tReally fix the format string exploit against the Win32 server this time, and f… | |
--- | |
commit 30f0d92bee92b1b53dbd636392685c32cd8efe5f | |
parent ebaf2ad8dadfe0f5536c707508a811c8634cd732 | |
Author: Ben Webb <[email protected]> | |
Date: Fri, 30 Dec 2005 21:26:13 +0000 | |
Really fix the format string exploit against the Win32 server this time, | |
and for good measure audit all other uses of the g_print() function. Replace | |
some fprintf calls with fputs for additional safety. | |
Diffstat: | |
M ChangeLog | 4 ++++ | |
M src/configfile.c | 12 ++++++------ | |
M src/dopewars.c | 5 ++--- | |
M src/log.c | 3 +-- | |
M src/serverside.c | 7 ++++--- | |
M src/tstring.c | 2 +- | |
M src/winmain.c | 5 ++--- | |
7 files changed, 20 insertions(+), 18 deletions(-) | |
--- | |
diff --git a/ChangeLog b/ChangeLog | |
t@@ -1,3 +1,7 @@ | |
+1.5.12 30-12-2005 | |
+ - Really fix a potential exploit against the Win32 server when running as | |
+ an NT service (user data was being used as a format string in some cases… | |
+ | |
1.5.11 30-12-2005 | |
- Add example configuration file to the documentation. | |
- Fixed various typos in the German translation (thanks to Jens Seidel | |
diff --git a/src/configfile.c b/src/configfile.c | |
t@@ -119,7 +119,7 @@ static void WriteConfigValue(FILE *fp, Converter *conv, in… | |
*GetGlobalString(GlobalIndex, StructIndex), -1); | |
PrintEscaped(fp, convstr); | |
g_free(convstr); | |
- fprintf(fp, "\"\n"); | |
+ fputs("\"\n", fp); | |
} else if (Globals[GlobalIndex].StringList) { | |
int i; | |
gchar *convstr; | |
t@@ -127,7 +127,7 @@ static void WriteConfigValue(FILE *fp, Converter *conv, in… | |
fprintf(fp, "%s = { ", GlobalName); | |
for (i = 0; i < *Globals[GlobalIndex].MaxIndex; i++) { | |
if (i > 0) | |
- fprintf(fp, ", "); | |
+ fputs(", ", fp); | |
fputc('"', fp); | |
convstr = Conv_ToExternal(conv, | |
(*Globals[GlobalIndex].StringList)[i], -1); | |
t@@ -135,7 +135,7 @@ static void WriteConfigValue(FILE *fp, Converter *conv, in… | |
g_free(convstr); | |
fputc('"', fp); | |
} | |
- fprintf(fp, " }\n"); | |
+ fputs(" }\n", fp); | |
} | |
if (Globals[GlobalIndex].NameStruct[0]) | |
t@@ -182,9 +182,9 @@ static void ReadFileToString(FILE *fp, gchar *str, int mat… | |
rewind(fp); | |
ftruncate(fileno(fp), 0); | |
- fprintf(fp, file->str); | |
+ fputs(file->str, fp); | |
- fprintf(fp, str); | |
+ fputs(str, fp); | |
g_string_free(file, TRUE); | |
} | |
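Review bot: The results of `ftruncate(fileno(fp), 0)` and of the two `fputs` calls are ignored, so a failed truncate or a short write can leave the configuration file with a stale tail or only part of its contents, and the caller is never told. Moving from `fprintf` to `fputs` stops `file->str` and `str` being parsed as format strings, but the rewrite itself is still unchecked. Test each call, e.g. `if (ftruncate(fileno(fp), 0) != 0 || fputs(file->str, fp) == EOF || fputs(str, fp) == EOF) { /* report the write failure */ }`. The enclosing function starts above the hunk, so how it reports errors to its caller is not visible here.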
t@@ -201,7 +201,7 @@ static void WriteConfigFile(FILE *fp, gboolean ForceUTF8) | |
if (ForceUTF8 && !IsConfigFileUTF8()) { | |
g_free(LocalCfgEncoding); | |
LocalCfgEncoding = g_strdup("UTF-8"); | |
- fprintf(fp, "encoding \"UTF-8\"\n"); | |
+ fputs("encoding \"UTF-8\"\n", fp); | |
} | |
if (LocalCfgEncoding && LocalCfgEncoding[0]) { | |
diff --git a/src/dopewars.c b/src/dopewars.c | |
t@@ -2157,7 +2157,7 @@ void PrintConfigValue(int GlobalIndex, int StructIndex, | |
} | |
g_string_append(text, " }\n"); | |
- g_print(text->str); | |
+ g_print("%s", text->str); | |
g_string_free(text, TRUE); | |
} | |
} | |
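Review bot: Nothing guards against the one-argument `g_print(text->str)` pattern coming back. The same call is corrected here, in DefaultLogMessage below, in ServerReply (src/serverside.c), in dpg_print (src/tstring.c) and in ServerLogMessage (src/winmain.c). GLib declares g_print with a printf format attribute, so building with `-Wformat -Wformat-security` (ideally `-Werror=format-security`) would make the compiler reject a non-literal format passed with no arguments. The build flags are not shown on this page, so treat this as a suggestion to confirm rather than a finding. PrintConfigValue starts above the hunk.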
t@@ -2950,8 +2950,7 @@ static void DefaultLogMessage(const gchar *log_domain, | |
text = GetLogString(log_level, message); | |
if (text) { | |
- g_string_append(text, "\n"); | |
- g_print(text->str); | |
+ g_print("%s\n", text->str); | |
g_string_free(text, TRUE); | |
} | |
} | |
diff --git a/src/log.c b/src/log.c | |
t@@ -50,8 +50,7 @@ void dopelog(const int loglevel, const LogFlags flags, | |
return; | |
va_start(args, format); | |
- g_logv(G_LOG_DOMAIN, 1 << (loglevel + G_LOG_LEVEL_USER_SHIFT), format, | |
- args); | |
+ g_logv(G_LOG_DOMAIN, 1 << (loglevel + G_LOG_LEVEL_USER_SHIFT), format, args); | |
va_end(args); | |
#ifdef HAVE_SYSLOG_H | |
diff --git a/src/serverside.c b/src/serverside.c | |
t@@ -737,7 +737,7 @@ void PrintHelpTo(FILE *fp) | |
} | |
fprintf(fp, "%-26s %s\n", VarName->str, _(Globals[i].Help)); | |
} | |
- fprintf(fp, "\n\n"); | |
+ fputs("\n\n", fp); | |
g_string_free(VarName, TRUE); | |
} | |
t@@ -780,8 +780,9 @@ static void ServerReply(const gchar *msg) | |
QueueMessageForSend(reply_netbuf, msgcp); | |
g_free(msgcp); | |
} | |
- } else | |
- g_print(msg); | |
+ } else { | |
+ g_print("%s", msg); | |
+ } | |
} | |
/* | |
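Review bot: The `else` branch now prints `msg` as data, but nothing in the function records why the `"%s"` is required. According to the ChangeLog entry in this commit, user data was reaching a format string when the Win32 server ran as an NT service. A comment above the call would keep a later cleanup from collapsing it back, e.g. `/* msg may contain client-supplied text: print it as data, never as the format */`. ServerReply begins above the hunk, so the branch that queues `msgcp` for sending is only partly visible.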
diff --git a/src/tstring.c b/src/tstring.c | |
t@@ -277,7 +277,7 @@ void dpg_print(gchar *format, ...) | |
va_start(ap, format); | |
retstr = HandleTFmt(format, ap); | |
va_end(ap); | |
- g_print(retstr); | |
+ g_print("%s", retstr); | |
g_free(retstr); | |
} | |
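Review bot: `format` is still interpreted as a format string by `HandleTFmt(format, ap)`; the new `g_print("%s", retstr)` only stops the already-expanded result being parsed a second time. The function's contract should say that callers pass a trusted, literal format and put any player- or network-supplied text in the arguments, e.g. `/* format must be a trusted literal; untrusted text goes in the varargs */`. The parameter could also become `const gchar *format` if HandleTFmt accepts that; its prototype is not shown here. The start of dpg_print is outside the hunk.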
diff --git a/src/winmain.c b/src/winmain.c | |
t@@ -62,8 +62,7 @@ static void ServerLogMessage(const gchar *log_domain, | |
text = GetLogString(log_level, message); | |
if (text) { | |
- g_string_append(text, "\n"); | |
- g_print(text->str); | |
+ g_print("%s\n", text->str); | |
g_string_free(text, TRUE); | |
} | |
} | |
t@@ -112,7 +111,7 @@ static void LogFileStart() | |
static void LogFilePrintFunc(const gchar *string) | |
{ | |
if (LogFile) { | |
- fprintf(LogFile, "%s", string); | |
+ fputs(string, LogFile); | |
fflush(LogFile); | |
} | |
} |