summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat (limited to 'app-admin')
-rw-r--r--app-admin/ulogd/ChangeLog7
-rw-r--r--app-admin/ulogd/files/glsa-200701.patch873
2 files changed, 879 insertions, 1 deletions
diff --git a/app-admin/ulogd/ChangeLog b/app-admin/ulogd/ChangeLog
index 90439e3c2e5b..6ec969de10f4 100644
--- a/app-admin/ulogd/ChangeLog
+++ b/app-admin/ulogd/ChangeLog
@@ -1,6 +1,11 @@
# ChangeLog for app-admin/ulogd
# Copyright 2002-2007 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-admin/ulogd/ChangeLog,v 1.42 2007/02/06 16:13:30 antarus Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-admin/ulogd/ChangeLog,v 1.43 2007/02/07 09:13:42 dragonheart Exp $
+
+ 07 Feb 2007; Daniel Black <dragonheart@gentoo.org>
+ +files/glsa-200701.patch:
+ added patch now too. thanks<analyzer> on #gentoo-bugs for bringing it to our
+ attention
*ulogd-1.23-r1 (06 Feb 2007)
diff --git a/app-admin/ulogd/files/glsa-200701.patch b/app-admin/ulogd/files/glsa-200701.patch
new file mode 100644
index 000000000000..2cf2776d4b36
--- /dev/null
+++ b/app-admin/ulogd/files/glsa-200701.patch
@@ -0,0 +1,873 @@
+--- extensions/printpkt.c
++++ extensions/printpkt.c 2007/01/08 18:20:04
+@@ -95,13 +95,17 @@ static struct intr_id intr_ids[INTR_IDS]
+ #define GET_VALUE(x) ulogd_keyh[intr_ids[x].id].interp->result[ulogd_keyh[intr_ids[x].id].offset].value
+ #define GET_FLAGS(x) ulogd_keyh[intr_ids[x].id].interp->result[ulogd_keyh[intr_ids[x].id].offset].flags
+
+-int printpkt_print(ulog_iret_t *res, char *buf, int prefix)
++int printpkt_print(ulog_iret_t *res, char *buf, size_t buf_siz, int prefix)
+ {
+ char *timestr;
+ char *tmp;
+ time_t now;
+
+- char *buf_cur = buf;
++ if( buf_siz) *buf = '\0';
++ size_t buf_len = 0;
++
++#define BUF_ADD(ptr, siz, off, fmt...) \
++ snprintf(((ptr)+(off)), ((siz) > (off) ? (siz)-(off) : 0), ##fmt)
+
+ if (prefix) {
+ now = (time_t) GET_VALUE(0).ui32;
+@@ -116,127 +120,191 @@ int printpkt_print(ulog_iret_t *res, cha
+ *tmp = '\0';
+
+ /* print time and hostname */
+- buf_cur += sprintf(buf_cur, "%.15s %s", timestr, hostname);
++ buf_len = strlen(buf);
++ BUF_ADD(buf,buf_siz,buf_len, "%.15s %s", timestr, hostname);
+ }
+
+ if (*(char *) GET_VALUE(1).ptr)
+- buf_cur += sprintf(buf_cur, " %s", (char *) GET_VALUE(1).ptr);
++ {
++ buf_len = strlen(buf);
++ BUF_ADD(buf,buf_siz,buf_len, " %s", (char *) GET_VALUE(1).ptr);
++ }
+
+- buf_cur += sprintf(buf_cur," IN=%s OUT=%s ",
+- (char *) GET_VALUE(2).ptr,
+- (char *) GET_VALUE(3).ptr);
++ buf_len = strlen(buf);
++ BUF_ADD(buf,buf_siz,buf_len," IN=%s OUT=%s ",
++ (char *) GET_VALUE(2).ptr,
++ (char *) GET_VALUE(3).ptr);
+
+ /* FIXME: configurable */
+- buf_cur += sprintf(buf_cur, "MAC=%s ",
+- (GET_FLAGS(4) & ULOGD_RETF_VALID) ? (char *) GET_VALUE(4).ptr : "");
+-
+- buf_cur += sprintf(buf_cur, "SRC=%s ",
+- inet_ntoa((struct in_addr) {htonl(GET_VALUE(5).ui32)}));
+- buf_cur += sprintf(buf_cur, "DST=%s ",
+- inet_ntoa((struct in_addr) {htonl(GET_VALUE(6).ui32)}));
+-
+- buf_cur += sprintf(buf_cur,"LEN=%u TOS=%02X PREC=0x%02X TTL=%u ID=%u ",
+- GET_VALUE(7).ui16, GET_VALUE(8).ui8 & IPTOS_TOS_MASK,
+- GET_VALUE(8).ui8 & IPTOS_PREC_MASK, GET_VALUE(9).ui8,
+- GET_VALUE(10).ui16);
++ buf_len = strlen(buf);
++ BUF_ADD(buf,buf_siz,buf_len, "MAC=%s ",
++ (GET_FLAGS(4) & ULOGD_RETF_VALID) ? (char *) GET_VALUE(4).ptr : "");
++
++ buf_len = strlen(buf);
++ BUF_ADD(buf,buf_siz,buf_len, "SRC=%s ",
++ inet_ntoa((struct in_addr) {htonl(GET_VALUE(5).ui32)}));
++
++ buf_len = strlen(buf);
++ BUF_ADD(buf,buf_siz,buf_len, "DST=%s ",
++ inet_ntoa((struct in_addr) {htonl(GET_VALUE(6).ui32)}));
++
++ buf_len = strlen(buf);
++ BUF_ADD(buf,buf_siz,buf_len,
++ "LEN=%u TOS=%02X PREC=0x%02X TTL=%u ID=%u ",
++ GET_VALUE(7).ui16, GET_VALUE(8).ui8 & IPTOS_TOS_MASK,
++ GET_VALUE(8).ui8 & IPTOS_PREC_MASK, GET_VALUE(9).ui8,
++ GET_VALUE(10).ui16);
+
+ if (GET_VALUE(10).ui16 & IP_RF)
+- buf_cur += sprintf(buf_cur, "CE ");
++ {
++ buf_len = strlen(buf);
++ BUF_ADD(buf,buf_siz,buf_len, "CE ");
++ }
+
+ if (GET_VALUE(11).ui16 & IP_DF)
+- buf_cur += sprintf(buf_cur, "DF ");
++ {
++ buf_len = strlen(buf);
++ BUF_ADD(buf,buf_siz,buf_len, "DF ");
++ }
+
+ if (GET_VALUE(11).ui16 & IP_MF)
+- buf_cur += sprintf(buf_cur, "MF ");
++ {
++ buf_len = strlen(buf);
++ BUF_ADD(buf,buf_siz,buf_len, "MF ");
++ }
+
+ if (GET_VALUE(11).ui16 & IP_OFFMASK)
+- buf_cur += sprintf(buf_cur, "FRAG:%u ",
++ {
++ buf_len = strlen(buf);
++ BUF_ADD(buf,buf_siz,buf_len, "FRAG:%u ",
+ GET_VALUE(11).ui16 & IP_OFFMASK);
++ }
+
+ switch (GET_VALUE(12).ui8) {
+
+ case IPPROTO_TCP:
+- buf_cur += sprintf(buf_cur, "PROTO=TCP ");
+- buf_cur += sprintf(buf_cur, "SPT=%u DPT=%u ",
+- GET_VALUE(13).ui16, GET_VALUE(14).ui16);
++ buf_len = strlen(buf);
++ BUF_ADD(buf,buf_siz,buf_len, "PROTO=TCP ");
++ buf_len = strlen(buf);
++ BUF_ADD(buf,buf_siz,buf_len, "SPT=%u DPT=%u ",
++ GET_VALUE(13).ui16, GET_VALUE(14).ui16);
+ /* FIXME: config */
+- buf_cur += sprintf(buf_cur, "SEQ=%u ACK=%u ",
+- GET_VALUE(15).ui32, GET_VALUE(16).ui32);
+-
+- buf_cur += sprintf(buf_cur, "WINDOW=%u ", GET_VALUE(17).ui16);
++ buf_len = strlen(buf);
++ BUF_ADD(buf,buf_siz,buf_len, "SEQ=%u ACK=%u ",
++ GET_VALUE(15).ui32, GET_VALUE(16).ui32);
++
++ buf_len = strlen(buf);
++ BUF_ADD(buf,buf_siz,buf_len,
++ "WINDOW=%u ", GET_VALUE(17).ui16);
+
+-// buf_cur += sprintf(buf_cur, "RES=0x%02x ",
++// buf_len = strlen(buf);
++// BUF_ADD(buf,buf_siz,buf_len, "RES=0x%02x ",
+
+ if (GET_VALUE(18).b)
+- buf_cur += sprintf(buf_cur, "URG ");
++ {
++ buf_len = strlen(buf);
++ BUF_ADD(buf,buf_siz,buf_len, "URG ");
++ }
+
+ if (GET_VALUE(19).b)
+- buf_cur += sprintf(buf_cur, "ACK ");
++ {
++ buf_len = strlen(buf);
++ BUF_ADD(buf,buf_siz,buf_len, "ACK ");
++ }
+
+ if (GET_VALUE(20).b)
+- buf_cur += sprintf(buf_cur, "PSH ");
++ {
++ buf_len = strlen(buf);
++ BUF_ADD(buf,buf_siz,buf_len, "PSH ");
++ }
+
+ if (GET_VALUE(21).b)
+- buf_cur += sprintf(buf_cur, "RST ");
++ {
++ buf_len = strlen(buf);
++ BUF_ADD(buf,buf_siz,buf_len, "RST ");
++ }
+
+ if (GET_VALUE(22).b)
+- buf_cur += sprintf(buf_cur, "SYN ");
++ {
++ buf_len = strlen(buf);
++ BUF_ADD(buf,buf_siz,buf_len, "SYN ");
++ }
+
+ if (GET_VALUE(23).b)
+- buf_cur += sprintf(buf_cur, "FIN ");
++ {
++ buf_len = strlen(buf);
++ BUF_ADD(buf,buf_siz,buf_len, "FIN ");
++ }
+
+- buf_cur += sprintf(buf_cur, "URGP=%u ", GET_VALUE(24).ui16);
++ buf_len = strlen(buf);
++ BUF_ADD(buf,buf_siz,buf_len, "URGP=%u ", GET_VALUE(24).ui16);
+
+ break;
+ case IPPROTO_UDP:
+
+- buf_cur += sprintf(buf_cur, "PROTO=UDP ");
++ buf_len = strlen(buf);
++ BUF_ADD(buf,buf_siz,buf_len, "PROTO=UDP ");
+
+- buf_cur += sprintf(buf_cur, "SPT=%u DPT=%u LEN=%u ",
++ buf_len = strlen(buf);
++ BUF_ADD(buf,buf_siz,buf_len, "SPT=%u DPT=%u LEN=%u ",
+ GET_VALUE(25).ui16, GET_VALUE(26).ui16,
+ GET_VALUE(27).ui16);
+ break;
+ case IPPROTO_ICMP:
+
+- buf_cur += sprintf(buf_cur, "PROTO=ICMP ");
++ buf_len = strlen(buf);
++ BUF_ADD(buf,buf_siz,buf_len, "PROTO=ICMP ");
+
+- buf_cur += sprintf(buf_cur, "TYPE=%u CODE=%u ",
++ buf_len = strlen(buf);
++ BUF_ADD(buf,buf_siz,buf_len, "TYPE=%u CODE=%u ",
+ GET_VALUE(28).ui8, GET_VALUE(29).ui8);
+
+ switch (GET_VALUE(28).ui8) {
+ case ICMP_ECHO:
+ case ICMP_ECHOREPLY:
+- buf_cur += sprintf(buf_cur, "ID=%u SEQ=%u ",
++ buf_len = strlen(buf);
++ BUF_ADD(buf,buf_siz,buf_len, "ID=%u SEQ=%u ",
+ GET_VALUE(30).ui16,
+ GET_VALUE(31).ui16);
+ break;
+ case ICMP_PARAMETERPROB:
+- buf_cur += sprintf(buf_cur, "PARAMETER=%u ",
++ buf_len = strlen(buf);
++ BUF_ADD(buf,buf_siz,buf_len, "PARAMETER=%u ",
+ GET_VALUE(32).ui32 >> 24);
+ break;
+ case ICMP_REDIRECT:
+- buf_cur += sprintf(buf_cur, "GATEWAY=%s ", inet_ntoa((struct in_addr) {htonl(GET_VALUE(32).ui32)}));
++ buf_len = strlen(buf);
++ BUF_ADD(buf,buf_siz,buf_len, "GATEWAY=%s ", inet_ntoa((struct in_addr) {htonl(GET_VALUE(32).ui32)}));
+ break;
+ case ICMP_DEST_UNREACH:
+ if (GET_VALUE(29).ui8 == ICMP_FRAG_NEEDED)
+- buf_cur += sprintf(buf_cur, "MTU=%u ",
++ {
++ buf_len = strlen(buf);
++ BUF_ADD(buf,buf_siz,buf_len, "MTU=%u ",
+ GET_VALUE(33).ui16);
++ }
+ break;
+ }
+ break;
+ case IPPROTO_ESP:
+ case IPPROTO_AH:
+- buf_cur += sprintf(buf_cur, "PROTO=%s ", GET_VALUE(12).ui8 == IPPROTO_ESP ? "ESP" : "AH");
++ buf_len = strlen(buf);
++ BUF_ADD(buf,buf_siz,buf_len, "PROTO=%s ", GET_VALUE(12).ui8 == IPPROTO_ESP ? "ESP" : "AH");
+ /* FIXME: "INCOMPLETE [%u bytes]" in case of short pkt */
+ if (intr_ids[34].id > 0) {
+- buf_cur += sprintf(buf_cur, "SPI=0x%x ", GET_VALUE(34).ui32);
++ buf_len = strlen(buf);
++ BUF_ADD(buf,buf_siz,buf_len, "SPI=0x%x ", GET_VALUE(34).ui32);
+ }
+ break;
+ default:
+
+- buf_cur += sprintf(buf_cur, "PROTO=%u ", GET_VALUE(11).ui8);
++ buf_len = strlen(buf);
++ BUF_ADD(buf,buf_siz,buf_len, "PROTO=%u ", GET_VALUE(11).ui8);
+ }
+- strcat(buf_cur, "\n");
++ buf_len = strlen(buf);
++ BUF_ADD(buf,buf_siz,buf_len, "\n");
++
++#undef BUF_ADD
+
+ return 0;
+ }
+--- extensions/printpkt.h
++++ extensions/printpkt.h 2007/01/08 18:20:04
+@@ -1,7 +1,7 @@
+ #ifndef _PRINTPKT_H
+ #define _PRINTPKT_H
+
+-int printpkt_print(ulog_iret_t *res, char *buf, int prefix);
++int printpkt_print(ulog_iret_t *res, char *buf, size_t buf_siz, int prefix);
+ int printpkt_init(void);
+
+ #endif
+--- extensions/ulogd_BASE.c
++++ extensions/ulogd_BASE.c 2007/01/08 18:20:04
+@@ -65,9 +65,11 @@ static ulog_iret_t *_interp_raw(ulog_int
+ int i;
+ char *buf, *oldbuf = NULL;
+ ulog_iret_t *ret = ip->result;
++ size_t siz;
+
+ if (pkt->mac_len) {
+- buf = (char *) malloc(3 * pkt->mac_len + 1);
++ siz = 3 * pkt->mac_len + 1;
++ buf = (char *) malloc(siz);
+ if (!buf) {
+ ulogd_log(ULOGD_ERROR, "OOM!!!\n");
+ return NULL;
+@@ -77,7 +79,7 @@ static ulog_iret_t *_interp_raw(ulog_int
+ p = pkt->mac;
+ oldbuf = buf;
+ for (i = 0; i < pkt->mac_len; i++, p++)
+- sprintf(buf, "%s%02x%c", oldbuf, *p, i==pkt->mac_len-1 ? ' ':':');
++ snprintf(buf, siz, "%s%02x%c", oldbuf, *p, i==pkt->mac_len-1 ? ' ':':');
+ ret[0].value.ptr = buf;
+ ret[0].flags |= ULOGD_RETF_VALID;
+ }
+--- extensions/ulogd_LOGEMU.c
++++ extensions/ulogd_LOGEMU.c 2007/01/08 18:20:04
+@@ -67,7 +67,7 @@ static int _output_logemu(ulog_iret_t *r
+ {
+ static char buf[4096];
+
+- printpkt_print(res, buf, 1);
++ printpkt_print(res, buf, sizeof(buf), 1);
+
+ fprintf(of, "%s", buf);
+
+--- extensions/ulogd_PWSNIFF.c
++++ extensions/ulogd_PWSNIFF.c 2007/01/08 18:20:04
+@@ -116,7 +116,7 @@ static ulog_iret_t *_interp_pwsniff(ulog
+ return NULL;
+ }
+ strncpy(ret[0].value.ptr, (const char *)begp, len);
+- *((char *)ret[0].value.ptr + len + 1) = '\0';
++ *((char *)ret[0].value.ptr + len) = '\0';
+ }
+ if (pw_len) {
+ ret[1].value.ptr = (char *) malloc(pw_len+1);
+@@ -126,7 +126,7 @@ static ulog_iret_t *_interp_pwsniff(ulog
+ return NULL;
+ }
+ strncpy(ret[1].value.ptr, (const char *)pw_begp, pw_len);
+- *((char *)ret[1].value.ptr + pw_len + 1) = '\0';
++ *((char *)ret[1].value.ptr + pw_len) = '\0';
+
+ }
+ return ret;
+--- extensions/ulogd_SYSLOG.c
++++ extensions/ulogd_SYSLOG.c 2007/01/08 18:20:04
+@@ -61,7 +61,7 @@ static int _output_syslog(ulog_iret_t *r
+ {
+ static char buf[4096];
+
+- printpkt_print(res, buf, 0);
++ printpkt_print(res, buf, sizeof(buf), 0);
+ syslog(syslog_level|syslog_facility, buf);
+
+ return 0;
+--- mysql/ulogd_MYSQL.c
++++ mysql/ulogd_MYSQL.c 2007/01/08 18:20:04
+@@ -39,6 +39,7 @@
+ #include <ulogd/ulogd.h>
+ #include <ulogd/conffile.h>
+ #include <mysql/mysql.h>
++#include <inttypes.h>
+
+ #ifdef DEBUG_MYSQL
+ #define DEBUGP(x, args...) fprintf(stderr, x, ## args)
+@@ -61,6 +62,9 @@ static struct _field *fields;
+ /* buffer for our insert statement */
+ static char *stmt;
+
++/* size of our insert statement buffer */
++static size_t stmt_siz;
++
+ /* pointer to the beginning of the "VALUES" part */
+ static char *stmt_val;
+
+@@ -130,71 +134,85 @@ static int mysql_output(ulog_iret_t *res
+
+ if (!res || !IS_VALID((*res))) {
+ /* no result, we have to fake something */
+- sprintf(stmt_ins, "NULL,");
++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "NULL,");
+ stmt_ins = stmt + strlen(stmt);
+ continue;
+ }
+
+ switch (res->type) {
+ case ULOGD_RET_INT8:
+- sprintf(stmt_ins, "%d,", res->value.i8);
++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "%d,", res->value.i8);
+ break;
+ case ULOGD_RET_INT16:
+- sprintf(stmt_ins, "%d,", res->value.i16);
++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "%d,", res->value.i16);
+ break;
+ case ULOGD_RET_INT32:
+- sprintf(stmt_ins, "%d,", res->value.i32);
++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "%d,", res->value.i32);
+ break;
+ case ULOGD_RET_INT64:
+- sprintf(stmt_ins, "%lld,", res->value.i64);
++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "%"PRId64",", res->value.i64);
+ break;
+ case ULOGD_RET_UINT8:
+- sprintf(stmt_ins, "%u,", res->value.ui8);
++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "%u,", res->value.ui8);
+ break;
+ case ULOGD_RET_UINT16:
+- sprintf(stmt_ins, "%u,", res->value.ui16);
++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "%u,", res->value.ui16);
+ break;
+ case ULOGD_RET_IPADDR:
+ #ifdef IP_AS_STRING
+ memset(&addr, 0, sizeof(addr));
+ addr.s_addr = ntohl(res->value.ui32);
+- *stmt_ins++ = '\'';
+ tmpstr = inet_ntoa(addr);
++ if(stmt_siz > (stmt_ins-stmt)+(strlen(tmpstr)*2)+4)
++ {
++ *stmt_ins++ = '\'';
+ #ifdef OLD_MYSQL
+- mysql_escape_string(stmt_ins, tmpstr,
+- strlen(tmpstr));
++ mysql_escape_string(stmt_ins, tmpstr,
++ strlen(tmpstr));
+ #else
+- mysql_real_escape_string(dbh, stmt_ins,
+- tmpstr,
+- strlen(tmpstr));
++ mysql_real_escape_string(dbh, stmt_ins,
++ tmpstr,
++ strlen(tmpstr));
+ #endif /* OLD_MYSQL */
+- stmt_ins = stmt + strlen(stmt);
+- sprintf(stmt_ins, "',");
++ stmt_ins = stmt + strlen(stmt);
++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "',");
++ }
++ else
++ {
++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "'',");
++ }
+ break;
+ #endif /* IP_AS_STRING */
+ /* EVIL: fallthrough when logging IP as
+ * u_int32_t */
+ case ULOGD_RET_UINT32:
+- sprintf(stmt_ins, "%u,", res->value.ui32);
++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "%u,", res->value.ui32);
+ break;
+ case ULOGD_RET_UINT64:
+- sprintf(stmt_ins, "%llu,", res->value.ui64);
++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "%"PRIu64",", res->value.ui64);
+ break;
+ case ULOGD_RET_BOOL:
+- sprintf(stmt_ins, "'%d',", res->value.b);
++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "'%d',", res->value.b);
+ break;
+ case ULOGD_RET_STRING:
+- *stmt_ins++ = '\'';
++ if(stmt_siz > (stmt_ins-stmt)+(strlen(res->value.ptr)*2)+4)
++ {
++ *stmt_ins++ = '\'';
+ #ifdef OLD_MYSQL
+- mysql_escape_string(stmt_ins, res->value.ptr,
+- strlen(res->value.ptr));
++ mysql_escape_string(stmt_ins, res->value.ptr,
++ strlen(res->value.ptr));
+ #else
+- mysql_real_escape_string(dbh, stmt_ins,
+- res->value.ptr, strlen(res->value.ptr));
++ mysql_real_escape_string(dbh, stmt_ins,
++ res->value.ptr, strlen(res->value.ptr));
+ #endif
+- stmt_ins = stmt + strlen(stmt);
+- sprintf(stmt_ins, "',");
+- /* sprintf(stmt_ins, "'%s',", res->value.ptr); */
++ stmt_ins = stmt + strlen(stmt);
++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "',");
++ }
++ else
++ {
++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "'',");
++ }
++ /* snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "'%s',", res->value.ptr); */
+ break;
+ case ULOGD_RET_RAW:
+ ulogd_log(ULOGD_NOTICE,
+@@ -230,7 +248,7 @@ static int mysql_output(ulog_iret_t *res
+ static int mysql_createstmt(void)
+ {
+ struct _field *f;
+- unsigned int size;
++ size_t size;
+ char buf[ULOGD_MAX_KEYLEN];
+ char *underscore;
+
+@@ -241,7 +259,7 @@ static int mysql_createstmt(void)
+ }
+
+ /* caclulate the size for the insert statement */
+- size = strlen(MYSQL_INSERTTEMPL) + strlen(table_ce.u.string);
++ size = strlen(MYSQL_INSERTTEMPL) + strlen(table_ce.u.string) + 1;
+
+ for (f = fields; f; f = f->next) {
+ /* we need space for the key and a comma, as well as
+@@ -252,25 +270,26 @@ static int mysql_createstmt(void)
+ ulogd_log(ULOGD_DEBUG, "allocating %u bytes for statement\n", size);
+
+ stmt = (char *) malloc(size);
+-
+ if (!stmt) {
+ ulogd_log(ULOGD_ERROR, "OOM!\n");
+ return 1;
+ }
++ stmt_siz = size;
+
+- sprintf(stmt, "insert into %s (", table_ce.u.string);
++ snprintf(stmt, stmt_siz, "insert into %s (", table_ce.u.string);
+ stmt_val = stmt + strlen(stmt);
+
+ for (f = fields; f; f = f->next) {
+- strncpy(buf, f->name, ULOGD_MAX_KEYLEN);
++ strncpy(buf, f->name, ULOGD_MAX_KEYLEN-1);
++ buf[ULOGD_MAX_KEYLEN-1] = '\0';
+ while ((underscore = strchr(buf, '.')))
+ *underscore = '_';
+- sprintf(stmt_val, "%s,", buf);
++ snprintf(stmt_val, stmt_siz-(stmt_val-stmt), "%s,", buf);
+ stmt_val = stmt + strlen(stmt);
+ }
+ *(stmt_val - 1) = ')';
+
+- sprintf(stmt_val, " values (");
++ snprintf(stmt_val, stmt_siz-(stmt_val-stmt), " values (");
+ stmt_val = stmt + strlen(stmt);
+
+ ulogd_log(ULOGD_DEBUG, "stmt='%s'\n", stmt);
+@@ -298,7 +317,8 @@ static int mysql_get_columns(const char
+ while ((field = mysql_fetch_field(result))) {
+
+ /* replace all underscores with dots */
+- strncpy(buf, field->name, ULOGD_MAX_KEYLEN);
++ strncpy(buf, field->name, ULOGD_MAX_KEYLEN-1);
++ buf[ULOGD_MAX_KEYLEN-1] = '\0';
+ while ((underscore = strchr(buf, '_')))
+ *underscore = '.';
+
+@@ -317,7 +337,8 @@ static int mysql_get_columns(const char
+ ulogd_log(ULOGD_ERROR, "OOM!\n");
+ return 1;
+ }
+- strncpy(f->name, buf, ULOGD_MAX_KEYLEN);
++ strncpy(f->name, buf, ULOGD_MAX_KEYLEN-1);
++ f->name[ULOGD_MAX_KEYLEN-1] = '\0';
+ f->id = id;
+ f->next = fields;
+ fields = f;
+--- pgsql/ulogd_PGSQL.c
++++ pgsql/ulogd_PGSQL.c 2007/01/08 18:20:04
+@@ -39,6 +39,9 @@ static struct _field *fields;
+ /* buffer for our insert statement */
+ static char *stmt;
+
++/* size of our insert statement buffer */
++static size_t stmt_siz;
++
+ /* pointer to the beginning of the "VALUES" part */
+ static char *stmt_val;
+
+@@ -120,62 +123,78 @@ static int pgsql_output(ulog_iret_t *res
+
+ if (!res || !IS_VALID((*res))) {
+ /* no result, we have to fake something */
+- sprintf(stmt_ins, "NULL,");
++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "NULL,");
+ stmt_ins = stmt + strlen(stmt);
+ continue;
+ }
+
+ switch (res->type) {
+ case ULOGD_RET_INT8:
+- sprintf(stmt_ins, "%d,", res->value.i8);
++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "%d,", res->value.i8);
+ break;
+ case ULOGD_RET_INT16:
+- sprintf(stmt_ins, "%d,", res->value.i16);
++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "%d,", res->value.i16);
+ break;
+ case ULOGD_RET_INT32:
+- sprintf(stmt_ins, "%d,", res->value.i32);
++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "%d,", res->value.i32);
+ break;
+ case ULOGD_RET_INT64:
+- sprintf(stmt_ins, "%lld,", res->value.i64);
++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "%lld,", res->value.i64);
+ break;
+ case ULOGD_RET_UINT8:
+- sprintf(stmt_ins, "%u,", res->value.ui8);
++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "%u,", res->value.ui8);
+ break;
+ case ULOGD_RET_UINT16:
+- sprintf(stmt_ins, "%u,", res->value.ui16);
++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "%u,", res->value.ui16);
+ break;
+ case ULOGD_RET_IPADDR:
+ #ifdef IP_AS_STRING
+- *stmt_ins++ = '\'';
+ memset(&addr, 0, sizeof(addr));
+ addr.s_addr = ntohl(res->value.ui32);
+ tmpstr = (char *)inet_ntoa(addr);
+- PQescapeString(stmt_ins,tmpstr,strlen(tmpstr));
+- stmt_ins = stmt + strlen(stmt);
+- sprintf(stmt_ins, "',");
++ if(stmt_siz > (stmt_ins-stmt)+(strlen(tmpstr)*2)+4)
++ {
++ *stmt_ins++ = '\'';
++ PQescapeString(stmt_ins,tmpstr,strlen(tmpstr));
++ stmt_ins = stmt + strlen(stmt);
++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "',");
++ }
++ else
++ {
++ ulogd_log(ULOGD_NOTICE,"%s: pgsql - no space to add escaped ip string to insert statement\n");
++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "'',");
++ }
+ break;
+ #endif /* IP_AS_STRING */
+ /* EVIL: fallthrough when logging IP as
+ * u_int32_t */
+
+ case ULOGD_RET_UINT32:
+- sprintf(stmt_ins, "%u,", res->value.ui32);
++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "%u,", res->value.ui32);
+ break;
+ case ULOGD_RET_UINT64:
+- sprintf(stmt_ins, "%llu,", res->value.ui64);
++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "%llu,", res->value.ui64);
+ break;
+ case ULOGD_RET_BOOL:
+- sprintf(stmt_ins, "'%d',", res->value.b);
++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "'%d',", res->value.b);
+ break;
+ case ULOGD_RET_STRING:
+- *stmt_ins++ = '\'';
+- PQescapeString(stmt_ins,res->value.ptr,strlen(res->value.ptr));
+- stmt_ins = stmt + strlen(stmt);
+- sprintf(stmt_ins, "',");
++ if(stmt_siz > (stmt_ins-stmt)+(strlen(res->value.ptr)*2)+4)
++ {
++ *stmt_ins++ = '\'';
++ PQescapeString(stmt_ins,res->value.ptr,strlen(res->value.ptr));
++ stmt_ins = stmt + strlen(stmt);
++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "',");
++ }
++ else
++ {
++ ulogd_log(ULOGD_NOTICE,"%s: pgsql - no space to add escaped string to insert statement\n");
++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "'',");
++ }
+ break;
+ case ULOGD_RET_RAW:
+ ulogd_log(ULOGD_NOTICE,"%s: pgsql doesn't support type RAW\n",res->key);
+- sprintf(stmt_ins, "NULL,");
++ snprintf(stmt_ins, stmt_siz-(stmt_ins-stmt), "NULL,");
+ break;
+ default:
+ ulogd_log(ULOGD_NOTICE,
+@@ -205,12 +224,13 @@ static int pgsql_output(ulog_iret_t *res
+ /* Determine if server support schemas */
+ static int pgsql_namespace(void) {
+ PGresult *result;
+- char pgbuf[strlen(PGSQL_HAVE_NAMESPACE_TEMPLATE)+strlen(schema_ce.u.string)+1];
++ size_t pgbuf_siz = strlen(PGSQL_HAVE_NAMESPACE_TEMPLATE)+strlen(schema_ce.u.string)+1;
++ char pgbuf[pgbuf_siz];
+
+ if (!dbh)
+ return 1;
+
+- sprintf(pgbuf, PGSQL_HAVE_NAMESPACE_TEMPLATE, schema_ce.u.string);
++ snprintf(pgbuf, pgbuf_siz, PGSQL_HAVE_NAMESPACE_TEMPLATE, schema_ce.u.string);
+ ulogd_log(ULOGD_DEBUG, "%s\n", pgbuf);
+
+ result = PQexec(dbh, pgbuf);
+@@ -265,25 +285,27 @@ static int pgsql_createstmt(void)
+ ulogd_log(ULOGD_ERROR, "OOM!\n");
+ return 1;
+ }
++ stmt_siz = size;
+
+ if (pgsql_have_schemas) {
+- sprintf(stmt, "insert into %s.%s (", schema_ce.u.string, table_ce.u.string);
++ snprintf(stmt, stmt_siz, "insert into %s.%s (", schema_ce.u.string, table_ce.u.string);
+ } else {
+- sprintf(stmt, "insert into %s (", table_ce.u.string);
++ snprintf(stmt, stmt_siz, "insert into %s (", table_ce.u.string);
+ }
+
+ stmt_val = stmt + strlen(stmt);
+
+ for (f = fields; f; f = f->next) {
+- strncpy(buf, f->name, ULOGD_MAX_KEYLEN);
++ strncpy(buf, f->name, ULOGD_MAX_KEYLEN-1);
++ buf[ULOGD_MAX_KEYLEN-1] = '\0';
+ while ((underscore = strchr(buf, '.')))
+ *underscore = '_';
+- sprintf(stmt_val, "%s,", buf);
++ snprintf(stmt_val, stmt_siz-(stmt_val-stmt), "%s,", buf);
+ stmt_val = stmt + strlen(stmt);
+ }
+ *(stmt_val - 1) = ')';
+
+- sprintf(stmt_val, " values (");
++ snprintf(stmt_val, stmt_siz-(stmt_val-stmt), " values (");
+ stmt_val = stmt + strlen(stmt);
+
+ ulogd_log(ULOGD_DEBUG, "stmt='%s'\n", stmt);
+@@ -331,7 +353,8 @@ static int pgsql_get_columns(const char
+ for (intaux=0; intaux<PQntuples(result); intaux++) {
+
+ /* replace all underscores with dots */
+- strncpy(buf, PQgetvalue(result, intaux, 0), ULOGD_MAX_KEYLEN);
++ strncpy(buf, PQgetvalue(result, intaux, 0), ULOGD_MAX_KEYLEN-1);
++ buf[ULOGD_MAX_KEYLEN-1] = '\0';
+ while ((underscore = strchr(buf, '_')))
+ *underscore = '.';
+
+@@ -350,7 +373,8 @@ static int pgsql_get_columns(const char
+ ulogd_log(ULOGD_ERROR, "OOM!\n");
+ return 1;
+ }
+- strncpy(f->name, buf, ULOGD_MAX_KEYLEN);
++ strncpy(f->name, buf, ULOGD_MAX_KEYLEN-1);
++ f->name[ULOGD_MAX_KEYLEN-1] = '\0';
+ f->id = id;
+ f->next = fields;
+ fields = f;
+@@ -384,32 +408,34 @@ static int pgsql_open_db(char *server, i
+ if (port)
+ len += 20;
+
+- connstr = (char *) malloc(len);
++ connstr = (char *) malloc(len+1);
+ if (!connstr)
+ return 1;
+
+ if (server) {
+- strcpy(connstr, " host=");
+- strcat(connstr, server);
++ strncpy(connstr, " host=", len);
++ connstr[len] = '\0';
++ strncat(connstr, server, len-strlen(connstr));
+ }
+
+ if (port) {
+ char portbuf[20];
+ snprintf(portbuf, sizeof(portbuf), " port=%u", port);
+- strcat(connstr, portbuf);
++ strncat(connstr, portbuf, len-strlen(connstr));
+ }
+
+- strcat(connstr, " dbname=");
+- strcat(connstr, db);
+- strcat(connstr, " user=");
+- strcat(connstr, user);
++ strncat(connstr, " dbname=", len-strlen(connstr));
++ strncat(connstr, db, len-strlen(connstr));
++ strncat(connstr, " user=", len-strlen(connstr));
++ strncat(connstr, user, len-strlen(connstr));
+
+ if (pass) {
+- strcat(connstr, " password=");
+- strcat(connstr, pass);
++ strncat(connstr, " password=", len-strlen(connstr));
++ strncat(connstr, pass, len-strlen(connstr));
+ }
+
+ dbh = PQconnectdb(connstr);
++ free(connstr);
+ if (PQstatus(dbh)!=CONNECTION_OK) {
+ exit_nicely(dbh);
+ return 1;
+--- sqlite3/ulogd_SQLITE3.c
++++ sqlite3/ulogd_SQLITE3.c 2007/01/08 18:20:04
+@@ -55,6 +55,9 @@ static struct _field *fields;
+ /* buffer for our insert statement */
+ static char *stmt;
+
++/* size of our insert statement buffer */
++static size_t stmt_siz;
++
+ /* pointer to the final prepared statement */
+ static sqlite3_stmt *p_stmt;
+
+@@ -193,7 +196,7 @@ static int _sqlite3_output(ulog_iret_t *
+ static int _sqlite3_createstmt(void)
+ {
+ struct _field *f;
+- unsigned int size;
++ size_t size;
+ char buf[ULOGD_MAX_KEYLEN];
+ char *underscore;
+ char *stmt_pos;
+@@ -207,7 +210,7 @@ static int _sqlite3_createstmt(void)
+ }
+
+ /* caclulate the size for the insert statement */
+- size = strlen(_SQLITE3_INSERTTEMPL) + strlen(table_ce.u.string);
++ size = strlen(_SQLITE3_INSERTTEMPL) + strlen(table_ce.u.string) + 1;
+
+ DEBUGP("initial size: %u\n", size);
+
+@@ -230,29 +233,31 @@ static int _sqlite3_createstmt(void)
+ ulogd_log(ULOGD_ERROR, "OOM!\n");
+ return 1;
+ }
++ stmt_siz = size;
+
+- sprintf(stmt, "insert into %s (", table_ce.u.string);
++ snprintf(stmt, stmt_siz, "insert into %s (", table_ce.u.string);
+ stmt_pos = stmt + strlen(stmt);
+
+ for (f = fields; f; f = f->next) {
+- strncpy(buf, f->name, ULOGD_MAX_KEYLEN);
++ strncpy(buf, f->name, ULOGD_MAX_KEYLEN-1);
++ buf[ULOGD_MAX_KEYLEN-1] = '\0';
+ while ((underscore = strchr(buf, '.')))
+ *underscore = '_';
+- sprintf(stmt_pos, "%s,", buf);
++ snprintf(stmt_pos, stmt_siz-(stmt_pos-stmt), "%s,", buf);
+ stmt_pos = stmt + strlen(stmt);
+ }
+
+ *(stmt_pos - 1) = ')';
+
+- sprintf(stmt_pos, " values (");
++ snprintf(stmt_pos, stmt_siz-(stmt_pos-stmt), " values (");
+ stmt_pos = stmt + strlen(stmt);
+
+ for (i = 0; i < col_count - 1; i++) {
+- sprintf(stmt_pos,"?,");
++ snprintf(stmt_pos, stmt_siz-(stmt_pos-stmt), "?,");
+ stmt_pos += 2;
+ }
+
+- sprintf(stmt_pos, "?)");
++ snprintf(stmt_pos, stmt_siz-(stmt_pos-stmt), "?)");
+ ulogd_log(ULOGD_DEBUG, "stmt='%s'\n", stmt);
+
+ DEBUGP("about to prepare statement.\n");
+@@ -277,7 +282,7 @@ static int _sqlite3_createstmt(void)
+ static int _sqlite3_get_columns(const char *table)
+ {
+ char buf[ULOGD_MAX_KEYLEN];
+- char query[SQLITE_SELECT_LEN + CONFIG_VAL_STRING_LEN] = "select * from \0";
++ char query[SQLITE_SELECT_LEN + CONFIG_VAL_STRING_LEN + 1] = "select * from \0";
+ char *underscore;
+ struct _field *f;
+ sqlite3_stmt *schema_stmt;
+@@ -288,8 +293,8 @@ static int _sqlite3_get_columns(const ch
+ if (!dbh)
+ return 1;
+
+- strncat(query,table,LINE_LEN);
+-
++ strncat(query,table,sizeof(query)-strlen(query)-1);
++
+ result = sqlite3_prepare(dbh,query,-1,&schema_stmt,0);
+
+ if (result != SQLITE_OK)
+@@ -297,7 +302,8 @@ static int _sqlite3_get_columns(const ch
+
+ for (column = 0; column < sqlite3_column_count(schema_stmt); column++) {
+ /* replace all underscores with dots */
+- strncpy(buf, sqlite3_column_name(schema_stmt,column), ULOGD_MAX_KEYLEN);
++ strncpy(buf, sqlite3_column_name(schema_stmt,column), ULOGD_MAX_KEYLEN-1);
++ buf[ULOGD_MAX_KEYLEN-1] = '\0';
+ while ((underscore = strchr(buf, '_')))
+ *underscore = '.';
+
+@@ -316,7 +322,8 @@ static int _sqlite3_get_columns(const ch
+ ulogd_log(ULOGD_ERROR, "OOM!\n");
+ return 1;
+ }
+- strncpy(f->name, buf, ULOGD_MAX_KEYLEN);
++ strncpy(f->name, buf, ULOGD_MAX_KEYLEN-1);
++ f->name[ULOGD_MAX_KEYLEN-1] = '\0';
+ f->id = id;
+ f->next = fields;
+ fields = f;