && + if (lease -> client_hostname) { + if ((strlen (lease -> client_hostname) <= 64) && db_printable (lease -> client_hostname)) s = lease -> client_hostname; else + s = "Hostname Unsuitable for Printing"; + } else s = (char *)0; /* Say what we're doing... */ Index: server/failover.c --- server/failover.c.orig 2003-04-18 21:55:49 +0200 +++ server/failover.c 2004-07-08 13:07:02 +0200 @@@@ -3407,14 +3407,17 @@@@ va_list va; char tbuf [256]; + /* %Audit% Truncation causes panic. %2004.06.17,Revisit% + * It is unclear what the effects of truncation here are, or + * how that condition should be handled. It seems that this + * function is used for formatting messages in the failover + * command channel. For now the safest thing is for + * overflow-truncation to cause a fatal log. + */ va_start (va, fmt); -#if defined (HAVE_SNPRINTF) - /* Presumably if we have snprintf, we also have - vsnprintf. */ - vsnprintf (tbuf, sizeof tbuf, fmt, va); -#else - vsprintf (tbuf, fmt, va); -#endif + if (vsnprintf (tbuf, sizeof tbuf, fmt, va) >= sizeof tbuf) + log_fatal ("%s: vsnprintf would truncate", + "dhcp_failover_make_option"); va_end (va); return dhcp_failover_make_option (code, obuf, obufix, obufmax, @@@@ -3515,7 +3518,16 @@@@ putUShort (&option.data [2], size - 4); #if defined (DEBUG_FAILOVER_MESSAGES) - sprintf (tbuf, " (%s<%d>", info -> name, option.count); + /* %Audit% Truncation causes panic. 
%2004.06.17,Revisit% + * It is unclear what the effects of truncation here are, or + * how that condition should be handled. It seems that this + * message may be sent over the failover command channel. + * For now the safest thing is for overflow-truncation to cause + * a fatal log. + */ + if (snprintf (tbuf, sizeof tbuf, " (%s<%d>", info -> name, + option.count) >= sizeof tbuf) + log_fatal ("dhcp_failover_make_option: tbuf overflow"); failover_print (obuf, obufix, obufmax, tbuf); #endif @@@@ -3576,17 +3588,21 @@@@ break; /* On output, TEXT_OR_BYTES is _always_ text, and always NUL - terminated. Note that the caller should be careful not to - provide a format and data that amount to more than 256 bytes - of data, since it will be truncated on platforms that - support snprintf, and will mung the stack on those platforms - that do not support snprintf. Also, callers should not pass - data acquired from the network without specifically checking - it to make sure it won't bash the stack. */ + terminated. Note that the caller should be careful not + to provide a format and data that amount to more than 256 + bytes of data, since it will cause a fatal error. */ case FT_TEXT_OR_BYTES: case FT_TEXT: #if defined (DEBUG_FAILOVER_MESSAGES) - sprintf (tbuf, "\"%s\"", txt); + /* %Audit% Truncation causes panic. %2004.06.17,Revisit% + * It is unclear what the effects of truncation here are, or + * how that condition should be handled. It seems that this + * function is used for formatting messages in the failover + * command channel. For now the safest thing is for + * overflow-truncation to cause a fatal log. 
+ */ + if (snprintf (tbuf, sizeof tbuf, "\"%s\"", txt) >= sizeof tbuf) + log_fatal ("dhcp_failover_make_option: tbuf overflow"); failover_print (obuf, obufix, obufmax, tbuf); #endif memcpy (&option.data [4], txt, count); @@@@ -4494,19 +4510,15 @@@@ } if (new_binding_state != msg -> binding_status) { char outbuf [100]; -#if !defined (NO_SNPRINTF) - snprintf (outbuf, sizeof outbuf, - "%s: invalid state transition: %s to %s", - piaddr (lease -> ip_addr), - binding_state_print (lease -> binding_state), - binding_state_print (msg -> binding_status)); -#else - sprintf (outbuf, + + if (snprintf (outbuf, sizeof outbuf, "%s: invalid state transition: %s to %s", piaddr (lease -> ip_addr), binding_state_print (lease -> binding_state), - binding_state_print (msg -> binding_status)); -#endif + binding_state_print (msg -> binding_status)) + >= sizeof outbuf) + log_fatal ("%s: impossible outbuf overflow"); + dhcp_failover_send_bind_ack (state, msg, FTR_FATAL_CONFLICT, outbuf); @ 1.3 log @towards SA-2003.012-dhcpd; CAN-2003-0039 @ text @@ 1.2 log @remove obsolete stuff @ text @d1 53 a53 11 --- server/omapi.c.orig Tue Jun 4 12:02:11 2002 +++ server/omapi.c Tue Jun 4 12:02:11 2002 @@@@ -244,7 +244,7 @@@@ if (lease -> binding_state != bar) { lease -> next_binding_state = bar; if (supersede_lease (lease, 0, 1, 1, 1)) { - log_info ("lease %d state changed from %s to %s", + log_info ("lease state changed from %s to %s", ols, nls); return ISC_R_SUCCESS; } @ 1.2.6.1 log @MFS: SA-2003.012-dhcpd; CAN-2003-0039 @ text @d1 11 a11 53 --- relay/dhcrelay.c-orig Sat Apr 27 05:34:20 2002 +++ relay/dhcrelay.c Wed Feb 19 12:44:19 2003 @@@@ -88,6 +88,7 @@@@ did not match any known circuit ID. */ int missing_circuit_id = 0; /* Circuit ID option in matching RAI option was missing. */ +int max_hop_count = 4; /* Maximum hop count */ /* Maximum size of a packet with agent options added. 
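Review bot: The added `log_fatal ("%s: impossible outbuf overflow");` has a `%s` conversion but no argument for it; `log_fatal` is used printf-style elsewhere in this patch (`log_fatal ("%s: vsnprintf would truncate", "dhcp_failover_make_option");`), so this reads a nonexistent vararg and the fatal message itself becomes undefined behaviour. Either drop the conversion, `log_fatal ("impossible outbuf overflow");`, or give it a value that is in scope such as `piaddr (lease -> ip_addr)`, which the hunk already formats into `outbuf`. The enclosing function begins and ends outside the hunk.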
*/ int dhcp_max_agent_option_packet_length = 576; @@@@ -182,6 +183,15 @@@@ quiet_interface_discovery = 1; } else if (!strcmp (argv [i], "-a")) { add_agent_options = 1; + } else if (!strcmp (argv [i], "-c")) { + int hcount; + if (++i == argc) + usage (); + hcount = atoi(argv[i]); + if (hcount <= 16) + max_hop_count = hcount; + else + usage (); } else if (!strcmp (argv [i], "-A")) { if (++i == argc) usage (); @@@@ -425,6 +435,17 @@@@ packet -> giaddr = ip -> primary_address; if (packet -> hops != 255) packet -> hops = packet -> hops + 1; + + /* ftp://ftp.rfc-editor.org/in-notes/rfc1542.txt + * 4.1.1 BOOTREQUEST Messages + * The relay agent MUST silently discard BOOTREQUEST messages whose + * 'hops' field exceeds the value 16. A configuration option SHOULD be + * provided to set this threshold to a smaller value if desired by the + * network manager. The default setting for a configurable threshold + * SHOULD be 4. + */ + if (packet -> hops >= max_hop_count) + return; /* Otherwise, it's a BOOTREQUEST, so forward it to all the servers. */ @@@@ -470,7 +470,7 @@@@ static void usage () { log_fatal ("Usage: dhcrelay [-p ] [-d] [-D] [-i %s%s%s", - "interface]\n ", + "interface] [-c max_hop_count]\n ", "[-q] [-a] [-A length] [-m append|replace|forward|discard]\n", " [server1 [... serverN]]"); } @ 1.2.4.1 log @MFC: towards SA-2003.012-dhcpd; CAN-2003-0039 @ text @d1 11 a11 53 --- relay/dhcrelay.c-orig Sat Apr 27 05:34:20 2002 +++ relay/dhcrelay.c Wed Feb 19 12:44:19 2003 @@@@ -88,6 +88,7 @@@@ did not match any known circuit ID. */ int missing_circuit_id = 0; /* Circuit ID option in matching RAI option was missing. */ +int max_hop_count = 4; /* Maximum hop count */ /* Maximum size of a packet with agent options added. 
*/ int dhcp_max_agent_option_packet_length = 576; @@@@ -182,6 +183,15 @@@@ quiet_interface_discovery = 1; } else if (!strcmp (argv [i], "-a")) { add_agent_options = 1; + } else if (!strcmp (argv [i], "-c")) { + int hcount; + if (++i == argc) + usage (); + hcount = atoi(argv[i]); + if (hcount <= 16) + max_hop_count = hcount; + else + usage (); } else if (!strcmp (argv [i], "-A")) { if (++i == argc) usage (); @@@@ -425,6 +435,17 @@@@ packet -> giaddr = ip -> primary_address; if (packet -> hops != 255) packet -> hops = packet -> hops + 1; + + /* ftp://ftp.rfc-editor.org/in-notes/rfc1542.txt + * 4.1.1 BOOTREQUEST Messages + * The relay agent MUST silently discard BOOTREQUEST messages whose + * 'hops' field exceeds the value 16. A configuration option SHOULD be + * provided to set this threshold to a smaller value if desired by the + * network manager. The default setting for a configurable threshold + * SHOULD be 4. + */ + if (packet -> hops >= max_hop_count) + return; /* Otherwise, it's a BOOTREQUEST, so forward it to all the servers. */ @@@@ -470,7 +470,7 @@@@ static void usage () { log_fatal ("Usage: dhcrelay [-p ] [-d] [-D] [-i %s%s%s", - "interface]\n ", + "interface] [-c max_hop_count]\n ", "[-q] [-a] [-A length] [-m append|replace|forward|discard]\n", " [server1 [... 
serverN]]"); } @ 1.2.4.1.2.1 log @SA-2004.031; CAN-2004-0460, CAN-2004-0461 @ text @a53 479 Index: includes/cf/aix.h --- includes/cf/aix.h.orig 2000-03-17 04:59:46 +0100 +++ includes/cf/aix.h 2004-07-08 14:18:17 +0200 @@@@ -85,8 +85,9 @@@@ #define VA_start(list, last) va_start (list) #define va_dcl -#define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list) -#define NO_SNPRINTF +#ifdef NO_SNPRINTF +# undef NO_SNPRINTF +#endif #define EOL '\n' #define VOIDPTR void * Index: includes/cf/alphaosf.h --- includes/cf/alphaosf.h.orig 2000-03-24 01:23:02 +0100 +++ includes/cf/alphaosf.h 2004-07-08 14:18:17 +0200 @@@@ -100,9 +100,9 @@@@ #define jdref(x) (x) #define jrefproto jmp_buf -/* OSF/1 doesn't support limited sprintfs. */ -#define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list) -#define NO_SNPRINTF +#ifdef NO_SNPRINTF +# undef NO_SNPRINTF +#endif #define NEED_OSF_PFILT_HACKS #define BPF_FORMAT "/dev/pf/pfilt%d" Index: includes/cf/cygwin32.h --- includes/cf/cygwin32.h.orig 2000-03-17 04:59:47 +0100 +++ includes/cf/cygwin32.h 2004-07-08 14:18:17 +0200 @@@@ -77,8 +77,10 @@@@ #define VA_DOTDOTDOT ... 
#define va_dcl #define VA_start(list, last) va_start (list, last) -#define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list) -#define NO_SNPRINTF + +#ifdef NO_SNPRINTF +# undef NO_SNPRINTF +#endif #ifndef _PATH_DHCPD_PID #define _PATH_DHCPD_PID "//e/etc/dhcpd.pid" Index: includes/cf/hpux.h --- includes/cf/hpux.h.orig 2000-03-17 04:59:47 +0100 +++ includes/cf/hpux.h 2004-07-08 14:18:17 +0200 @@@@ -90,8 +90,9 @@@@ #define VA_start(list, last) va_start (list) #endif -#define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list) -#define NO_SNPRINTF +#ifdef NO_SNPRINTF +# undef NO_SNPRINTF +#endif #define USE_SOCKETS 1 #define EOL '\n' Index: includes/cf/linux.h --- includes/cf/linux.h.orig 2002-04-27 01:41:57 +0200 +++ includes/cf/linux.h 2004-07-08 14:18:17 +0200 @@@@ -105,8 +105,9 @@@@ #define VA_start(list, last) va_start (list, last) #define va_dcl -#define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list) -#define NO_SNPRINTF +#ifdef NO_SNPRINTF +# undef NO_SNPRINTF +#endif #define VOIDPTR void * Index: includes/cf/qnx.h --- includes/cf/qnx.h.orig 2001-06-26 20:37:40 +0200 +++ includes/cf/qnx.h 2004-07-08 14:18:17 +0200 @@@@ -115,9 +115,8 @@@@ #define USE_SOCKETS #undef AF_LINK -#ifndef __QNXNTO__ -# define NO_SNPRINTF -# define vsnprintf( buf, size, fmt, list ) vsprintf( buf, fbuf, list ) +#ifdef NO_SNPRINTF +# undef NO_SNPRINTF #endif #ifdef __QNXNTO__ Index: includes/cf/sco.h --- includes/cf/sco.h.orig 2001-04-09 03:13:32 +0200 +++ includes/cf/sco.h 2004-07-08 14:18:17 +0200 @@@@ -113,9 +113,9 @@@@ #define VA_start(list, last) va_start (list, last) #define va_dcl -/* SCO doesn't support limited sprintfs. */ -#define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list) -#define NO_SNPRINTF +#ifdef NO_SNPRINTF +# undef NO_SNPRINTF +#endif /* By default, use BSD Socket API for receiving and sending packets. 
This actually works pretty well on Solaris, which doesn't censor Index: includes/cf/sunos4.h --- includes/cf/sunos4.h.orig 2001-06-29 01:32:44 +0200 +++ includes/cf/sunos4.h 2004-07-08 14:18:17 +0200 @@@@ -128,9 +128,9 @@@@ #define VA_start(list, last) va_start (list) #endif /* !__GNUC__*/ -/* SunOS doesn't support limited sprintfs. */ -#define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list) -#define NO_SNPRINTF +#ifdef NO_SNPRINTF +# undef NO_SNPRINTF +#endif /* SunOS doesn't supply strerror... */ #define NO_STRERROR Index: includes/cf/sunos5-5.h --- includes/cf/sunos5-5.h.orig 2000-03-17 04:59:48 +0100 +++ includes/cf/sunos5-5.h 2004-07-08 14:18:17 +0200 @@@@ -116,9 +116,9 @@@@ #define VA_start(list, last) va_start (list) #endif /* !__GNUC__*/ -/* Solaris doesn't support limited sprintfs. */ -#define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list) -#define NO_SNPRINTF +#ifdef NO_SNPRINTF +# undef NO_SNPRINTF +#endif #define NEED_INET_ATON Index: server/bootp.c --- server/bootp.c.orig 2002-11-17 03:29:30 +0100 +++ server/bootp.c 2004-07-08 14:18:17 +0200 @@@@ -77,7 +77,10 @@@@ if (packet -> raw -> op != BOOTREQUEST) return; - sprintf (msgbuf, "BOOTREQUEST from %s via %s", + /* %Audit% This is log output. %2004.06.17,Safe% + * If we truncate we hope the user can get a hint from the log. + */ + snprintf (msgbuf, sizeof msgbuf, "BOOTREQUEST from %s via %s", print_hw_addr (packet -> raw -> htype, packet -> raw -> hlen, packet -> raw -> chaddr), Index: server/db.c --- server/db.c.orig 2002-11-03 01:28:44 +0100 +++ server/db.c 2004-07-08 14:18:17 +0200 @@@@ -782,7 +782,17 @@@@ /* Make a temporary lease file... */ GET_TIME (&t); - sprintf (newfname, "%s.%d", path_dhcpd_db, (int)t); + + /* %Audit% Truncated filename causes panic. %2004.06.17,Safe% + * This should never happen since the path is a configuration + * variable from build-time or command-line. 
But if it should, + * either by malice or ignorance, we panic, since the potential + * for havoc is high. + */ + if (snprintf (newfname, sizeof newfname, "%s.%d", + path_dhcpd_db, (int)t) >= sizeof newfname) + log_fatal("new_lease_file: lease file path too long"); + db_fd = open (newfname, O_WRONLY | O_TRUNC | O_CREAT, 0664); if (db_fd < 0) { log_error ("Can't create new lease file: %m"); @@@@ -832,8 +842,17 @@@@ #if defined (TRACING) if (!trace_playback ()) { #endif + /* %Audit% Truncated filename causes panic. %2004.06.17,Safe% + * This should never happen since the path is a configuration + * variable from build-time or command-line. But if it should, + * either by malice or ignorance, we panic, since the potential + * for havoc is too high. + */ + if (snprintf (backfname, sizeof backfname, "%s~", path_dhcpd_db) + >= sizeof backfname) + log_fatal("new_lease_file: backup lease file path too long"); + /* Get the old database out of the way... */ - sprintf (backfname, "%s~", path_dhcpd_db); if (unlink (backfname) < 0 && errno != ENOENT) { log_error ("Can't remove old lease database backup %s: %m", backfname); Index: server/ddns.c --- server/ddns.c.orig 2002-11-17 03:29:30 +0100 +++ server/ddns.c 2004-07-08 14:18:17 +0200 @@@@ -345,6 +345,12 @@@@ &lease -> scope, oc, MDL); if (s1 && s2) { + if (ddns_hostname.len + ddns_domainname.len > 253) { + log_error ("ddns_update: host.domain name too long"); + + goto out; + } + buffer_allocate (&ddns_fwd_name.buffer, ddns_hostname.len + ddns_domainname.len + 2, MDL); @@@@ -449,6 +455,11 @@@@ if (!ddns_fwd_name.len) goto out; + if (ddns_fwd_name.len > 255) { + log_error ("client provided fqdn: too long"); + goto out; + } + /* * Compute the RR TTL. 
*/ @@@@ -480,6 +491,12 @@@@ state -> options, &lease -> scope, oc, MDL); + if (d1.len > 238) { + log_error ("ddns_update: Calculated rev domain name too long."); + s1 = 0; + data_string_forget (&d1, MDL); + } + if (oc && s1) { /* Buffer length: XXX.XXX.XXX.XXX.\0 */ Index: server/dhcp.c --- server/dhcp.c.orig 2002-11-17 03:29:30 +0100 +++ server/dhcp.c 2004-07-08 14:18:17 +0200 @@@@ -268,14 +268,19 @@@@ find_lease (&lease, packet, packet -> shared_network, 0, &allocatedp, (struct lease *)0, MDL); - if (lease && lease -> client_hostname && + if (lease && lease -> client_hostname) { + if ((strlen (lease -> client_hostname) <= 64) && db_printable (lease -> client_hostname)) s = lease -> client_hostname; else + s = "Hostname Unsuitable for Printing"; + } else s = (char *)0; - /* Say what we're doing... */ - sprintf (msgbuf, "DHCPDISCOVER from %s %s%s%svia %s", + /* %Audit% This is log output. %2004.06.17,Safe% + * If we truncate we hope the user can get a hint from the log. + */ + snprintf (msgbuf, sizeof msgbuf, "DHCPDISCOVER from %s %s%s%svia %s", (packet -> raw -> htype ? print_hw_addr (packet -> raw -> htype, packet -> raw -> hlen, @@@@ -446,10 +451,13 @@@@ /* XXX consider using allocatedp arg to find_lease to see XXX that this isn't a compliant DHCPREQUEST. */ - if (lease && lease -> client_hostname && + if (lease && lease -> client_hostname) { + if ((strlen (lease -> client_hostname) <= 64) && db_printable (lease -> client_hostname)) s = lease -> client_hostname; else + s = "Hostname Unsuitable for Printing"; + } else s = (char *)0; oc = lookup_option (&dhcp_universe, packet -> options, @@@@ -463,13 +471,19 @@@@ sip.len = 4; memcpy (sip.iabuf, data.data, 4); data_string_forget (&data, MDL); + /* piaddr() should not return more than a 15 byte string. + * safe. + */ sprintf (smbuf, " (%s)", piaddr (sip)); have_server_identifier = 1; } else smbuf [0] = 0; - /* Say what we're doing... 
*/ - sprintf (msgbuf, "DHCPREQUEST for %s%s from %s %s%s%svia %s", + /* %Audit% This is log output. %2004.06.17,Safe% + * If we truncate we hope the user can get a hint from the log. + */ + snprintf (msgbuf, sizeof msgbuf, + "DHCPREQUEST for %s%s from %s %s%s%svia %s", piaddr (cip), smbuf, (packet -> raw -> htype ? print_hw_addr (packet -> raw -> htype, @@@@ -742,14 +756,23 @@@@ packet -> raw -> chaddr, packet -> raw -> hlen))) lease_dereference (&lease, MDL); - if (lease && lease -> client_hostname && + if (lease && lease -> client_hostname) { + if ((strlen (lease -> client_hostname) <= 64) && db_printable (lease -> client_hostname)) s = lease -> client_hostname; else + s = "Hostname Unsuitable for Printing"; + } else s = (char *)0; - /* Say what we're doing... */ - sprintf (msgbuf, + /* %Audit% Cannot exceed 16 bytes. %2004.06.17,Safe% + * We copy this out to stack because we actually want to log two + * inet_ntoa()'s in this message. + */ + /* %Audit% This is log output. %2004.06.17,Safe% + * If we truncate we hope the user can get a hint from the log. + */ + snprintf (msgbuf, sizeof msgbuf, "DHCPRELEASE of %s from %s %s%s%svia %s (%sfound)", inet_ntoa (packet -> raw -> ciaddr), (packet -> raw -> htype @@@@ -827,13 +850,20 @@@@ data_string_forget (&data, MDL); find_lease_by_ip_addr (&lease, cip, MDL); - if (lease && lease -> client_hostname && + if (lease && lease -> client_hostname) { + if ((strlen (lease -> client_hostname) <= 64) && db_printable (lease -> client_hostname)) s = lease -> client_hostname; else + s = "Hostname Unsuitable for Printing"; + } else s = (char *)0; - sprintf (msgbuf, "DHCPDECLINE of %s from %s %s%s%svia %s", + /* %Audit% This is log output. %2004.06.17,Safe% + * If we truncate we hope the user can get a hint from the log. + */ + snprintf (msgbuf, sizeof msgbuf, + "DHCPDECLINE of %s from %s %s%s%svia %s", piaddr (cip), (packet -> raw -> htype ? 
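Review bot: `sprintf (smbuf, " (%s)", piaddr (sip));` is the one formatted write in this file the patch leaves unbounded, relying on the new comment that piaddr() of a 4-byte address yields at most 15 characters. Since every sibling site was converted, bounding it the same way costs nothing and removes the dependency on piaddr()'s output format: `snprintf (smbuf, sizeof smbuf, " (%s)", piaddr (sip));` — provided smbuf is an array rather than a pointer, which its declaration outside the hunk would confirm. The enclosing function starts and ends outside this hunk.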
print_hw_addr (packet -> raw -> htype, @@@@ -944,7 +974,10 @@@@ memcpy (cip.iabuf, &packet -> raw -> ciaddr, 4); } - sprintf (msgbuf, "DHCPINFORM from %s via %s", + /* %Audit% This is log output. %2004.06.17,Safe% + * If we truncate we hope the user can get a hint from the log. + */ + snprintf (msgbuf, sizeof msgbuf, "DHCPINFORM from %s via %s", piaddr (cip), packet -> interface -> name); /* If the IP source address is zero, don't respond. */ @@@@ -2718,10 +2751,13 @@@@ raw.hops = state -> hops; raw.op = BOOTREPLY; - if (lease -> client_hostname && + if (lease -> client_hostname) { + if ((strlen (lease -> client_hostname) <= 64) && db_printable (lease -> client_hostname)) s = lease -> client_hostname; else + s = "Hostname Unsuitable for Printing"; + } else s = (char *)0; /* Say what we're doing... */ Index: server/failover.c --- server/failover.c.orig 2002-11-17 03:29:31 +0100 +++ server/failover.c 2004-07-08 14:18:17 +0200 @@@@ -3407,14 +3407,17 @@@@ va_list va; char tbuf [256]; + /* %Audit% Truncation causes panic. %2004.06.17,Revisit% + * It is unclear what the effects of truncation here are, or + * how that condition should be handled. It seems that this + * function is used for formatting messages in the failover + * command channel. For now the safest thing is for + * overflow-truncation to cause a fatal log. + */ va_start (va, fmt); -#if defined (HAVE_SNPRINTF) - /* Presumably if we have snprintf, we also have - vsnprintf. */ - vsnprintf (tbuf, sizeof tbuf, fmt, va); -#else - vsprintf (tbuf, fmt, va); -#endif + if (vsnprintf (tbuf, sizeof tbuf, fmt, va) >= sizeof tbuf) + log_fatal ("%s: vsnprintf would truncate", + "dhcp_failover_make_option"); va_end (va); return dhcp_failover_make_option (code, obuf, obufix, obufmax, @@@@ -3515,7 +3518,16 @@@@ putUShort (&option.data [2], size - 4); #if defined (DEBUG_FAILOVER_MESSAGES) - sprintf (tbuf, " (%s<%d>", info -> name, option.count); + /* %Audit% Truncation causes panic. 
%2004.06.17,Revisit% + * It is unclear what the effects of truncation here are, or + * how that condition should be handled. It seems that this + * message may be sent over the failover command channel. + * For now the safest thing is for overflow-truncation to cause + * a fatal log. + */ + if (snprintf (tbuf, sizeof tbuf, " (%s<%d>", info -> name, + option.count) >= sizeof tbuf) + log_fatal ("dhcp_failover_make_option: tbuf overflow"); failover_print (obuf, obufix, obufmax, tbuf); #endif @@@@ -3576,17 +3588,21 @@@@ break; /* On output, TEXT_OR_BYTES is _always_ text, and always NUL - terminated. Note that the caller should be careful not to - provide a format and data that amount to more than 256 bytes - of data, since it will be truncated on platforms that - support snprintf, and will mung the stack on those platforms - that do not support snprintf. Also, callers should not pass - data acquired from the network without specifically checking - it to make sure it won't bash the stack. */ + terminated. Note that the caller should be careful not + to provide a format and data that amount to more than 256 + bytes of data, since it will cause a fatal error. */ case FT_TEXT_OR_BYTES: case FT_TEXT: #if defined (DEBUG_FAILOVER_MESSAGES) - sprintf (tbuf, "\"%s\"", txt); + /* %Audit% Truncation causes panic. %2004.06.17,Revisit% + * It is unclear what the effects of truncation here are, or + * how that condition should be handled. It seems that this + * function is used for formatting messages in the failover + * command channel. For now the safest thing is for + * overflow-truncation to cause a fatal log. 
+ */ + if (snprintf (tbuf, sizeof tbuf, "\"%s\"", txt) >= sizeof tbuf) + log_fatal ("dhcp_failover_make_option: tbuf overflow"); failover_print (obuf, obufix, obufmax, tbuf); #endif memcpy (&option.data [4], txt, count); @@@@ -4494,19 +4510,15 @@@@ } if (new_binding_state != msg -> binding_status) { char outbuf [100]; -#if !defined (NO_SNPRINTF) - snprintf (outbuf, sizeof outbuf, - "%s: invalid state transition: %s to %s", - piaddr (lease -> ip_addr), - binding_state_print (lease -> binding_state), - binding_state_print (msg -> binding_status)); -#else - sprintf (outbuf, + + if (snprintf (outbuf, sizeof outbuf, "%s: invalid state transition: %s to %s", piaddr (lease -> ip_addr), binding_state_print (lease -> binding_state), - binding_state_print (msg -> binding_status)); -#endif + binding_state_print (msg -> binding_status)) + >= sizeof outbuf) + log_fatal ("%s: impossible outbuf overflow"); + dhcp_failover_send_bind_ack (state, msg, FTR_FATAL_CONFLICT, outbuf); @ 1.2.2.1 log @apply security bugfix @ text @d1 10 a10 63 --- minires/ns_name.c Wed Feb 2 08:28:14 2000 +++ minires/ns_name.c Wed Jan 15 00:15:06 2003 @@@@ -255,6 +255,10 @@@@ dn = dst; eom = dst + dstsiz; + if (dn >= eom) { + errno = EMSGSIZE; + return (-1); + } while ((n = *cp++) != 0) { if ((n & NS_CMPRSFLGS) != 0) { /* Some kind of compression pointer. */ --- minires/ns_samedomain.c Tue Jan 16 23:33:09 2001 +++ minires/ns_samedomain.c Wed Jan 15 00:15:06 2003 @@@@ -168,7 +168,7 @@@@ size_t n = strlen(src); if (n + sizeof "." > dstsize) { - ISC_R_NOSPACE; + return ISC_R_NOSPACE; } strcpy(dst, src); while (n > 0 && dst[n - 1] == '.') /* Ends in "." */ --- minires/ns_sign.c Thu May 17 22:47:33 2001 +++ minires/ns_sign.c Wed Jan 15 00:15:06 2003 @@@@ -87,7 +87,7 @@@@ dst_init(); if (msg == NULL || msglen == NULL || sig == NULL || siglen == NULL) - ISC_R_INVALIDARG; + return ISC_R_INVALIDARG; /* Name. 
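Review bot: The rewritten block comment now says an over-long format/data "will cause a fatal error", but the check that produces it sits inside `#if defined (DEBUG_FAILOVER_MESSAGES)`; in a build without that symbol the hunk goes straight to `memcpy (&option.data [4], txt, count)` with no length test at all. Either the comment should say the fatal error applies only to debug builds, or the `snprintf`/`log_fatal` pair should move outside the `#if`; the -3515 hunk has the same debug-only guard. Whether `count` is bounded earlier in the function cannot be seen from this hunk, so correcting the comment is at least the safe fix.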
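Review bot: `log_fatal ("%s: impossible outbuf overflow");` supplies a `%s` conversion with no matching argument, so the fatal path reads a missing vararg — undefined behaviour, and in practice a garbage pointer handed to the logger right as the process is about to abort. Either give it the argument the surrounding message already uses, `log_fatal ("%s: impossible outbuf overflow", piaddr (lease -> ip_addr));`, or drop the `%s`. A `__attribute__ ((format (printf, 1, 2)))` on log_fatal's declaration would let the compiler catch this class of mismatch.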
*/ if (key != NULL && error != ns_r_badsig && error != ns_r_badkey) @@@@ -118,7 +118,7 @@@@ else n = dn_comp("", cp, (unsigned)(eob - cp), NULL, NULL); if (n < 0) - ISC_R_NOSPACE; + return ISC_R_NOSPACE; alg = cp; cp += n; @@@@ -190,7 +190,7 @@@@ n = dst_sign_data(SIG_MODE_FINAL, key, &ctx, NULL, 0, sig, *siglen); if (n < 0) - ISC_R_BADKEY; + return ISC_R_BADKEY; *siglen = n; } else *siglen = 0; --- minires/res_findzonecut.c Thu May 17 22:47:35 2001 +++ minires/res_findzonecut.c Wed Jan 15 00:15:06 2003 @@@@ -355,7 +355,7 @@@@ while (*dname != '.') { if (*dname == '\\') if (*++dname == '\0') { - ISC_R_NOSPACE; + return ISC_R_NOSPACE; } dname++; @ 1.1 log @fix source code error which is a showstopper under GCC 3.1 @ text @@ 1.1.2.1 log @apply security bugfix @ text @a11 64 --- minires/ns_name.c Wed Feb 2 08:28:14 2000 +++ minires/ns_name.c Wed Jan 15 00:15:06 2003 @@@@ -255,6 +255,10 @@@@ dn = dst; eom = dst + dstsiz; + if (dn >= eom) { + errno = EMSGSIZE; + return (-1); + } while ((n = *cp++) != 0) { if ((n & NS_CMPRSFLGS) != 0) { /* Some kind of compression pointer. */ --- minires/ns_samedomain.c Tue Jan 16 23:33:09 2001 +++ minires/ns_samedomain.c Wed Jan 15 00:15:06 2003 @@@@ -168,7 +168,7 @@@@ size_t n = strlen(src); if (n + sizeof "." > dstsize) { - ISC_R_NOSPACE; + return ISC_R_NOSPACE; } strcpy(dst, src); while (n > 0 && dst[n - 1] == '.') /* Ends in "." */ --- minires/ns_sign.c Thu May 17 22:47:33 2001 +++ minires/ns_sign.c Wed Jan 15 00:15:06 2003 @@@@ -87,7 +87,7 @@@@ dst_init(); if (msg == NULL || msglen == NULL || sig == NULL || siglen == NULL) - ISC_R_INVALIDARG; + return ISC_R_INVALIDARG; /* Name. 
*/ if (key != NULL && error != ns_r_badsig && error != ns_r_badkey) @@@@ -118,7 +118,7 @@@@ else n = dn_comp("", cp, (unsigned)(eob - cp), NULL, NULL); if (n < 0) - ISC_R_NOSPACE; + return ISC_R_NOSPACE; alg = cp; cp += n; @@@@ -190,7 +190,7 @@@@ n = dst_sign_data(SIG_MODE_FINAL, key, &ctx, NULL, 0, sig, *siglen); if (n < 0) - ISC_R_BADKEY; + return ISC_R_BADKEY; *siglen = n; } else *siglen = 0; --- minires/res_findzonecut.c Thu May 17 22:47:35 2001 +++ minires/res_findzonecut.c Wed Jan 15 00:15:06 2003 @@@@ -355,7 +355,7 @@@@ while (*dname != '.') { if (*dname == '\\') if (*++dname == '\0') { - ISC_R_NOSPACE; + return ISC_R_NOSPACE; } dname++; } @ 1.1.2.2 log @MFS: SA-2003.012-dhcpd; CAN-2003-0039 @ text @a75 53 --- relay/dhcrelay.c-orig Sat Apr 27 05:34:20 2002 +++ relay/dhcrelay.c Wed Feb 19 12:44:19 2003 @@@@ -88,6 +88,7 @@@@ did not match any known circuit ID. */ int missing_circuit_id = 0; /* Circuit ID option in matching RAI option was missing. */ +int max_hop_count = 4; /* Maximum hop count */ /* Maximum size of a packet with agent options added. */ int dhcp_max_agent_option_packet_length = 576; @@@@ -182,6 +183,15 @@@@ quiet_interface_discovery = 1; } else if (!strcmp (argv [i], "-a")) { add_agent_options = 1; + } else if (!strcmp (argv [i], "-c")) { + int hcount; + if (++i == argc) + usage (); + hcount = atoi(argv[i]); + if (hcount <= 16) + max_hop_count = hcount; + else + usage (); } else if (!strcmp (argv [i], "-A")) { if (++i == argc) usage (); @@@@ -425,6 +435,17 @@@@ packet -> giaddr = ip -> primary_address; if (packet -> hops != 255) packet -> hops = packet -> hops + 1; + + /* ftp://ftp.rfc-editor.org/in-notes/rfc1542.txt + * 4.1.1 BOOTREQUEST Messages + * The relay agent MUST silently discard BOOTREQUEST messages whose + * 'hops' field exceeds the value 16. A configuration option SHOULD be + * provided to set this threshold to a smaller value if desired by the + * network manager. The default setting for a configurable threshold + * SHOULD be 4. 
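Review bot: The new `-c` handling only rejects values above 16: `hcount = atoi(argv[i]); if (hcount <= 16) max_hop_count = hcount;` accepts 0, negative numbers and non-numeric text (atoi yields 0 for those), and with max_hop_count <= 0 the `packet -> hops >= max_hop_count` test in the later hunk drops every request. Tighten the range to something sane such as 1..16, `if (hcount >= 1 && hcount <= 16) max_hop_count = hcount; else usage ();`, and preferably parse with strtol so a malformed argument is reported rather than silently read as 0. main() starts and ends outside this hunk.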
+ */ + if (packet -> hops >= max_hop_count) + return; /* Otherwise, it's a BOOTREQUEST, so forward it to all the servers. */ @@@@ -470,7 +470,7 @@@@ static void usage () { log_fatal ("Usage: dhcrelay [-p ] [-d] [-D] [-i %s%s%s", - "interface]\n ", + "interface] [-c max_hop_count]\n ", "[-q] [-a] [-A length] [-m append|replace|forward|discard]\n", " [server1 [... serverN]]"); } @
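Review bot: `if (packet -> hops >= max_hop_count) return;` runs after `packet -> hops` has already been incremented, so with the default of 4 a request that has crossed three relays (arriving with hops 3) is bumped to 4 and dropped, while the RFC 1542 text quoted in the comment discards messages whose hops field "exceeds" the threshold. If the intent is the RFC's, test the incoming value before incrementing (or use `>` here); if the stricter behaviour is deliberate, the comment should say so, since the quoted text suggests otherwise. The enclosing function starts and ends outside this hunk.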