diff options
author | Daniel Black <dragonheart@gentoo.org> | 2007-02-07 09:13:42 +0000 |
---|---|---|
committer | Daniel Black <dragonheart@gentoo.org> | 2007-02-07 09:13:42 +0000 |
commit | e9cf14d57186bb4e405587c52431d750d790d3b1 (patch) | |
tree | ce418bc4e487ffea3148d9c12eba787c88577181 /app-admin | |
parent | New upstream version (diff) | |
download | gentoo-2-e9cf14d57186bb4e405587c52431d750d790d3b1.tar.gz gentoo-2-e9cf14d57186bb4e405587c52431d750d790d3b1.tar.bz2 gentoo-2-e9cf14d57186bb4e405587c52431d750d790d3b1.zip |
added patch now too. thanks<analyzer> on #gentoo-bugs for bringing it to our attention
(Portage version: 2.1.2-r7)
Diffstat (limited to 'app-admin')
-rw-r--r-- | app-admin/ulogd/ChangeLog | 7 | ||||
-rw-r--r-- | app-admin/ulogd/files/glsa-200701.patch | 873 |
2 files changed, 879 insertions, 1 deletions
diff --git a/app-admin/ulogd/ChangeLog b/app-admin/ulogd/ChangeLog index 90439e3c2e5b..6ec969de10f4 100644 --- a/app-admin/ulogd/ChangeLog +++ b/app-admin/ulogd/ChangeLog @@ -1,6 +1,11 @@ # ChangeLog for app-admin/ulogd # Copyright 2002-2007 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/app-admin/ulogd/ChangeLog,v 1.42 2007/02/06 16:13:30 antarus Exp $ +# $Header: /var/cvsroot/gentoo-x86/app-admin/ulogd/ChangeLog,v 1.43 2007/02/07 09:13:42 dragonheart Exp $ + + 07 Feb 2007; Daniel Black <dragonheart@gentoo.org> + +files/glsa-200701.patch: + added patch now too. thanks<analyzer> on #gentoo-bugs for bringing it to our + attention *ulogd-1.23-r1 (06 Feb 2007) diff --git a/app-admin/ulogd/files/glsa-200701.patch b/app-admin/ulogd/files/glsa-200701.patch new file mode 100644 index 000000000000..2cf2776d4b36 --- /dev/null +++ b/app-admin/ulogd/files/glsa-200701.patch @@ -0,0 +1,873 @@ +--- extensions/printpkt.c ++++ extensions/printpkt.c 2007/01/08 18:20:04 +@@ -95,13 +95,17 @@ static struct intr_id intr_ids[INTR_IDS] + #define GET_VALUE(x) ulogd_keyh[intr_ids[x].id].interp->result[ulogd_keyh[intr_ids[x].id].offset].value + #define GET_FLAGS(x) ulogd_keyh[intr_ids[x].id].interp->result[ulogd_keyh[intr_ids[x].id].offset].flags + +-int printpkt_print(ulog_iret_t *res, char *buf, int prefix) ++int printpkt_print(ulog_iret_t *res, char *buf, size_t buf_siz, int prefix) + { + char *timestr; + char *tmp; + time_t now; + +- char *buf_cur = buf; ++ if( buf_siz) *buf = '\0'; ++ size_t buf_len = 0; ++ ++#define BUF_ADD(ptr, siz, off, fmt...) \ ++ snprintf(((ptr)+(off)), ((siz) > (off) ? (siz)-(off) : 0), ##fmt) + + if (prefix) { + now = (time_t) GET_VALUE(0).ui32; +@@ -116,127 +120,191 @@ int printpkt_print(ulog_iret_t *res, cha + *tmp = '\0'; + + /* print time and hostname */ +- buf_cur += sprintf(buf_cur, "%.15s %s", timestr, hostname); ++ buf_len = strlen(buf); ++ BUF_ADD(buf,buf_siz,buf_len, "%.15s %s", timestr, hostname); + } + + if (*(char *) GET_VALUE(1).ptr) +- buf_cur += sprintf(buf_cur, " %s", (char *) GET_VALUE(1).ptr); ++ { ++ buf_len = strlen(buf); ++ BUF_ADD(buf,buf_siz,buf_len, " %s", (char *) GET_VALUE(1).ptr); ++ } + +- buf_cur += sprintf(buf_cur," IN=%s OUT=%s ", +- (char *) GET_VALUE(2).ptr, +- (char *) GET_VALUE(3).ptr); ++ buf_len = strlen(buf); ++ BUF_ADD(buf,buf_siz,buf_len," IN=%s OUT=%s ", ++ (char *) GET_VALUE(2).ptr, ++ (char *) GET_VALUE(3).ptr); + + /* FIXME: configurable */ +- buf_cur += sprintf(buf_cur, "MAC=%s ", +- (GET_FLAGS(4) & ULOGD_RETF_VALID) ? (char *) GET_VALUE(4).ptr : ""); +- +- buf_cur += sprintf(buf_cur, "SRC=%s ", +- inet_ntoa((struct in_addr) {htonl(GET_VALUE(5).ui32)})); +- buf_cur += sprintf(buf_cur, "DST=%s ", +- inet_ntoa((struct in_addr) {htonl(GET_VALUE(6).ui32)})); +- +- buf_cur += sprintf(buf_cur,"LEN=%u TOS=%02X PREC=0x%02X TTL=%u ID=%u ", +- GET_VALUE(7).ui16, GET_VALUE(8).ui8 & IPTOS_TOS_MASK, +- GET_VALUE(8).ui8 & IPTOS_PREC_MASK, GET_VALUE(9).ui8, +- GET_VALUE(10).ui16); ++ buf_len = strlen(buf); ++ BUF_ADD(buf,buf_siz,buf_len, "MAC=%s ", ++ (GET_FLAGS(4) & ULOGD_RETF_VALID) ? (char *) GET_VALUE(4).ptr : ""); ++ ++ buf_len = strlen(buf); ++ BUF_ADD(buf,buf_siz,buf_len, "SRC=%s ", ++ inet_ntoa((struct in_addr) {htonl(GET_VALUE(5).ui32)})); ++ ++ buf_len = strlen(buf); ++ BUF_ADD(buf,buf_siz,buf_len, "DST=%s ", ++ inet_ntoa((struct in_addr) {htonl(GET_VALUE(6).ui32)})); ++ ++ buf_len = strlen(buf); ++ BUF_ADD(buf,buf_siz,buf_len, ++ "LEN=%u TOS=%02X PREC=0x%02X TTL=%u ID=%u ", ++ GET_VALUE(7).ui16, GET_VALUE(8).ui8 & IPTOS_TOS_MASK, ++ GET_VALUE(8).ui8 & IPTOS_PREC_MASK, GET_VALUE(9).ui8, ++ GET_VALUE(10).ui16); + + if (GET_VALUE(10).ui16 & IP_RF) +- buf_cur += sprintf(buf_cur, "CE "); ++ { ++ buf_len = strlen(buf); ++ BUF_ADD(buf,buf_siz,buf_len, "CE "); ++ } + + if (GET_VALUE(11).ui16 & IP_DF) +- buf_cur += sprintf(buf_cur, "DF "); ++ { ++ buf_len = strlen(buf); ++ BUF_ADD(buf,buf_siz,buf_len, "DF "); ++ } + + if (GET_VALUE(11).ui16 & IP_MF) +- buf_cur += sprintf(buf_cur, "MF "); ++ { ++ buf_len = strlen(buf); ++ BUF_ADD(buf,buf_siz,buf_len, "MF "); ++ } + + if (GET_VALUE(11).ui16 & IP_OFFMASK) +- buf_cur += sprintf(buf_cur, "FRAG:%u ", ++ { ++ buf_len = strlen(buf); ++ BUF_ADD(buf,buf_siz,buf_len, "FRAG:%u ", + GET_VALUE(11).ui16 & IP_OFFMASK); ++ } + + switch (GET_VALUE(12).ui8) { + + case IPPROTO_TCP: +- buf_cur += sprintf(buf_cur, "PROTO=TCP "); +- buf_cur += sprintf(buf_cur, "SPT=%u DPT=%u ", +- GET_VALUE(13).ui16, GET_VALUE(14).ui16); ++ buf_len = strlen(buf); ++ BUF_ADD(buf,buf_siz,buf_len, "PROTO=TCP "); ++ buf_len = strlen(buf); ++ BUF_ADD(buf,buf_siz,buf_len, "SPT=%u DPT=%u ", ++ GET_VALUE(13).ui16, GET_VALUE(14).ui16); + /* FIXME: config */ +- buf_cur += sprintf(buf_cur, "SEQ=%u ACK=%u ", +- GET_VALUE(15).ui32, GET_VALUE(16).ui32); +- +- buf_cur += sprintf(buf_cur, "WINDOW=%u ", GET_VALUE(17).ui16); ++ buf_len = strlen(buf); ++ BUF_ADD(buf,buf_siz,buf_len, "SEQ=%u ACK=%u ", ++ GET_VALUE(15).ui32, GET_VALUE(16).ui32); ++ ++ buf_len = strlen(buf); ++ BUF_ADD(buf,buf_siz,buf_len, ++ "WINDOW=%u ", GET_VALUE(17).ui16); + +-// buf_cur += sprintf(buf_cur, "RES=0x%02x ", ++// buf_len = strlen(buf); ++// BUF_ADD(buf,buf_siz,buf_len, "RES=0x%02x ", + + if (GET_VALUE(18).b) +- buf_cur += sprintf(buf_cur, "URG "); ++ { ++ buf_len = strlen(buf); ++ BUF_ADD(buf,buf_siz,buf_len, "URG "); ++ } + + if (GET_VALUE(19).b) +- buf_cur += sprintf(buf_cur, "ACK "); ++ { ++ buf_len = strlen(buf); ++ BUF_ADD(buf,buf_siz,buf_len, "ACK "); ++ } + + if (GET_VALUE(20).b) +- buf_cur += sprintf(buf_cur, "PSH "); ++ { ++ buf_len = strlen(buf); ++ BUF_ADD(buf,buf_siz,buf_len, "PSH "); ++ } + + if (GET_VALUE(21).b) +- buf_cur += sprintf(buf_cur, "RST "); ++ { ++ buf_len = strlen(buf); ++ BUF_ADD(buf,buf_siz,buf_len, "RST "); ++ } + + if (GET_VALUE(22).b) +- buf_cur += sprintf(buf_cur, "SYN "); ++ { ++ buf_len = strlen(buf); ++ BUF_ADD(buf,buf_siz,buf_len, "SYN "); ++ } + + if (GET_VALUE(23).b) +- buf_cur += sprintf(buf_cur, "FIN "); ++ { ++ buf_len = strlen(buf); ++ BUF_ADD(buf,buf_siz,buf_len, "FIN "); ++ } + +- buf_cur += sprintf(buf_cur, "URGP=%u ", GET_VALUE(24).ui16); ++ buf_len = strlen(buf); ++ BUF_ADD(buf,buf_siz,buf_len, "URGP=%u ", GET_VALUE(24).ui16); + + break; + case IPPROTO_UDP: + +- buf_cur += sprintf(buf_cur, "PROTO=UDP "); ++ buf_len = strlen(buf); ++ BUF_ADD(buf,buf_siz,buf_len, "PROTO=UDP "); + +- buf_cur += sprintf(buf_cur, "SPT=%u DPT=%u LEN=%u ", ++ buf_len = strlen(buf); ++ BUF_ADD(buf,buf_siz,buf_len, "SPT=%u DPT=%u LEN=%u ", + GET_VALUE(25).ui16, GET_VALUE(26).ui16, + GET_VALUE(27).ui16); + break; + case IPPROTO_ICMP: + +- buf_cur += sprintf(buf_cur, "PROTO=ICMP "); ++ buf_len = strlen(buf); ++ BUF_ADD(buf,buf_siz,buf_len, "PROTO=ICMP "); + +- buf_cur += sprintf(buf_cur, "TYPE=%u CODE=%u ", ++ buf_len = strlen(buf); ++ BUF_ADD(buf,buf_siz,buf_len, "TYPE=%u CODE=%u ", + GET_VALUE(28).ui8, GET_VALUE(29).ui8); + + switch (GET_VALUE(28).ui8) { + case ICMP_ECHO: + case ICMP_ECHOREPLY: +- buf_cur += sprintf(buf_cur, "ID=%u SEQ=%u ", ++ buf_len = strlen(buf); ++ BUF_ADD(buf,buf_siz,buf_len, "ID=%u SEQ=%u ", + GET_VALUE(30).ui16, + GET_VALUE(31).ui16); + break; + case ICMP_PARAMETERPROB: +- buf_cur += sprintf(buf_cur, "PARAMETER=%u ", ++ buf_len = strlen(buf); ++ BUF_ADD(buf,buf_siz,buf_len, "PARAMETER=%u ", + GET_VALUE(32).ui32 >> 24); + break; + case ICMP_REDIRECT: +- buf_cur += sprintf(buf_cur, "GATEWAY=%s ", inet_ntoa((struct in_addr) {htonl(GET_VALUE(32).ui32)})); ++ buf_len = strlen(buf); ++ BUF_ADD(buf,buf_siz,buf_len, "GATEWAY=%s ", inet_ntoa((struct in_addr) {htonl(GET_VALUE(32).ui32)})); + break; + case ICMP_DEST_UNREACH: + if (GET_VALUE(29).ui8 == ICMP_FRAG_NEEDED) +- buf_cur += sprintf(buf_cur, "MTU=%u ", ++ { ++ buf_len = strlen(buf); ++ BUF_ADD(buf,buf_siz,buf_len, "MTU=%u ", + GET_VALUE(33).ui16); ++ } + break; + } + break; + case IPPROTO_ESP: + case IPPROTO_AH: +- buf_cur += sprintf(buf_cur, "PROTO=%s ", GET_VALUE(12).ui8 == IPPROTO_ESP ? "ESP" : "AH"); ++ buf_len = strlen(buf); ++ BUF_ADD(buf,buf_siz,buf_len, "PROTO=%s ", GET_VALUE(12).ui8 == IPPROTO_ESP ? "ESP" : "AH"); + /* FIXME: "INCOMPLETE [%u bytes]" in case of short pkt */ + if (intr_ids[34].id > 0) { +- buf_cur += sprintf(buf_cur, "SPI=0x%x ", GET_VALUE(34).ui32); ++ buf_len = strlen(buf); ++ BUF_ADD(buf,buf_siz,buf_len, "SPI=0x%x ", GET_VALUE(34).ui32); + } + break; + default: + +- buf_cur += sprintf(buf_cur, "PROTO=%u ", GET_VALUE(11).ui8); ++ buf_len = strlen(buf); ++ BUF_ADD(buf,buf_siz,buf_len, "PROTO=%u ", GET_VALUE(11).ui8); + } +- strcat(buf_cur, "\n"); ++ buf_len = strlen(buf); ++ BUF_ADD(buf,buf_siz,buf_len, "\n"); ++ ++#undef BUF_ADD + + return 0; + } +--- extensions/printpkt.h ++++ extensions/printpkt.h 2007/01/08 18:20:04 +@@ -1,7 +1,7 @@ + #ifndef _PRINTPKT_H + #define _PRINTPKT_H + +-int printpkt_print(ulog_iret_t *res, char *buf, int prefix); ++int printpkt_print(ulog_iret_t *res, char *buf, size_t buf_siz, int prefix); + int printpkt_init(void); + + #endif +--- extensions/ulogd_BASE.c ++++ extensions/ulogd_BASE.c 2007/01/08 18:20:04 +@@ -65,9 +65,11 @@ static ulog_iret_t *_interp_raw(ulog_int + int i; + char *buf, *oldbuf = NULL; + ulog_iret_t *ret = ip->result; ++ size_t siz; + + if (pkt->mac_len) { +- buf = (char *) malloc(3 * pkt->mac_len + 1); ++ siz = 3 * pkt->mac_len + 1; ++ buf = (char *) malloc(siz); + if (!buf) { + ulogd_log(ULOGD_ERROR, "OOM!!!\n"); + return NULL; +@@ -77,7 +79,7 @@ static ulog_iret_t *_interp_raw(ulog_int + p = pkt->mac; + oldbuf = buf; + for (i = 0; i < pkt->mac_len; i++, p++) +- sprintf(buf, "%s%02x%c", oldbuf, *p, i==pkt->mac_len-1 ? ' ':':'); ++ snprintf(buf, siz, "%s%02x%c", oldbuf, *p, i==pkt->mac_len-1 ? ' ':':'); + ret[0].value.ptr = buf; + ret[0].flags |= ULOGD_RETF_VALID; + } +--- extensions/ulogd_LOGEMU.c ++++ extensions/ulogd_LOGEMU.c 2007/01/08 18:20:04 +@@ -67,7 +67,7 @@ static int _output_logemu(ulog_iret_t *r + { + static char buf[4096]; + +- printpkt_print(res, buf, 1); ++ printpkt_print(res, buf, sizeof(buf), 1); + + fprintf(of, "%s", buf); + +--- extensions/ulogd_PWSNIFF.c ++++ extensions/ulogd_PWSNIFF.c 2007/01/08 18:20:04 +@@ -116,7 +116,7 @@ static ulog_iret_t *_interp_pwsniff(ulog + return NULL; + } + strncpy(ret[0].value.ptr, (const char *)begp, len); +- *((char *)ret[0].value.ptr + len + 1) = '\0'; ++ *((char *)ret[0].value.ptr + len) = '\0'; + } + if (pw_len) { + ret[1].value.ptr = (char *) malloc(pw_len+1); +@@ -126,7 +126,7 @@ static ulog_iret_t *_interp_pwsniff(ulog + return NULL; + } + strncpy(ret[1].value.ptr, (const char *)pw_begp, pw_len); +- *((char *)ret[1].value.ptr + pw_len + 1) = '\0'; ++ *((char *)ret[1].value.ptr + pw_len) = '\0'; + + } + return ret; +--- extensions/ulogd_SYSLOG.c ++++ extensions/ulogd_SYSLOG.c 2007/01/08 18:20:04 +@@ -61,7 +61,7 @@ static int _output_syslog(ulog_iret_t *r + { + static char buf[4096]; + +- printpkt_print(res, buf, 0); ++ printpkt_print(res, buf, sizeof(buf), 0); + syslog(syslog_level|syslog_facility, buf); + + return 0; +--- mysql/ulogd_MYSQL.c ++++ mysql/ulogd_MYSQL.c 2007/01/08 18:20:04 +@@ -39,6 +39,7 @@ + #include <ulogd/ulogd.h> + #include <ulogd/conffile.h> + #include <mysql/mysql.h> ++#include <inttypes.h> + + #ifdef DEBUG_MYSQL + #define DEBUGP(x, args...) fprintf(stderr, x, ## args) +@@ -61,6 +62,9 @@ static struct _field *fields; + /* buffer for our insert statement */ + static char *stmt; + ++/* size of our insert statement buffer */ ++static size_t stmt_siz; ++ + /* pointer to the beginning of the "VALUES" part */ + static char *stmt_val; + +@@ -130,71 +134,85 @@ static int mysql_output(ulog_iret_t *res + + if (!res || !IS_VALID((*res))) { + /* no result, we have to fake something */ +- sprintf(stmt_ins, "NULL,"); ++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "NULL,"); + stmt_ins = stmt + strlen(stmt); + continue; + } + + switch (res->type) { + case ULOGD_RET_INT8: +- sprintf(stmt_ins, "%d,", res->value.i8); ++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "%d,", res->value.i8); + break; + case ULOGD_RET_INT16: +- sprintf(stmt_ins, "%d,", res->value.i16); ++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "%d,", res->value.i16); + break; + case ULOGD_RET_INT32: +- sprintf(stmt_ins, "%d,", res->value.i32); ++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "%d,", res->value.i32); + break; + case ULOGD_RET_INT64: +- sprintf(stmt_ins, "%lld,", res->value.i64); ++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "%"PRId64",", res->value.i64); + break; + case ULOGD_RET_UINT8: +- sprintf(stmt_ins, "%u,", res->value.ui8); ++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "%u,", res->value.ui8); + break; + case ULOGD_RET_UINT16: +- sprintf(stmt_ins, "%u,", res->value.ui16); ++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "%u,", res->value.ui16); + break; + case ULOGD_RET_IPADDR: + #ifdef IP_AS_STRING + memset(&addr, 0, sizeof(addr)); + addr.s_addr = ntohl(res->value.ui32); +- *stmt_ins++ = '\''; + tmpstr = inet_ntoa(addr); ++ if(stmt_siz > (stmt_ins-stmt)+(strlen(tmpstr)*2)+4) ++ { ++ *stmt_ins++ = '\''; + #ifdef OLD_MYSQL +- mysql_escape_string(stmt_ins, tmpstr, +- strlen(tmpstr)); ++ mysql_escape_string(stmt_ins, tmpstr, ++ strlen(tmpstr)); + #else +- mysql_real_escape_string(dbh, stmt_ins, +- tmpstr, +- strlen(tmpstr)); ++ mysql_real_escape_string(dbh, stmt_ins, ++ tmpstr, ++ strlen(tmpstr)); + #endif /* OLD_MYSQL */ +- stmt_ins = stmt + strlen(stmt); +- sprintf(stmt_ins, "',"); ++ stmt_ins = stmt + strlen(stmt); ++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "',"); ++ } ++ else ++ { ++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "'',"); ++ } + break; + #endif /* IP_AS_STRING */ + /* EVIL: fallthrough when logging IP as + * u_int32_t */ + case ULOGD_RET_UINT32: +- sprintf(stmt_ins, "%u,", res->value.ui32); ++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "%u,", res->value.ui32); + break; + case ULOGD_RET_UINT64: +- sprintf(stmt_ins, "%llu,", res->value.ui64); ++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "%"PRIu64",", res->value.ui64); + break; + case ULOGD_RET_BOOL: +- sprintf(stmt_ins, "'%d',", res->value.b); ++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "'%d',", res->value.b); + break; + case ULOGD_RET_STRING: +- *stmt_ins++ = '\''; ++ if(stmt_siz > (stmt_ins-stmt)+(strlen(res->value.ptr)*2)+4) ++ { ++ *stmt_ins++ = '\''; + #ifdef OLD_MYSQL +- mysql_escape_string(stmt_ins, res->value.ptr, +- strlen(res->value.ptr)); ++ mysql_escape_string(stmt_ins, res->value.ptr, ++ strlen(res->value.ptr)); + #else +- mysql_real_escape_string(dbh, stmt_ins, +- res->value.ptr, strlen(res->value.ptr)); ++ mysql_real_escape_string(dbh, stmt_ins, ++ res->value.ptr, strlen(res->value.ptr)); + #endif +- stmt_ins = stmt + strlen(stmt); +- sprintf(stmt_ins, "',"); +- /* sprintf(stmt_ins, "'%s',", res->value.ptr); */ ++ stmt_ins = stmt + strlen(stmt); ++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "',"); ++ } ++ else ++ { ++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "'',"); ++ } ++ /* snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "'%s',", res->value.ptr); */ + break; + case ULOGD_RET_RAW: + ulogd_log(ULOGD_NOTICE, +@@ -230,7 +248,7 @@ static int mysql_output(ulog_iret_t *res + static int mysql_createstmt(void) + { + struct _field *f; +- unsigned int size; ++ size_t size; + char buf[ULOGD_MAX_KEYLEN]; + char *underscore; + +@@ -241,7 +259,7 @@ static int mysql_createstmt(void) + } + + /* caclulate the size for the insert statement */ +- size = strlen(MYSQL_INSERTTEMPL) + strlen(table_ce.u.string); ++ size = strlen(MYSQL_INSERTTEMPL) + strlen(table_ce.u.string) + 1; + + for (f = fields; f; f = f->next) { + /* we need space for the key and a comma, as well as +@@ -252,25 +270,26 @@ static int mysql_createstmt(void) + ulogd_log(ULOGD_DEBUG, "allocating %u bytes for statement\n", size); + + stmt = (char *) malloc(size); +- + if (!stmt) { + ulogd_log(ULOGD_ERROR, "OOM!\n"); + return 1; + } ++ stmt_siz = size; + +- sprintf(stmt, "insert into %s (", table_ce.u.string); ++ snprintf(stmt, stmt_siz, "insert into %s (", table_ce.u.string); + stmt_val = stmt + strlen(stmt); + + for (f = fields; f; f = f->next) { +- strncpy(buf, f->name, ULOGD_MAX_KEYLEN); ++ strncpy(buf, f->name, ULOGD_MAX_KEYLEN-1); ++ buf[ULOGD_MAX_KEYLEN-1] = '\0'; + while ((underscore = strchr(buf, '.'))) + *underscore = '_'; +- sprintf(stmt_val, "%s,", buf); ++ snprintf(stmt_val, stmt_siz-(stmt_val-stmt), "%s,", buf); + stmt_val = stmt + strlen(stmt); + } + *(stmt_val - 1) = ')'; + +- sprintf(stmt_val, " values ("); ++ snprintf(stmt_val, stmt_siz-(stmt_val-stmt), " values ("); + stmt_val = stmt + strlen(stmt); + + ulogd_log(ULOGD_DEBUG, "stmt='%s'\n", stmt); +@@ -298,7 +317,8 @@ static int mysql_get_columns(const char + while ((field = mysql_fetch_field(result))) { + + /* replace all underscores with dots */ +- strncpy(buf, field->name, ULOGD_MAX_KEYLEN); ++ strncpy(buf, field->name, ULOGD_MAX_KEYLEN-1); ++ buf[ULOGD_MAX_KEYLEN-1] = '\0'; + while ((underscore = strchr(buf, '_'))) + *underscore = '.'; + +@@ -317,7 +337,8 @@ static int mysql_get_columns(const char + ulogd_log(ULOGD_ERROR, "OOM!\n"); + return 1; + } +- strncpy(f->name, buf, ULOGD_MAX_KEYLEN); ++ strncpy(f->name, buf, ULOGD_MAX_KEYLEN-1); ++ f->name[ULOGD_MAX_KEYLEN-1] = '\0'; + f->id = id; + f->next = fields; + fields = f; +--- pgsql/ulogd_PGSQL.c ++++ pgsql/ulogd_PGSQL.c 2007/01/08 18:20:04 +@@ -39,6 +39,9 @@ static struct _field *fields; + /* buffer for our insert statement */ + static char *stmt; + ++/* size of our insert statement buffer */ ++static size_t stmt_siz; ++ + /* pointer to the beginning of the "VALUES" part */ + static char *stmt_val; + +@@ -120,62 +123,78 @@ static int pgsql_output(ulog_iret_t *res + + if (!res || !IS_VALID((*res))) { + /* no result, we have to fake something */ +- sprintf(stmt_ins, "NULL,"); ++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "NULL,"); + stmt_ins = stmt + strlen(stmt); + continue; + } + + switch (res->type) { + case ULOGD_RET_INT8: +- sprintf(stmt_ins, "%d,", res->value.i8); ++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "%d,", res->value.i8); + break; + case ULOGD_RET_INT16: +- sprintf(stmt_ins, "%d,", res->value.i16); ++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "%d,", res->value.i16); + break; + case ULOGD_RET_INT32: +- sprintf(stmt_ins, "%d,", res->value.i32); ++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "%d,", res->value.i32); + break; + case ULOGD_RET_INT64: +- sprintf(stmt_ins, "%lld,", res->value.i64); ++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "%lld,", res->value.i64); + break; + case ULOGD_RET_UINT8: +- sprintf(stmt_ins, "%u,", res->value.ui8); ++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "%u,", res->value.ui8); + break; + case ULOGD_RET_UINT16: +- sprintf(stmt_ins, "%u,", res->value.ui16); ++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "%u,", res->value.ui16); + break; + case ULOGD_RET_IPADDR: + #ifdef IP_AS_STRING +- *stmt_ins++ = '\''; + memset(&addr, 0, sizeof(addr)); + addr.s_addr = ntohl(res->value.ui32); + tmpstr = (char *)inet_ntoa(addr); +- PQescapeString(stmt_ins,tmpstr,strlen(tmpstr)); +- stmt_ins = stmt + strlen(stmt); +- sprintf(stmt_ins, "',"); ++ if(stmt_siz > (stmt_ins-stmt)+(strlen(tmpstr)*2)+4) ++ { ++ *stmt_ins++ = '\''; ++ PQescapeString(stmt_ins,tmpstr,strlen(tmpstr)); ++ stmt_ins = stmt + strlen(stmt); ++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "',"); ++ } ++ else ++ { ++ ulogd_log(ULOGD_NOTICE,"%s: pgsql - no space to add escaped ip string to insert statement\n"); ++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "'',"); ++ } + break; + #endif /* IP_AS_STRING */ + /* EVIL: fallthrough when logging IP as + * u_int32_t */ + + case ULOGD_RET_UINT32: +- sprintf(stmt_ins, "%u,", res->value.ui32); ++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "%u,", res->value.ui32); + break; + case ULOGD_RET_UINT64: +- sprintf(stmt_ins, "%llu,", res->value.ui64); ++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "%llu,", res->value.ui64); + break; + case ULOGD_RET_BOOL: +- sprintf(stmt_ins, "'%d',", res->value.b); ++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "'%d',", res->value.b); + break; + case ULOGD_RET_STRING: +- *stmt_ins++ = '\''; +- PQescapeString(stmt_ins,res->value.ptr,strlen(res->value.ptr)); +- stmt_ins = stmt + strlen(stmt); +- sprintf(stmt_ins, "',"); ++ if(stmt_siz > (stmt_ins-stmt)+(strlen(res->value.ptr)*2)+4) ++ { ++ *stmt_ins++ = '\''; ++ PQescapeString(stmt_ins,res->value.ptr,strlen(res->value.ptr)); ++ stmt_ins = stmt + strlen(stmt); ++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "',"); ++ } ++ else ++ { ++ ulogd_log(ULOGD_NOTICE,"%s: pgsql - no space to add escaped string to insert statement\n"); ++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "'',"); ++ } + break; + case ULOGD_RET_RAW: + ulogd_log(ULOGD_NOTICE,"%s: pgsql doesn't support type RAW\n",res->key); +- sprintf(stmt_ins, "NULL,"); ++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "NULL,"); + break; + default: + ulogd_log(ULOGD_NOTICE, +@@ -205,12 +224,13 @@ static int pgsql_output(ulog_iret_t *res + /* Determine if server support schemas */ + static int pgsql_namespace(void) { + PGresult *result; +- char pgbuf[strlen(PGSQL_HAVE_NAMESPACE_TEMPLATE)+strlen(schema_ce.u.string)+1]; ++ size_t pgbuf_siz = strlen(PGSQL_HAVE_NAMESPACE_TEMPLATE)+strlen(schema_ce.u.string)+1; ++ char pgbuf[pgbuf_siz]; + + if (!dbh) + return 1; + +- sprintf(pgbuf, PGSQL_HAVE_NAMESPACE_TEMPLATE, schema_ce.u.string); ++ snprintf(pgbuf, pgbuf_siz, PGSQL_HAVE_NAMESPACE_TEMPLATE, schema_ce.u.string); + ulogd_log(ULOGD_DEBUG, "%s\n", pgbuf); + + result = PQexec(dbh, pgbuf); +@@ -265,25 +285,27 @@ static int pgsql_createstmt(void) + ulogd_log(ULOGD_ERROR, "OOM!\n"); + return 1; + } ++ stmt_siz = size; + + if (pgsql_have_schemas) { +- sprintf(stmt, "insert into %s.%s (", schema_ce.u.string, table_ce.u.string); ++ snprintf(stmt, stmt_siz, "insert into %s.%s (", schema_ce.u.string, table_ce.u.string); + } else { +- sprintf(stmt, "insert into %s (", table_ce.u.string); ++ snprintf(stmt, stmt_siz, "insert into %s (", table_ce.u.string); + } + + stmt_val = stmt + strlen(stmt); + + for (f = fields; f; f = f->next) { +- strncpy(buf, f->name, ULOGD_MAX_KEYLEN); ++ strncpy(buf, f->name, ULOGD_MAX_KEYLEN-1); ++ buf[ULOGD_MAX_KEYLEN-1] = '\0'; + while ((underscore = strchr(buf, '.'))) + *underscore = '_'; +- sprintf(stmt_val, "%s,", buf); ++ snprintf(stmt_val, stmt_siz-(stmt_val-stmt), "%s,", buf); + stmt_val = stmt + strlen(stmt); + } + *(stmt_val - 1) = ')'; + +- sprintf(stmt_val, " values ("); ++ snprintf(stmt_val, stmt_siz-(stmt_val-stmt), " values ("); + stmt_val = stmt + strlen(stmt); + + ulogd_log(ULOGD_DEBUG, "stmt='%s'\n", stmt); +@@ -331,7 +353,8 @@ static int pgsql_get_columns(const char + for (intaux=0; intaux<PQntuples(result); intaux++) { + + /* replace all underscores with dots */ +- strncpy(buf, PQgetvalue(result, intaux, 0), ULOGD_MAX_KEYLEN); ++ strncpy(buf, PQgetvalue(result, intaux, 0), ULOGD_MAX_KEYLEN-1); ++ buf[ULOGD_MAX_KEYLEN-1] = '\0'; + while ((underscore = strchr(buf, '_'))) + *underscore = '.'; + +@@ -350,7 +373,8 @@ static int pgsql_get_columns(const char + ulogd_log(ULOGD_ERROR, "OOM!\n"); + return 1; + } +- strncpy(f->name, buf, ULOGD_MAX_KEYLEN); ++ strncpy(f->name, buf, ULOGD_MAX_KEYLEN-1); ++ f->name[ULOGD_MAX_KEYLEN-1] = '\0'; + f->id = id; + f->next = fields; + fields = f; +@@ -384,32 +408,34 @@ static int pgsql_open_db(char *server, i + if (port) + len += 20; + +- connstr = (char *) malloc(len); ++ connstr = (char *) malloc(len+1); + if (!connstr) + return 1; + + if (server) { +- strcpy(connstr, " host="); +- strcat(connstr, server); ++ strncpy(connstr, " host=", len); ++ connstr[len] = '\0'; ++ strncat(connstr, server, len-strlen(connstr)); + } + + if (port) { + char portbuf[20]; + snprintf(portbuf, sizeof(portbuf), " port=%u", port); +- strcat(connstr, portbuf); ++ strncat(connstr, portbuf, len-strlen(connstr)); + } + +- strcat(connstr, " dbname="); +- strcat(connstr, db); +- strcat(connstr, " user="); +- strcat(connstr, user); ++ strncat(connstr, " dbname=", len-strlen(connstr)); ++ strncat(connstr, db, len-strlen(connstr)); ++ strncat(connstr, " user=", len-strlen(connstr)); ++ strncat(connstr, user, len-strlen(connstr)); + + if (pass) { +- strcat(connstr, " password="); +- strcat(connstr, pass); ++ strncat(connstr, " password=", len-strlen(connstr)); ++ strncat(connstr, pass, len-strlen(connstr)); + } + + dbh = PQconnectdb(connstr); ++ free(connstr); + if (PQstatus(dbh)!=CONNECTION_OK) { + exit_nicely(dbh); + return 1; +--- sqlite3/ulogd_SQLITE3.c ++++ sqlite3/ulogd_SQLITE3.c 2007/01/08 18:20:04 +@@ -55,6 +55,9 @@ static struct _field *fields; + /* buffer for our insert statement */ + static char *stmt; + ++/* size of our insert statement buffer */ ++static size_t stmt_siz; ++ + /* pointer to the final prepared statement */ + static sqlite3_stmt *p_stmt; + +@@ -193,7 +196,7 @@ static int _sqlite3_output(ulog_iret_t * + static int _sqlite3_createstmt(void) + { + struct _field *f; +- unsigned int size; ++ size_t size; + char buf[ULOGD_MAX_KEYLEN]; + char *underscore; + char *stmt_pos; +@@ -207,7 +210,7 @@ static int _sqlite3_createstmt(void) + } + + /* caclulate the size for the insert statement */ +- size = strlen(_SQLITE3_INSERTTEMPL) + strlen(table_ce.u.string); ++ size = strlen(_SQLITE3_INSERTTEMPL) + strlen(table_ce.u.string) + 1; + + DEBUGP("initial size: %u\n", size); + +@@ -230,29 +233,31 @@ static int _sqlite3_createstmt(void) + ulogd_log(ULOGD_ERROR, "OOM!\n"); + return 1; + } ++ stmt_siz = size; + +- sprintf(stmt, "insert into %s (", table_ce.u.string); ++ snprintf(stmt, stmt_siz, "insert into %s (", table_ce.u.string); + stmt_pos = stmt + strlen(stmt); + + for (f = fields; f; f = f->next) { +- strncpy(buf, f->name, ULOGD_MAX_KEYLEN); ++ strncpy(buf, f->name, ULOGD_MAX_KEYLEN-1); ++ buf[ULOGD_MAX_KEYLEN-1] = '\0'; + while ((underscore = strchr(buf, '.'))) + *underscore = '_'; +- sprintf(stmt_pos, "%s,", buf); ++ snprintf(stmt_pos, stmt_siz-(stmt_pos-stmt), "%s,", buf); + stmt_pos = stmt + strlen(stmt); + } + + *(stmt_pos - 1) = ')'; + +- sprintf(stmt_pos, " values ("); ++ snprintf(stmt_pos, stmt_siz-(stmt_pos-stmt), " values ("); + stmt_pos = stmt + strlen(stmt); + + for (i = 0; i < col_count - 1; i++) { +- sprintf(stmt_pos,"?,"); ++ snprintf(stmt_pos, stmt_siz-(stmt_pos-stmt), "?,"); + stmt_pos += 2; + } + +- sprintf(stmt_pos, "?)"); ++ snprintf(stmt_pos, stmt_siz-(stmt_pos-stmt), "?)"); + ulogd_log(ULOGD_DEBUG, "stmt='%s'\n", stmt); + + DEBUGP("about to prepare statement.\n"); +@@ -277,7 +282,7 @@ static int _sqlite3_createstmt(void) + static int _sqlite3_get_columns(const char *table) + { + char buf[ULOGD_MAX_KEYLEN]; +- char query[SQLITE_SELECT_LEN + CONFIG_VAL_STRING_LEN] = "select * from \0"; ++ char query[SQLITE_SELECT_LEN + CONFIG_VAL_STRING_LEN + 1] = "select * from \0"; + char *underscore; + struct _field *f; + sqlite3_stmt *schema_stmt; +@@ -288,8 +293,8 @@ static int _sqlite3_get_columns(const ch + if (!dbh) + return 1; + +- strncat(query,table,LINE_LEN); +- ++ strncat(query,table,sizeof(query)-strlen(query)-1); ++ + result = sqlite3_prepare(dbh,query,-1,&schema_stmt,0); + + if (result != SQLITE_OK) +@@ -297,7 +302,8 @@ static int _sqlite3_get_columns(const ch + + for (column = 0; column < sqlite3_column_count(schema_stmt); column++) { + /* replace all underscores with dots */ +- strncpy(buf, sqlite3_column_name(schema_stmt,column), ULOGD_MAX_KEYLEN); ++ strncpy(buf, sqlite3_column_name(schema_stmt,column), ULOGD_MAX_KEYLEN-1); ++ buf[ULOGD_MAX_KEYLEN-1] = '\0'; + while ((underscore = strchr(buf, '_'))) + *underscore = '.'; + +@@ -316,7 +322,8 @@ static int _sqlite3_get_columns(const ch + ulogd_log(ULOGD_ERROR, "OOM!\n"); + return 1; + } +- strncpy(f->name, buf, ULOGD_MAX_KEYLEN); ++ strncpy(f->name, buf, ULOGD_MAX_KEYLEN-1); ++ f->name[ULOGD_MAX_KEYLEN-1] = '\0'; + f->id = id; + f->next = fields; + fields = f; |