45 строки
1.4 KiB
Diff
45 строки
1.4 KiB
Diff
From arpwatch 3.1, backport the fix for the potentially-exploitable buffer
|
|
overflow reported in https://bugzilla.redhat.com/show_bug.cgi?id=1563939.
|
|
|
|
Increase the length of the h field of struct einfo to 64 (63 bytes for a DNS
|
|
name part, and one byte for a null terminator); then, use strncpy() plus
|
|
explicit null termination to ensure that we truncate a longer hostname if we
|
|
manage to get one, without either overflowing the buffer or having an
|
|
unterminated string.
|
|
|
|
diff -Naur arpwatch-2.1a15.original/db.c arpwatch-2.1a15/db.c
|
|
--- arpwatch-2.1a15.original/db.c 2000-09-30 19:39:58.000000000 -0400
|
|
+++ arpwatch-2.1a15/db.c 2020-10-27 12:50:49.803957083 -0400
|
|
@@ -62,7 +62,7 @@
|
|
/* Ethernet info */
|
|
struct einfo {
|
|
u_char e[6]; /* ether address */
|
|
- char h[34]; /* simple hostname */
|
|
+ char h[64]; /* simple hostname */
|
|
time_t t; /* timestamp */
|
|
};
|
|
|
|
@@ -283,8 +283,10 @@
|
|
BCOPY(e, ep->e, 6);
|
|
if (h == NULL && !initializing)
|
|
h = getsname(a);
|
|
- if (h != NULL && !isdigit((int)*h))
|
|
- strcpy(ep->h, h);
|
|
+ if (h != NULL && !isdigit((int)*h)) {
|
|
+ strncpy(ep->h, h, sizeof(ep->h));
|
|
+ ep->h[sizeof(ep->h) - 1] = '\0';
|
|
+ }
|
|
ep->t = t;
|
|
return (ep);
|
|
}
|
|
@@ -304,7 +306,8 @@
|
|
if (!isdigit((int)*h) && strcmp(h, ep->h) != 0) {
|
|
syslog(LOG_INFO, "hostname changed %s %s %s -> %s",
|
|
intoa(ap->a), e2str(ep->e), ep->h, h);
|
|
- strcpy(ep->h, h);
|
|
+ strncpy(ep->h, h, sizeof(ep->h));
|
|
+ ep->h[sizeof(ep->h) - 1] = '\0';
|
|
}
|
|
}
|
|
|