author | cinap_lenrek <cinap_lenrek@felloff.net> | 2014-11-07 12:51:59 +0100 |
---|---|---|
committer | cinap_lenrek <cinap_lenrek@felloff.net> | 2014-11-07 12:51:59 +0100 |
commit | 797cc13c7053dbdd16c20dc4dee5aee8c92390b0 (patch) | |
tree | 5aa7a00f0edeb1d2938d2dff116ee37f2570e8a5 /sys/src/cmd/ip/traceroute.c | |
parent | 5364fa720de3b963a88dc4810ed83b4f2ab11d12 (diff) |
fix dangerous werrstr() usages
werrstr() takes a format string as its first argument.
a common error is to pass user controlled string buffers
into werrstr() that might contain format string escapes
causing werrstr() to take bogus arguments from the stack
and crash.
so instead of doing:
werrstr(buf);
we want to do:
werrstr("%s", buf);
or if we have a local ERRMAX sized buffer that we can override:
errstr(buf, sizeof buf);
Diffstat (limited to 'sys/src/cmd/ip/traceroute.c')
-rw-r--r-- | sys/src/cmd/ip/traceroute.c | 22 |
1 files changed, 12 insertions, 10 deletions
diff --git a/sys/src/cmd/ip/traceroute.c b/sys/src/cmd/ip/traceroute.c
index 33b6678b2..3113d6ded 100644
--- a/sys/src/cmd/ip/traceroute.c
+++ b/sys/src/cmd/ip/traceroute.c
@@ -140,8 +140,7 @@ static int
 udpprobe(int cfd, int dfd, char *dest, int interval)
 {
 int n, i, rv;
- char msg[Maxstring];
- char err[Maxstring];
+ char msg[Maxstring], err[ERRMAX];
 seek(cfd, 0, 0);
 n = snprint(msg, sizeof msg, "connect %s", dest);
@@ -166,12 +165,13 @@ udpprobe(int cfd, int dfd, char *dest, int interval)
 rv = 0;
 break;
 }
+ *err = 0;
 errstr(err, sizeof err);
- if(strstr(err, "alarm") == 0){
- werrstr(err);
+ if(strcmp(err, "interrupted") != 0){
+ errstr(err, sizeof err);
 break;
 }
- werrstr(err);
+ errstr(err, sizeof err);
 }
 alarm(0);
 return rv;
@@ -185,7 +185,7 @@ static int
 icmpprobe(int cfd, int dfd, char *dest, int interval)
 {
 int x, i, n, len, rv;
- char buf[512], err[Maxstring], msg[Maxstring];
+ char buf[512], err[ERRMAX], msg[Maxstring];
 Icmphdr *ip;
 seek(cfd, 0, 0);
@@ -212,12 +212,13 @@ icmpprobe(int cfd, int dfd, char *dest, int interval)
 n = read(dfd, buf, sizeof(buf));
 alarm(0);
 if(n < 0){
+ *err = 0;
 errstr(err, sizeof err);
- if(strstr(err, "alarm") == 0){
- werrstr(err);
+ if(strcmp(err, "interrupted") != 0){
+ errstr(err, sizeof err);
 break;
 }
- werrstr(err);
+ errstr(err, sizeof err);
 continue;
 }
 x = (ip->seq[1]<<8) | ip->seq[0];
@@ -337,7 +338,7 @@ main(int argc, char **argv)
 long *t;
 char *net, *p;
 char clone[Maxpath], dest[Maxstring], hop[Maxstring], dom[Maxstring];
- char err[Maxstring];
+ char err[ERRMAX];
 DS ds;
 buckets = 0;
@@ -396,6 +397,7 @@ main(int argc, char **argv)
 done = 1;
 continue;
 }
+ *err = 0;
 errstr(err, sizeof err);
 if(strstr(err, "refused")){
 strcpy(hop, dest); |
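Review bot: The timeout test in the second udpprobe hunk (@@ -166,12 +165,13 @@) changes from a substring match on "alarm" to an exact `strcmp(err, "interrupted") != 0`, a behaviour change that the commit description, which is only about werrstr() format strings, does not cover, and nothing in the code says why that literal is the right one. Presumably a read cut short by alarm() fails with exactly that error string; if so, a comment above the test such as `/* read interrupted by alarm(): timed out, retry; any other error is fatal */` would record it. The identical test is added in the icmpprobe hunk (@@ -212,12 +213 @@ region), where the same comment applies. Both retry loops start outside their hunks.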
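Review bot: The added `*err = 0;` ahead of `errstr(err, sizeof err);` in the last main hunk (@@ -396,6 +397,7 @@), and likewise in the udpprobe and icmpprobe hunks, carries no comment, and a reader who does not know that errstr() exchanges the buffer with the process error string may remove it as redundant. Without the clear, whatever `err` held beforehand would be installed as the error string. A one-line comment would do: `/* errstr() swaps: start empty so the error string is cleared, not set to stale buffer contents */`. main's body continues outside the hunk.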