- scanf format length fix (non exploitable?) from Fabian Hugelshofer

<hugelshofer2006@gmx.ch> - URL tag changed to http://net-tools.berlios.de/
2009-07-08 13:28:27 +00:00 · 2009-07-08 13:28:27 +00:00 · bf613f1929
commit bf613f1929
parent a7a4365096
2 changed files with 148 additions and 2 deletions
--- a/net-tools-1.60-scanf-format.patch
+++ b/net-tools-1.60-scanf-format.patch
@ -0,0 +1,140 @@
+diff -up net-tools-1.60/arp.c.scanf-format net-tools-1.60/arp.c
+--- net-tools-1.60/arp.c.scanf-format	2009-07-08 11:17:09.000000000 +0200
+++ net-tools-1.60/arp.c	2009-07-08 11:43:39.000000000 +0200
+@@ -557,7 +557,7 @@ static int arp_show(char *name)
+ 	/* Read the ARP cache entries. */
+ 	for (num = 0; num < entries; num++) {
+ 	    fgets(line, sizeof(line), fp);
+-	    if (sscanf(line, "%s 0x%x 0x%x %100s %100s %100s\n",
+	    if (sscanf(line, "%s 0x%x 0x%x %99s %99s %99s\n",
+ 			 ip, &type, &flags, hwa, mask, dev) < 4)
+ 		break;
+ 
+diff -up net-tools-1.60/lib/inet_gr.c.scanf-format net-tools-1.60/lib/inet_gr.c
+--- net-tools-1.60/lib/inet_gr.c.scanf-format	2000-10-28 12:59:42.000000000 +0200
+++ net-tools-1.60/lib/inet_gr.c	2009-07-08 11:49:59.000000000 +0200
+@@ -38,7 +38,7 @@ extern char *INET_sprintmask(struct sock
+ 
+ int rprint_fib(int ext, int numeric)
+ {
+-    char buff[1024], iface[16], flags[64];
+    char buff[1024], iface[17], flags[64];
+     char gate_addr[128], net_addr[128];
+     char mask_addr[128];
+     int num, iflags, metric, refcnt, use, mss, window, irtt;
+@@ -69,18 +69,18 @@ int rprint_fib(int ext, int numeric)
+ 
+     fmt = proc_gen_fmt(_PATH_PROCNET_ROUTE, 0, fp,
+ 		       "Iface", "%16s",
+-		       "Destination", "%128s",
+-		       "Gateway", "%128s",
+		       "Destination", "%127s",
+		       "Gateway", "%127s",
+ 		       "Flags", "%X",
+ 		       "RefCnt", "%d",
+ 		       "Use", "%d",
+ 		       "Metric", "%d",
+-		       "Mask", "%128s",
+		       "Mask", "%127s",
+ 		       "MTU", "%d",
+ 		       "Window", "%d",
+ 		       "IRTT", "%d",
+ 		       NULL);
+-    /* "%16s %128s %128s %X %d %d %d %128s %d %d %d\n" */
+    /* "%16s %127s %127s %X %d %d %d %127s %d %d %d\n" */
+ 
+     if (!fmt)
+ 	return 1;
+@@ -205,7 +205,7 @@ int rprint_fib(int ext, int numeric)
+ 
+ int rprint_cache(int ext, int numeric)
+ {
+-    char buff[1024], iface[16], flags[64];
+    char buff[1024], iface[17], flags[64];
+     char gate_addr[128], dest_addr[128], specdst[128];
+     char src_addr[128];
+     struct sockaddr snet;
+@@ -269,20 +269,20 @@ int rprint_cache(int ext, int numeric)
+ 
+       fmt = proc_gen_fmt(_PATH_PROCNET_RTCACHE, 0, fp,
+ 		       "Iface", "%16s",
+-		       "Destination", "%128s",
+-		       "Gateway", "%128s",
+		       "Destination", "%127s",
+		       "Gateway", "%127s",
+ 		       "Flags", "%X",
+ 		       "RefCnt", "%d",
+ 		       "Use", "%d",
+ 		       "Metric", "%d",
+-		       "Source", "%128s",
+		       "Source", "%127s",
+ 		       "MTU", "%d",
+ 		       "Window", "%d",
+ 		       "IRTT", "%d",
+ 		       "HH", "%d",
+ 		       "ARP", "%d",
+ 		       NULL);
+-      /* "%16s %128s %128s %X %d %d %d %128s %d %d %d %d %d\n" */
+      /* "%16s %127s %127s %X %d %d %d %127s %d %d %d %d %d\n" */
+     }
+ 
+     if (format == 2) {
+@@ -292,13 +292,13 @@ int rprint_cache(int ext, int numeric)
+ 		 "MSS   Window irtt  TOS HHRef HHUptod     SpecDst\n"));
+         fmt = proc_gen_fmt(_PATH_PROCNET_RTCACHE, 0, fp,
+ 		       "Iface", "%16s",
+-		       "Destination", "%128s",
+-		       "Gateway", "%128s",
+		       "Destination", "%127s",
+		       "Gateway", "%127s",
+ 		       "Flags", "%X",
+ 		       "RefCnt", "%d",
+ 		       "Use", "%d",
+ 		       "Metric", "%d",
+-		       "Source", "%128s",
+		       "Source", "%127s",
+ 		       "MTU", "%d",
+ 		       "Window", "%d",
+ 		       "IRTT", "%d",
+@@ -307,7 +307,7 @@ int rprint_cache(int ext, int numeric)
+ 		       "HHUptod", "%d",
+ 		       "SpecDst", "%128s",
+ 		       NULL);
+-      /* "%16s %128s %128s %X %d %d %d %128s %d %d %d %d %d %128s\n" */
+      /* "%16s %127s %127s %X %d %d %d %127s %d %d %d %d %d %128s\n" */
+     }
+ 
+ 
+diff -up net-tools-1.60/lib/interface.c.scanf-format net-tools-1.60/lib/interface.c
+--- net-tools-1.60/lib/interface.c.scanf-format	2009-07-08 11:17:09.000000000 +0200
+++ net-tools-1.60/lib/interface.c	2009-07-08 11:45:44.000000000 +0200
+@@ -713,7 +713,7 @@ void ife_print_long(struct interface *pt
+ #endif
+ #if HAVE_AFINET6
+     FILE *f;
+-    char addr6[40], devname[20];
+    char addr6[40], devname[21];
+     struct sockaddr_in6 sap;
+     int plen, scope, dad_status, if_idx;
+     extern struct aftype inet6_aftype;
+diff -up net-tools-1.60/netstat.c.scanf-format net-tools-1.60/netstat.c
+--- net-tools-1.60/netstat.c.scanf-format	2009-07-08 11:17:09.000000000 +0200
+++ net-tools-1.60/netstat.c	2009-07-08 11:42:12.000000000 +0200
+@@ -1105,7 +1105,7 @@ static void udp_do_one(int lnr, const ch
+ 
+     more[0] = '\0';
+     num = sscanf(line,
+-		 "%d: %64[0-9A-Fa-f]:%X %64[0-9A-Fa-f]:%X %X %lX:%lX %X:%lX %lX %d %d %lu %512s\n",
+		 "%d: %64[0-9A-Fa-f]:%X %64[0-9A-Fa-f]:%X %X %lX:%lX %X:%lX %lX %d %d %lu %511s\n",
+ 		 &d, local_addr, &local_port,
+ 		 rem_addr, &rem_port, &state,
+ 	  &txq, &rxq, &timer_run, &time_len, &retr, &uid, &timeout, &inode, more);
+@@ -1540,7 +1540,7 @@ static void raw_do_one(int lnr, const ch
+ 
+     more[0] = '\0';
+     num = sscanf(line,
+-		 "%d: %64[0-9A-Fa-f]:%X %64[0-9A-Fa-f]:%X %X %lX:%lX %X:%lX %lX %d %d %lu %512s\n",
+		 "%d: %64[0-9A-Fa-f]:%X %64[0-9A-Fa-f]:%X %X %lX:%lX %X:%lX %lX %d %d %lu %511s\n",
+ 		 &d, local_addr, &local_port, rem_addr, &rem_port, &state,
+ 	  &txq, &rxq, &timer_run, &time_len, &retr, &uid, &timeout, &inode, more);
+ 
--- a/net-tools.spec
+++ b/net-tools.spec
@ -3,10 +3,10 @@
 Summary: Basic networking tools
 Name: net-tools
 Version: 1.60
-Release: 92%{?dist}
+Release: 93%{?dist}
 License: GPL+
 Group: System Environment/Base
-URL: http://www.tazenda.demon.co.uk/phil/net-tools/
+URL: http://net-tools.berlios.de/
 Source0: http://www.tazenda.demon.co.uk/phil/net-tools/net-tools-%{version}.tar.bz2
 Source1: http://www.red-bean.com/~bos/netplug/netplug-%{npversion}.tar.bz2
 Source2: net-tools-%{version}-config.h
@ -82,6 +82,7 @@ Patch68: net-tools-1.60-a-option.patch
 Patch69: net-tools-1.60-clear-flag.patch
 Patch70: net-tools-1.60-metric-tunnel-man.patch
 Patch71: net-tools-1.60-netstat-probe.patch
+Patch72: net-tools-1.60-scanf-format.patch

 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires(post): /sbin/chkconfig
@ -164,6 +165,7 @@ ifconfig, netstat, route, and others.
 %patch69 -p1 -b .clear-flag
 %patch70 -p1 -b .metric-tunnel-man
 %patch71 -p1 -b .probe
+%patch72 -p1 -b .scanf-format

 cp %SOURCE2 ./config.h
 cp %SOURCE3 ./config.make
@ -279,6 +281,10 @@ exit 0
 %{_sysconfdir}/rc.d/init.d/netplugd

 %changelog
+* Wed Jul  8 2009  Jiri Popelka <jpopelka@redhat.com> - 1.60-93
+- scanf format length fix (non exploitable?) from Fabian Hugelshofer <hugelshofer2006@gmx.ch>
+- URL tag changed to http://net-tools.berlios.de/
+
 * Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.60-92
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild