Blame SOURCES/0391-Fix-miscalculated-buffer-size-and-uses-of-size-unlim.patch

From 573e86d7e9f0038044d5cba2a1a543e24b063a79 Mon Sep 17 00:00:00 2001
From: Aleksander Adamowski <olo@fb.com>
Date: Mon, 11 Jan 2016 15:26:41 -0800
Subject: [PATCH] Fix miscalculated buffer size and uses of size-unlimited
 sprintf() function.

Not sure if this results in an exploitable buffer overflow, probably not
since the int value is likely sanitized somewhere earlier and it's
being put through a bit mask shortly before being used.

Cherry-picked from: 13f5402c6b734ed4c2b3e8b7c3d3bf6d815e7661
Related: #1318994
---
 src/journal/journald-syslog.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/journal/journald-syslog.c b/src/journal/journald-syslog.c
index 8602b4a..b499a0d 100644
--- a/src/journal/journald-syslog.c
+++ b/src/journal/journald-syslog.c
@@ -317,7 +317,7 @@ void server_process_syslog_message(
         size_t label_len) {
 
         char syslog_priority[sizeof("PRIORITY=") + DECIMAL_STR_MAX(int)],
-             syslog_facility[sizeof("SYSLOG_FACILITY") + DECIMAL_STR_MAX(int)];
+             syslog_facility[sizeof("SYSLOG_FACILITY=") + DECIMAL_STR_MAX(int)];
         const char *message = NULL, *syslog_identifier = NULL, *syslog_pid = NULL;
         struct iovec iovec[N_IOVEC_META_FIELDS + 6];
         unsigned n = 0;
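Review bot: The syslog_facility declaration still spells out the "SYSLOG_FACILITY=" prefix separately from the format string that is later written into the buffer, and that duplication is what let the size drift one byte short (the missing "="). Consider defining each field prefix once and using that single definition in both the sizeof() and the format string, for syslog_priority as well, so the buffer size cannot fall out of step with what is printed into it.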
@@ -348,11 +348,11 @@ void server_process_syslog_message(
 
         IOVEC_SET_STRING(iovec[n++], "_TRANSPORT=syslog");
 
-        sprintf(syslog_priority, "PRIORITY=%i", priority & LOG_PRIMASK);
+        snprintf(syslog_priority, sizeof(syslog_priority), "PRIORITY=%i", priority & LOG_PRIMASK);
         IOVEC_SET_STRING(iovec[n++], syslog_priority);
 
         if (priority & LOG_FACMASK) {
-                sprintf(syslog_facility, "SYSLOG_FACILITY=%i", LOG_FAC(priority));
+                snprintf(syslog_facility, sizeof(syslog_facility), "SYSLOG_FACILITY=%i", LOG_FAC(priority));
                 IOVEC_SET_STRING(iovec[n++], syslog_facility);
         }
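Review bot: Both snprintf() calls discard the return value, so output that did not fit would be truncated silently and the shortened string passed on through IOVEC_SET_STRING(). The buffers are sized for the longest possible output, so truncation here would point to a sizing mistake like the one corrected in the declaration hunk; checking that the return value is non-negative and less than sizeof() of the destination (an assert would do) makes that failure visible instead of emitting a malformed PRIORITY= or SYSLOG_FACILITY= field.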