Subject: [PATCH] r1333: Fixed crashes with very long (revisions) attributes --- debian/changelog | 8 +++++ src/elogd.c | 85 ++++++++++++++++++++++++++++++------------------------ 2 files changed, 56 insertions(+), 37 deletions(-) 6bb233bc624fcb196935dc069238777f06a90cca diff --git a/debian/changelog b/debian/changelog index 6f8e6a7..9f49646 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +elog (2.5.7+r1558-4+sarge1) unstable; urgency=low + + * Security update + * Backport r1333 from upstream's Subversion repository: + "Fixed crashes with very long (revisions) attributes" + + -- Florian Weimer Mon, 23 Jan 2006 15:56:37 +0100 + elog (2.5.7+r1558-3) testing-proposed-updates; urgency=high * Security update. Backport the fix (r1.648) for a buffer overflow: diff --git a/src/elogd.c b/src/elogd.c index 5a5da40..802e1dd 100755 --- a/src/elogd.c +++ b/src/elogd.c @@ -1648,17 +1648,19 @@ size_t strlcat(char *dst, const char *sr /*-------------------------------------------------------------------*/ -void strsubst(char *string, char name[][NAME_LENGTH], char value[][NAME_LENGTH], int n) - /* subsitute "$name" with value corresponding to name */ +void strsubst(char *string, int size, char name[][NAME_LENGTH], char value[][NAME_LENGTH], int n) +/* subsitute "$name" with value corresponding to name */ { int i, j; - char tmp[1000], str[NAME_LENGTH], uattr[NAME_LENGTH], *ps, *pt, *p; + char tmp[2*NAME_LENGTH], str[2*NAME_LENGTH], uattr[2*NAME_LENGTH], *ps, *pt, *p; pt = tmp; ps = string; for (p = strchr(ps, '$'); p != NULL; p = strchr(ps, '$')) { /* copy leading characters */ j = (int) (p - ps); + if (j >= sizeof(tmp)) + return; memcpy(pt, ps, j); pt += j; p++; @@ -1680,7 +1682,7 @@ void strsubst(char *string, char name[][ /* copy value */ if (i < n) { - strcpy(pt, value[i]); + strlcpy(pt, value[i], sizeof(tmp)-((int)pt-(int)tmp)); pt += strlen(pt); ps = p + strlen(uattr); } else { 
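Review bot: The new guard `if (j >= sizeof(tmp)) return;` compares the run length with the whole of `tmp`, not with the room left behind `pt`. Once an earlier substitution has advanced `pt`, the following `memcpy(pt, ps, j)` can still write past the end of `tmp`. The check should use the remaining space, for example `if (j >= (int) (sizeof(tmp) - (pt - tmp))) return;`. The early `return` also leaves `string` with its `$name` placeholders unexpanded, and the caller cannot notice because the function still returns `void`. The body of strsubst continues outside this hunk, so the copies into `str` and `uattr` are not visible here and should be checked against their new `2*NAME_LENGTH` size as well.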
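Review bot: The bound `sizeof(tmp)-((int)pt-(int)tmp)` casts both pointers to `int`, which truncates them wherever pointers are wider than `int` and relies on implementation-defined conversion to come out right. Plain pointer subtraction expresses the same remaining-space value without the casts: `strlcpy(pt, value[i], sizeof(tmp) - (pt - tmp));`. The same expression is repeated in the "copy remainder" `strlcpy` of the next hunk (`@@ -1690`). Truncation by `strlcpy` is silent in both places, so a caller that cares about a cut-off result has no signal for it.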
@@ -1690,10 +1692,10 @@ void strsubst(char *string, char name[][ } /* copy remainder */ - strcpy(pt, ps); + strlcpy(pt, ps, sizeof(tmp)-((int)pt-(int)tmp)); /* return result */ - strcpy(string, tmp); + strlcpy(string, tmp, size); } /*------------------------------------------------------------------*/ @@ -3534,7 +3536,7 @@ void retrieve_email_from(LOGBOOK * lbs, if (attrib) { i = build_subst_list(lbs, slist, svalue, attrib, TRUE); - strsubst(str, slist, svalue, i); + strsubst(str, sizeof(str), slist, svalue, i); /* remove possible 'mailto:' */ if ((p = strstr(str, "mailto:")) != NULL) @@ -7446,7 +7448,7 @@ auto-increment tags */ BOOL is_author(LOGBOOK * lbs, char attrib[MAX_N_ATTR][NAME_LENGTH], char *owner) { - char str[1000], preset[1000]; + char str[NAME_LENGTH], preset[NAME_LENGTH]; int i; /* check if current user is admin */ @@ -7553,7 +7555,7 @@ void show_date_selector(int day, int mon void attrib_from_param(int n_attr, char attrib[MAX_N_ATTR][NAME_LENGTH]) { int i, j, first, year, month, day; - char str[1000], ua[NAME_LENGTH]; + char str[NAME_LENGTH], ua[NAME_LENGTH]; time_t ltime; struct tm ts; @@ -7616,7 +7618,7 @@ void show_edit_form(LOGBOOK * lbs, int m { int i, j, n, index, aindex, size, width, height, fh, length, input_size, input_maxlen, format_flags[MAX_N_ATTR], year, month, day, n_attr, n_disp_attr, attr_index[MAX_N_ATTR]; - char str[1000], preset[1000], *p, *pend, star[80], comment[10000], reply_string[256], + char str[2*NAME_LENGTH], preset[2*NAME_LENGTH], *p, *pend, star[80], comment[10000], reply_string[256], list[MAX_N_ATTR][NAME_LENGTH], file_name[256], *buffer, format[256], date[80], attrib[MAX_N_ATTR][NAME_LENGTH], *text, orig_tag[80], reply_tag[MAX_REPLY_TO * 10], att[MAX_ATTACHMENTS][256], encoding[80], 
@@ -7692,7 +7694,7 @@ void show_edit_form(LOGBOOK * lbs, int m /* do not format date for date attributes */ i = build_subst_list(lbs, slist, svalue, attrib, (attr_flags[index] & AF_DATE) == 0); - strsubst(preset, slist, svalue, i); + strsubst(preset, sizeof(preset), slist, svalue, i); /* check for index substitution */ if (!bedit && strchr(preset, '%')) { @@ -7715,7 +7717,7 @@ void show_edit_form(LOGBOOK * lbs, int m /* do not format date for date attributes */ i = build_subst_list(lbs, slist, svalue, attrib, (attr_flags[index] & AF_DATE) == 0); - strsubst(preset, slist, svalue, i); + strsubst(preset, sizeof(preset), slist, svalue, i); /* check for index substitution */ if (!bedit && strchr(preset, '%')) { @@ -7839,7 +7841,7 @@ void show_edit_form(LOGBOOK * lbs, int m sprintf(str, "%d", message_id); add_subst_list(slist, svalue, "message id", str, &i); add_subst_time(lbs, slist, svalue, "entry time", date, &i); - strsubst(preset, slist, svalue, i); + strsubst(preset, sizeof(preset), slist, svalue, i); strcpy(attrib[index], preset); } } @@ -7859,7 +7861,16 @@ void show_edit_form(LOGBOOK * lbs, int m add_subst_list(slist, svalue, "message id", str, &i); add_subst_time(lbs, slist, svalue, "entry time", date, &i); - strsubst(preset, slist, svalue, i); + strsubst(preset, sizeof(preset), slist, svalue, i); + if (strlen(preset) > NAME_LENGTH - 100) { + if (strstr(preset+100, "
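Review bot: In the `@@ -7839` hunk, `strcpy(attrib[index], preset);` right after the changed call is now the unbounded step. This commit grows `preset` to `2*NAME_LENGTH` in show_edit_form, while `attrib` is declared `[MAX_N_ATTR][NAME_LENGTH]`, so a substituted value longer than one row writes past it. Bounding the copy keeps the fix consistent: `strlcpy(attrib[index], preset, NAME_LENGTH);`. The same pattern appears in the submit_elog hunk (`@@ -16855`), where `strcpy(attrib[i], subst_str)` copies from a `MAX_PATH_LENGTH` buffer; whether that one can overflow depends on the two constants, which are not shown on this page.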
")) { + strlcpy(str, strstr(preset+100, "
"), sizeof(str)); + } else + strlcpy(str, preset+100, sizeof(str)); + + strcpy(preset, "..."); + strlcat(preset, str, sizeof(str)); + } if (strncmp(preset, "
", 4) == 0) strcpy(attrib[index], preset + 4); else @@ -8575,7 +8586,7 @@ void show_edit_form(LOGBOOK * lbs, int m add_subst_time(lbs, slist, svalue, "entry time", date, &j); if (getcfg(lbs->name, "Prepend on edit", str, sizeof(str))) { - strsubst(str, slist, svalue, j); + strsubst(str, sizeof(preset), slist, svalue, j); while (strstr(str, "\\n")) memcpy(strstr(str, "\\n"), "\r\n", 2); rsprintf(str); @@ -8587,7 +8598,7 @@ void show_edit_form(LOGBOOK * lbs, int m if (!bupload) if (getcfg(lbs->name, "Append on edit", str, sizeof(str))) { - strsubst(str, slist, svalue, j); + strsubst(str, sizeof(str), slist, svalue, j); while (strstr(str, "\\n")) memcpy(strstr(str, "\\n"), "\r\n", 2); rsputs3(str); @@ -8602,7 +8613,7 @@ void show_edit_form(LOGBOOK * lbs, int m add_subst_list(slist, svalue, "message id", mid, &j); add_subst_time(lbs, slist, svalue, "entry time", date, &j); - strsubst(str, slist, svalue, j); + strsubst(str, sizeof(str), slist, svalue, j); while (strstr(str, "\\n")) memcpy(strstr(str, "\\n"), "\r\n", 2); rsputs3(str); @@ -8652,7 +8663,7 @@ void show_edit_form(LOGBOOK * lbs, int m sprintf(mid, "%d", message_id); add_subst_list(slist, svalue, "message id", mid, &j); add_subst_time(lbs, slist, svalue, "entry time", date, &j); - strsubst(str, slist, svalue, j); + strsubst(str, sizeof(str), slist, svalue, j); while (strstr(str, "\\n")) memcpy(strstr(str, "\\n"), "\r\n", 2); rsputs3(str); @@ -8685,7 +8696,7 @@ void show_edit_form(LOGBOOK * lbs, int m xfree(buffer); } else { j = build_subst_list(lbs, slist, svalue, attrib, TRUE); - strsubst(str, slist, svalue, j); + strsubst(str, sizeof(str), slist, svalue, j); while (strstr(str, "\\n")) memcpy(strstr(str, "\\n"), "\r\n", 2); rsputs3(str); 
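Review bot: The trimming block added in the `@@ -7859` hunk does not guarantee that `preset` fits into `attrib[index]`. It drops either the first 100 characters or everything before the next marker string, then prepends "...", and `preset` can hold up to `2*NAME_LENGTH - 1` characters, so the result may still exceed `NAME_LENGTH` when `strcpy(attrib[index], preset + 4)` runs. That copy, and the one in the `else` branch outside this hunk, should be bounded, e.g. `strlcpy(attrib[index], preset + 4, NAME_LENGTH);`. `strlcat(preset, str, sizeof(str))` also passes the size of the source buffer; it works only because both are `2*NAME_LENGTH` here and should read `sizeof(preset)`. The marker literal is not legible on this page, so the `preset+100` search itself cannot be checked further.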
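Review bot: The "Prepend on edit" call in the `@@ -8575` hunk passes the size of the wrong buffer: `strsubst(str, sizeof(preset), slist, svalue, j);`. Both buffers are declared `2*NAME_LENGTH` in show_edit_form by this same commit, so it is harmless today, but the bound goes wrong silently if either declaration changes; it should be `strsubst(str, sizeof(str), slist, svalue, j);` like the neighbouring calls. The following context line `rsprintf(str);` uses the substituted text as the format argument of what appears, from the other calls on this page, to be a printf-style function. That is pre-existing, but since the text is built from configuration plus attribute values it is worth changing to `rsprintf("%s", str);` in the same pass.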
@@ -13394,7 +13405,7 @@ void display_line(LOGBOOK * lbs, int mes add_subst_time(lbs, (char (*)[NAME_LENGTH]) slist, (char (*)[NAME_LENGTH]) svalue, "entry time", date, &j); - strsubst(display, (char (*)[NAME_LENGTH]) slist, (char (*)[NAME_LENGTH]) svalue, j); + strsubst(display, sizeof(display), (char (*)[NAME_LENGTH]) slist, (char (*)[NAME_LENGTH]) svalue, j); if (highlight != message_id) rsprintf("", ref); @@ -13457,7 +13468,7 @@ void display_line(LOGBOOK * lbs, int mes add_subst_time(lbs, (char (*)[NAME_LENGTH]) slist, (char (*)[NAME_LENGTH]) svalue, "entry time", date, &j); - strsubst(display, (char (*)[NAME_LENGTH]) slist, (char (*)[NAME_LENGTH]) svalue, j); + strsubst(display, sizeof(display), (char (*)[NAME_LENGTH]) slist, (char (*)[NAME_LENGTH]) svalue, j); } else sprintf(display, "%d", message_id); @@ -13597,7 +13608,7 @@ void display_line(LOGBOOK * lbs, int mes add_subst_time(lbs, (char (*)[NAME_LENGTH]) slist, (char (*)[NAME_LENGTH]) svalue, "entry time", date, &j); - strsubst(display, (char (*)[NAME_LENGTH]) slist, + strsubst(display, sizeof(display), (char (*)[NAME_LENGTH]) slist, (char (*)[NAME_LENGTH]) svalue, j); } else @@ -14708,7 +14719,7 @@ void show_rss_feed(LOGBOOK * lbs) add_subst_time(lbs, (char (*)[NAME_LENGTH]) slist, (char (*)[NAME_LENGTH]) svalue, "entry time", date, &i); - strsubst(title, (char (*)[NAME_LENGTH]) slist, (char (*)[NAME_LENGTH]) svalue, i); + strsubst(title, sizeof(title), (char (*)[NAME_LENGTH]) slist, (char (*)[NAME_LENGTH]) svalue, i); } else { title[0] = 0; @@ -15220,7 +15231,7 @@ void show_elog_list(LOGBOOK * lbs, INT p add_subst_time(lbs, (char (*)[NAME_LENGTH]) slist, (char (*)[NAME_LENGTH]) svalue, "entry time", date, &j); - strsubst(str, (char (*)[NAME_LENGTH]) slist, (char (*)[NAME_LENGTH]) svalue, j); + strsubst(str, sizeof(str), (char (*)[NAME_LENGTH]) slist, (char (*)[NAME_LENGTH]) svalue, j); setparam(attr_list[i], str); } 
@@ -15322,7 +15333,7 @@ void show_elog_list(LOGBOOK * lbs, INT p add_subst_time(lbs, (char (*)[NAME_LENGTH]) slist, (char (*)[NAME_LENGTH]) svalue, "entry time", date, &j); - strsubst(str, (char (*)[NAME_LENGTH]) slist, (char (*)[NAME_LENGTH]) svalue, j); + strsubst(str, sizeof(str), (char (*)[NAME_LENGTH]) slist, (char (*)[NAME_LENGTH]) svalue, j); setparam(attr_list[i], str); } @@ -15495,7 +15506,7 @@ void show_elog_list(LOGBOOK * lbs, INT p if (getcfg(lbs->name, "Summary Page Title", str, sizeof(str))) { i = build_subst_list(lbs, (char (*)[NAME_LENGTH]) slist, (char (*)[NAME_LENGTH]) svalue, NULL, TRUE); - strsubst(str, (char (*)[NAME_LENGTH]) slist, (char (*)[NAME_LENGTH]) svalue, i); + strsubst(str, sizeof(str), (char (*)[NAME_LENGTH]) slist, (char (*)[NAME_LENGTH]) svalue, i); strip_html(str); } else sprintf(str, "ELOG %s", lbs->name); @@ -16329,7 +16340,7 @@ int compose_email(LOGBOOK * lbs, char *m j = build_subst_list(lbs, slist, svalue, attrib, TRUE); sprintf(str, "%d", message_id); add_subst_list(slist, svalue, "message id", str, &j); - strsubst(subject, slist, svalue, j); + strsubst(subject, sizeof(subject), slist, svalue, j); } else { if (old_mail) strcpy(subject, "Updated ELOG entry"); @@ -16432,7 +16443,7 @@ int execute_shell(LOGBOOK * lbs, int mes i = build_subst_list(lbs, slist, svalue, attrib, TRUE); sprintf(str, "%d", message_id); add_subst_list(slist, svalue, "message id", str, &i); - strsubst(shell_cmd, slist, svalue, i); + strsubst(shell_cmd, sizeof(shell_cmd), slist, svalue, i); write_logfile(lbs, "SHELL \"%s\"", shell_cmd); 
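Review bot: For `shell_cmd` in the execute_shell hunk (`@@ -16432`), the bounded `strsubst` trades an overflow for silent truncation, and a truncated command line is a different command. `strsubst` returns `void`, so execute_shell cannot tell that the result was cut, or that the early `return` in strsubst left the `$name` placeholders in place. Returning a status from `strsubst` and skipping the command with a log entry on failure would close that gap. The substituted attribute values also reach the command text with no quoting visible in this hunk; the rest of execute_shell is outside it, so confirm they are escaped before the command is run.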
@@ -16619,7 +16630,7 @@ int set_attributes(LOGBOOK * lbs, char a void submit_elog(LOGBOOK * lbs) { - char str[1000], str2[1000], file_name[256], error[1000], date[80], + char str[NAME_LENGTH], str2[NAME_LENGTH], file_name[256], error[1000], date[80], mail_list[MAX_N_LIST][NAME_LENGTH], list[10000], *p, attrib[MAX_N_ATTR][NAME_LENGTH], subst_str[MAX_PATH_LENGTH], in_reply_to[80], reply_to[MAX_REPLY_TO * 10], user[256], user_email[256], @@ -16855,7 +16866,7 @@ void submit_elog(LOGBOOK * lbs) if (!*getparam("edit_id")) { sprintf(str, "Subst %s", attr_list[i]); if (getcfg(lbs->name, str, subst_str, sizeof(subst_str))) { - strsubst(subst_str, slist, svalue, n); + strsubst(subst_str, sizeof(subst_str), slist, svalue, n); strcpy(attrib[i], subst_str); } } @@ -16987,7 +16998,7 @@ void submit_elog(LOGBOOK * lbs) sprintf(str, "%d", message_id); add_subst_list(slist, svalue, "message id", str, &j); add_subst_time(lbs, slist, svalue, "entry time", date, &j); - strsubst(mail_list[i], slist, svalue, j); + strsubst(mail_list[i], NAME_LENGTH, slist, svalue, j); /* remove possible 'mailto:' */ if ((p = strstr(mail_list[i], "mailto:")) != NULL) @@ -17360,9 +17371,9 @@ void show_elog_entry(LOGBOOK * lbs, char int size, i, j, n, n_log, status, fh, length, message_error, index, n_hidden, message_id, orig_message_id, format_flags[MAX_N_ATTR], att_hide[MAX_ATTACHMENTS], n_attachments, n_lines; - char str[1000], ref[256], file_enc[256], attrib[MAX_N_ATTR][NAME_LENGTH]; + char str[2*NAME_LENGTH], ref[256], file_enc[256], attrib[MAX_N_ATTR][NAME_LENGTH]; char date[80], text[TEXT_SIZE], menu_str[1000], cmd[256], cmd_enc[256], - orig_tag[80], reply_tag[MAX_REPLY_TO * 10], display[256], + orig_tag[80], reply_tag[MAX_REPLY_TO * 10], display[NAME_LENGTH], attachment[MAX_ATTACHMENTS][MAX_PATH_LENGTH], encoding[80], locked_by[256], att[256], lattr[256], mid[80], menu_item[MAX_N_LIST][NAME_LENGTH], format[80], slist[MAX_N_ATTR + 10][NAME_LENGTH], file_name[MAX_PATH_LENGTH], 
@@ -17537,7 +17548,7 @@ void show_elog_entry(LOGBOOK * lbs, char sprintf(mid, "%d", message_id); add_subst_list(slist, svalue, "message id", mid, &i); add_subst_time(lbs, slist, svalue, "entry time", date, &i); - strsubst(str, slist, svalue, i); + strsubst(str, sizeof(str), slist, svalue, i); strip_html(str); } else strcpy(str, "ELOG"); @@ -17780,7 +17791,7 @@ void show_elog_entry(LOGBOOK * lbs, char add_subst_time(lbs, (char (*)[NAME_LENGTH]) slist, (char (*)[NAME_LENGTH]) svalue, "entry time", date, &j); - strsubst(display, (char (*)[NAME_LENGTH]) slist, (char (*)[NAME_LENGTH]) svalue, j); + strsubst(display, sizeof(display), (char (*)[NAME_LENGTH]) slist, (char (*)[NAME_LENGTH]) svalue, j); } else sprintf(display, "%d", message_id); @@ -17961,7 +17972,7 @@ void show_elog_entry(LOGBOOK * lbs, char add_subst_time(lbs, (char (*)[NAME_LENGTH]) slist, (char (*)[NAME_LENGTH]) svalue, "entry time", date, &j); - strsubst(display, (char (*)[NAME_LENGTH]) slist, (char (*)[NAME_LENGTH]) svalue, j); + strsubst(display, sizeof(display), (char (*)[NAME_LENGTH]) slist, (char (*)[NAME_LENGTH]) svalue, j); } else strcpy(display, attrib[i]); @@ -18764,7 +18775,7 @@ void show_logbook_node(LBLIST plb, LBLIS sprintf(mid, "%d", message_id); add_subst_list(slist, svalue, "message id", mid, &j); add_subst_time(&lb_list[index], slist, svalue, "entry time", date, &j); - strsubst(str, slist, svalue, j); + strsubst(str, sizeof(str), slist, svalue, j); rsputs(str); } rsprintf("\n"); -- 1.1.3