From 573e86d7e9f0038044d5cba2a1a543e24b063a79 Mon Sep 17 00:00:00 2001
From: Aleksander Adamowski <olo@fb.com>
Date: Mon, 11 Jan 2016 15:26:41 -0800
Subject: [PATCH] Fix miscalculated buffer size and uses of size-unlimited
 sprintf() function.
Not sure if this results in an exploitable buffer overflow, probably not
since the int value is likely sanitized somewhere earlier and it's
being put through a bit mask shortly before being used.
Cherry-picked from: 13f5402c6b734ed4c2b3e8b7c3d3bf6d815e7661
Related: #1318994
---
 src/journal/journald-syslog.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/journal/journald-syslog.c b/src/journal/journald-syslog.c
923a60
index 8602b4a95d..b499a0d381 100644
923a60
--- a/src/journal/journald-syslog.c
923a60
+++ b/src/journal/journald-syslog.c
923a60
@@ -317,7 +317,7 @@ void server_process_syslog_message(
923a60
         size_t label_len) {
923a60
 
923a60
         char syslog_priority[sizeof("PRIORITY=") + DECIMAL_STR_MAX(int)],
923a60
-             syslog_facility[sizeof("SYSLOG_FACILITY") + DECIMAL_STR_MAX(int)];
923a60
+             syslog_facility[sizeof("SYSLOG_FACILITY=") + DECIMAL_STR_MAX(int)];
923a60
         const char *message = NULL, *syslog_identifier = NULL, *syslog_pid = NULL;
923a60
         struct iovec iovec[N_IOVEC_META_FIELDS + 6];
923a60
         unsigned n = 0;
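Review bot: The field prefix is still spelled twice, once in the `sizeof("SYSLOG_FACILITY=")` of this declaration and once in the format string that fills the buffer further down, and nothing in the new code ties the two together, which is how the one-byte mismatch arose in the first place. A short comment on the declaration would help the next editor, for example `/* Prefix literals must match the format strings used to fill these buffers; sizeof() counts the trailing NUL. */`. Because the writes are now bounded, a future mismatch would presumably show up as a silently truncated journal field rather than an overflow, so the comment is worth having even though the arithmetic is now right. The body of server_process_syslog_message starts before and continues after this hunk.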
923a60
@@ -348,11 +348,11 @@ void server_process_syslog_message(
923a60
 
923a60
         IOVEC_SET_STRING(iovec[n++], "_TRANSPORT=syslog");
923a60
 
923a60
-        sprintf(syslog_priority, "PRIORITY=%i", priority & LOG_PRIMASK);
923a60
+        snprintf(syslog_priority, sizeof(syslog_priority), "PRIORITY=%i", priority & LOG_PRIMASK);
923a60
         IOVEC_SET_STRING(iovec[n++], syslog_priority);
923a60
 
923a60
         if (priority & LOG_FACMASK) {
923a60
-                sprintf(syslog_facility, "SYSLOG_FACILITY=%i", LOG_FAC(priority));
923a60
+                snprintf(syslog_facility, sizeof(syslog_facility), "SYSLOG_FACILITY=%i", LOG_FAC(priority));
923a60
                 IOVEC_SET_STRING(iovec[n++], syslog_facility);
923a60
         }
923a60