[Fedora-directory-commits] ldapserver/ldap/servers/slapd abandon.c, 1.4, 1.5 auth.c, 1.5, 1.6 csn.c, 1.4, 1.5 csngen.c, 1.5, 1.6 daemon.c, 1.7, 1.8 eventq.c, 1.4, 1.5 filter.c, 1.6, 1.7 log.c, 1.12, 1.13 proto-slap.h, 1.17, 1.18 resourcelimit.c, 1.4, 1.5 result.c, 1.6, 1.7 schema.c, 1.7, 1.8 slapi-plugin.h, 1.9, 1.10 slapi-private.h, 1.9, 1.10

Richard Allen Megginson (rmeggins) fedora-directory-commits at redhat.com
Tue Apr 11 02:14:47 UTC 2006


Author: rmeggins

Update of /cvs/dirsec/ldapserver/ldap/servers/slapd
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv8136/ldapserver/ldap/servers/slapd

Modified Files:
	abandon.c auth.c csn.c csngen.c daemon.c eventq.c filter.c 
	log.c proto-slap.h resourcelimit.c result.c schema.c 
	slapi-plugin.h slapi-private.h 
Log Message:
Bug(s) fixed: 186280
Bug Description: ldapserver: Close potential security vulnerabilities in CGI code
Reviewed by: Nathan, Noriko, and Pete (Thanks!)
Fix Description: Clean up usage of sprintf, strcpy, fgets instead of
gets, fixed buffer usage, etc., mostly in the CGI code and other user
facing code (i.e. setup).  Also, Steve Grubb told me about a GCC trick
to force it to check printf style varargs functions, to check the format
string against the argument string, for type mismatches, missing
arguments, and too many arguments.
In the CGI form argument parsing code, we needed to be more careful
about checking for bad input - good input is supposed to look like this:
name=value&name=value&...&name=value.  I don't think the original code
was checking properly for something like name&name=value.
There was another place where we were not checking to see if a buffer
had enough room before appending a string to it.
I had to change a couple of functions to allow passing in the size of
the buffer.
Fixed some issues raised by Noriko and Nathan.
Platforms tested: RHEL4
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none



Index: abandon.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/abandon.c,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- abandon.c	19 Apr 2005 22:07:36 -0000	1.4
+++ abandon.c	11 Apr 2006 02:14:44 -0000	1.5
@@ -158,7 +158,7 @@
 			pb->pb_conn->c_connid, pb->pb_op->o_opid, id );
 	} else {
 		slapi_log_access( LDAP_DEBUG_STATS, "conn=%d op=%d ABANDON"
-			" targetop=%d msgid=%d nentries=%d etime=%d\n",
+			" targetop=%d msgid=%d nentries=%d etime=%ld\n",
 			pb->pb_conn->c_connid, pb->pb_op->o_opid, o->o_opid, id,
 			o->o_results.r.r_search.nentries, current_time() - o->o_time );
 
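Review bot: `etime=%ld` on the new line is paired with `current_time() - o->o_time`, whose type is not visible here; if both are time_t the argument matches `%ld` only on platforms where time_t is long, so the portable form is to cast, `(long)(current_time() - o->o_time)`. The same uncast time values go to `%ld` in the csngen.c hunks (`remote_offset`, `sampled_time`, `local_offset`, `remote_offset`), the eventq.c hunks (`when`, `current_time()`, `p->ec_when`) and the log.c hunk (`curr_time - log_createtime`); csngen.c already casts the limit with `(long)CSN_MAX_TIME_ADJUST`, so casting the value too would be consistent. The enclosing function starts and ends outside the hunk.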


Index: auth.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/auth.c,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- auth.c	19 Apr 2005 22:07:36 -0000	1.5
+++ auth.c	11 Apr 2006 02:14:44 -0000	1.6
@@ -445,7 +445,7 @@
 			!= SECSuccess) {
 		PRErrorCode errorCode = PR_GetError();
 		slapi_log_access (LDAP_DEBUG_STATS,
-			"conn=%d SSL failed to obtain cipher info; ",
+			"conn=%d SSL failed to obtain cipher info; "
 			SLAPI_COMPONENT_NAME_NSPR " error %i (%s)\n",
 			conn->c_connid, errorCode, slapd_pr_strerror(errorCode));
 		return;


Index: csn.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/csn.c,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- csn.c	19 Apr 2005 22:07:36 -0000	1.4
+++ csn.c	11 Apr 2006 02:14:44 -0000	1.5
@@ -372,11 +372,12 @@
 
 int csn_increment_subsequence (CSN *csn)
 {
+	PRUint16 maxsubseq = (PRUint16)0xFFFFFFFF;
 	if (csn == NULL)
 	{
 		return -1;
 	}
-	else if (csn->subseqnum == 0xFFFFFFFF)
+	else if (csn->subseqnum == maxsubseq)
 	{
 		slapi_log_error(SLAPI_LOG_FATAL, NULL, 
 						"csn_increment_subsequence: subsequence overflow\n");
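Review bot: `(PRUint16)0xFFFFFFFF` on the new line relies on the cast truncating the literal to 0xFFFF, which is what the comparison needs but reads as if a 32-bit limit were intended and will draw a `-Woverflow` warning; state the limit directly, `PRUint16 maxsubseq = 0xFFFF;` (or NSPR's `PR_UINT16_MAX`). A one-line comment such as `/* subseqnum is 16 bits; comparing against 0xFFFFFFFF could never match */` would record why the check changed, assuming that is what motivated it. csn_increment_subsequence continues past the hunk.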


Index: csngen.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/csngen.c,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- csngen.c	19 Apr 2005 22:07:36 -0000	1.5
+++ csngen.c	11 Apr 2006 02:14:44 -0000	1.6
@@ -338,8 +338,8 @@
 	    	else /* remote_offset > CSN_MAX_TIME_ADJUST */
 			{
 				slapi_log_error (SLAPI_LOG_FATAL, NULL, "csngen_adjust_time: "
-                            "adjustment limit exceeded; value - %d, limit - %d\n",
-                             remote_offset, CSN_MAX_TIME_ADJUST);
+                            "adjustment limit exceeded; value - %ld, limit - %ld\n",
+                             remote_offset, (long)CSN_MAX_TIME_ADJUST);
 				PR_RWLock_Unlock (gen->lock);
 				return CSN_LIMIT_EXCEEDED;
 			}
@@ -427,9 +427,9 @@
         PR_RWLock_Rlock (gen->lock);
         slapi_log_error(SLAPI_LOG_FATAL, NULL, "CSN generator's state:\n");
         slapi_log_error(SLAPI_LOG_FATAL, NULL, "\treplica id: %d\n", gen->state.rid);
-        slapi_log_error(SLAPI_LOG_FATAL, NULL, "\tsampled time: %d\n", gen->state.sampled_time);
-        slapi_log_error(SLAPI_LOG_FATAL, NULL, "\tlocal offset: %d\n", gen->state.local_offset);
-        slapi_log_error(SLAPI_LOG_FATAL, NULL, "\tremote offset: %d\n", gen->state.remote_offset);
+        slapi_log_error(SLAPI_LOG_FATAL, NULL, "\tsampled time: %ld\n", gen->state.sampled_time);
+        slapi_log_error(SLAPI_LOG_FATAL, NULL, "\tlocal offset: %ld\n", gen->state.local_offset);
+        slapi_log_error(SLAPI_LOG_FATAL, NULL, "\tremote offset: %ld\n", gen->state.remote_offset);
         slapi_log_error(SLAPI_LOG_FATAL, NULL, "\tsequence number: %d\n", gen->state.seq_num);
         PR_RWLock_Unlock (gen->lock);
     }


Index: daemon.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/daemon.c,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- daemon.c	18 Nov 2005 21:07:38 -0000	1.7
+++ daemon.c	11 Apr 2006 02:14:44 -0000	1.8
@@ -2588,7 +2588,7 @@
 			if ( NULL == nspr_layer_fd ) {
 				slapi_log_error( SLAPI_LOG_FATAL, "configure_pr_socket",
 						"Unable to move socket file descriptor %d above %d:"
-						" PR_GetIdentitiesLayer( 0x%x, PR_NSPR_IO_LAYER )"
+						" PR_GetIdentitiesLayer( %p, PR_NSPR_IO_LAYER )"
 						" failed\n", ns, reservedescriptors, *pr_socket );
 				close( newfd );	/* can't fix things up in NSPR -- close copy */
 			} else {
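Review bot: `%p` on the new line receives `*pr_socket`, which is presumably a `PRFileDesc *` rather than the `void *` that `%p` is specified for; GCC's `-Wformat` accepts any object pointer for `%p`, so the new format attributes will not flag it, and the explicit cast `(void *)*pr_socket` is the portable spelling. The four eventq.c hunks pass `id`, `tmp->ec_id`, `ctx` and `p->ec_id` to `%p` the same way and need the cast unless Slapi_Eq_Context is already `void *`, which cannot be seen from here. configure_pr_socket starts and ends outside the hunk.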


Index: eventq.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/eventq.c,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- eventq.c	19 Apr 2005 22:07:36 -0000	1.4
+++ eventq.c	11 Apr 2006 02:14:44 -0000	1.5
@@ -143,7 +143,7 @@
 		/* scheduling. Too bad			 */
 
 		slapi_log_error(SLAPI_LOG_HOUSE, NULL,
-				"added one-time event id 0x%x at time %u\n",
+				"added one-time event id %p at time %ld\n",
 				id, when);
 		return(id);
 	}
@@ -175,7 +175,7 @@
 		tmp = eq_new(fn, arg, when, interval);
 		eq_enqueue(tmp);
 		slapi_log_error(SLAPI_LOG_HOUSE, NULL,
-				"added repeating event id 0x%x at time %u, interval %u\n",
+				"added repeating event id %p at time %ld, interval %lu\n",
 				tmp->ec_id, when, interval);
 		return(tmp->ec_id);
 	}
@@ -212,7 +212,7 @@
 		PR_Unlock(eq->eq_lock);
 	}
 	slapi_log_error(SLAPI_LOG_HOUSE, NULL,
-			"cancellation of event id 0x%x requested: %s\n",
+			"cancellation of event id %p requested: %s\n",
 			ctx, found ? "cancellation succeeded" : "event not found");
 	return found;
 }
@@ -306,7 +306,7 @@
 		/* Call the scheduled function */
 		p->ec_fn(p->ec_when, p->ec_arg);
 		slapi_log_error(SLAPI_LOG_HOUSE, NULL,
-				"Event id 0x%x called at %u (scheduled for %u)\n",
+				"Event id %p called at %ld (scheduled for %ld)\n",
 				p->ec_id, current_time(), p->ec_when);
 		if (0UL != p->ec_interval) {
 			/* This is a repeating event. Requeue it. */


Index: filter.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/filter.c,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- filter.c	23 Feb 2006 20:45:16 -0000	1.6
+++ filter.c	11 Apr 2006 02:14:44 -0000	1.7
@@ -100,14 +100,14 @@
 		logbuf = slapi_ch_malloc(logbufsize);
 		*logbuf = '\0';
 		slapi_log_error( SLAPI_LOG_FATAL, "get_filter", "before optimize: %s\n",
-				slapi_filter_to_string(*filt, logbuf, logbufsize), 0, 0 );
+				slapi_filter_to_string(*filt, logbuf, logbufsize));
 	}
 
 	filter_optimize(*filt);
 
 	if (NULL != logbuf) {
 		slapi_log_error( SLAPI_LOG_FATAL, "get_filter", " after optimize: %s\n",
-				slapi_filter_to_string(*filt, logbuf, logbufsize), 0, 0 );
+				slapi_filter_to_string(*filt, logbuf, logbufsize));
 		slapi_ch_free_string( &logbuf );
 	}
 


Index: log.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/log.c,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- log.c	19 Mar 2006 18:36:40 -0000	1.12
+++ log.c	11 Apr 2006 02:14:44 -0000	1.13
@@ -2269,7 +2269,7 @@
     			   "LOGINFO:End of Log because size exceeded(Max:%d bytes) (Is:%d bytes)\n", maxlogsize, f_size, 0);
     	} else  if ( type == LOG_EXPIRED) {
     		LDAPDebug(LDAP_DEBUG_TRACE,
-    			   "LOGINFO:End of Log because time exceeded(Max:%d secs) (Is:%d secs)\n",
+    			   "LOGINFO:End of Log because time exceeded(Max:%d secs) (Is:%ld secs)\n",
     				rotationtime_secs, curr_time - log_createtime,0);
     	}
     }


Index: proto-slap.h
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/proto-slap.h,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -r1.17 -r1.18
--- proto-slap.h	18 Mar 2006 17:57:39 -0000	1.17
+++ proto-slap.h	11 Apr 2006 02:14:44 -0000	1.18
@@ -557,7 +557,13 @@
  * log.c
  */
 int slapd_log_error_proc( char *subsystem, char *fmt, ... );
-int slapi_log_access( int level, char *fmt, ... );
+
+int slapi_log_access( int level, char *fmt, ... )
+#ifdef __GNUC__ 
+        __attribute__ ((format (printf, 2, 3)));
+#else
+        ;
+#endif
 int slapd_log_audit_proc(char *buffer, int buf_len);
 void log_access_flush();
 
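Review bot: The five-line `#ifdef __GNUC__` block wrapped around `slapi_log_access` is repeated verbatim for every annotated prototype (the schema.c hunk, the slapi-plugin.h hunk and both declarations in the slapi-private.h hunk), so the attribute spelling must be maintained in five places and each header becomes harder to scan. Defining the attribute once in a shared header as a macro lets every prototype stay on one line, as sketched below. `slapd_log_error_proc` on the context line directly above has the same `char *fmt, ...` shape and is left without the attribute; if it is printf-style it would benefit from the same check. The trailing space after `#ifdef __GNUC__` in each copy is stray whitespace.
```c
/* once, in a shared header; SLAPI_PRINTFLIKE is a constructed example name */
#ifdef __GNUC__
#define SLAPI_PRINTFLIKE(fmt_idx, arg_idx) __attribute__ ((format (printf, fmt_idx, arg_idx)))
#else
#define SLAPI_PRINTFLIKE(fmt_idx, arg_idx)
#endif

int slapd_log_error_proc( char *subsystem, char *fmt, ... );
int slapi_log_access( int level, char *fmt, ... ) SLAPI_PRINTFLIKE(2, 3);
```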


Index: resourcelimit.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/resourcelimit.c,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- resourcelimit.c	19 Apr 2005 22:07:37 -0000	1.4
+++ resourcelimit.c	11 Apr 2006 02:14:44 -0000	1.5
@@ -474,7 +474,7 @@
 				if ( slapi_valueset_next_value( vs, index, &v ) != -1 ) {
 					char ebuf[ BUFSIZ ];
 					slapi_log_error( SLAPI_LOG_FATAL, SLAPI_RESLIMIT_MODULE,
-							"%s: ignoring multiple values for %s in entry \n",
+							"%s: ignoring multiple values for %s in entry %s\n",
 							fnname, reslimit_map[ i ].rlmap_at,
 							escape_string( slapi_entry_get_dn_const( e ),
 							ebuf ));


Index: result.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/result.c,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- result.c	19 Apr 2005 22:07:37 -0000	1.6
+++ result.c	11 Apr 2006 02:14:44 -0000	1.7
@@ -1696,7 +1696,7 @@
 			{
 				slapi_log_access( LDAP_DEBUG_STATS,
 								  "conn=%d op=%d RESULT err=%d"
-								  " tag=%d nentries=%d etime=%s%s%s"
+								  " tag=%lu nentries=%d etime=%s%s%s"
 								  ", SASL bind in progress\n",
 								  op->o_connid, 
 								  op->o_opid,
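Review bot: `tag=%lu` on the new line is paired with `tag`, whose declaration is outside the hunk; this is correct only if `tag` is `ber_tag_t` and the LDAP SDK in use defines that as `unsigned long`, as the Mozilla and OpenLDAP SDKs do, so a cast `(unsigned long)tag` would keep the format valid should the typedef differ. The same `%d` to `%lu` change appears in the five following result.c hunks and the cast would apply to each. The enclosing function starts and ends outside the hunk.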
@@ -1708,7 +1708,7 @@
 			{
 				slapi_log_access( LDAP_DEBUG_ARGS,
 								  "conn=%s op=%d RESULT err=%d"
-								  " tag=%d nentries=%d etime=%s%s%s"
+								  " tag=%lu nentries=%d etime=%s%s%s"
 								  ", SASL bind in progress\n",
 									LOG_INTERNAL_OP_CON_ID,
 									LOG_INTERNAL_OP_OP_ID,
@@ -1728,7 +1728,7 @@
 			{
 				slapi_log_access( LDAP_DEBUG_STATS,
 								  "conn=%d op=%d RESULT err=%d"
-								  " tag=%d nentries=%d etime=%s%s%s"
+								  " tag=%lu nentries=%d etime=%s%s%s"
 								  " dn=\"%s\"\n",
 								  op->o_connid, 
 								  op->o_opid,
@@ -1740,7 +1740,7 @@
 			{
 				slapi_log_access( LDAP_DEBUG_ARGS,
 								  "conn=%s op=%d RESULT err=%d"
-								  " tag=%d nentries=%d etime=%s%s%s"
+								  " tag=%lu nentries=%d etime=%s%s%s"
 								  " dn=\"%s\"\n",
 									LOG_INTERNAL_OP_CON_ID,
 									LOG_INTERNAL_OP_OP_ID,	
@@ -1754,7 +1754,7 @@
 			{
 				slapi_log_access( LDAP_DEBUG_STATS,
 								  "conn=%d op=%d RESULT err=%d"
-								  " tag=%d nentries=%d etime=%s%s%s\n",
+								  " tag=%lu nentries=%d etime=%s%s%s\n",
 								  op->o_connid, 
 								  op->o_opid,
 								  err, tag, nentries, 
@@ -1765,7 +1765,7 @@
 			{
 				slapi_log_access( LDAP_DEBUG_ARGS,
 								  "conn=%s op=%d RESULT err=%d"
-								  " tag=%d nentries=%d etime=%s%s%s\n",
+								  " tag=%lu nentries=%d etime=%s%s%s\n",
 									LOG_INTERNAL_OP_CON_ID,
 									LOG_INTERNAL_OP_OP_ID,
 								  err, tag, nentries, 


Index: schema.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/schema.c,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- schema.c	19 Apr 2005 22:07:37 -0000	1.7
+++ schema.c	11 Apr 2006 02:14:44 -0000	1.8
@@ -151,7 +151,13 @@
 		const char *ignorestr );
 static PRBool schema_type_is_interesting( const char *type );
 static void schema_create_errormsg( char *errorbuf, size_t errorbufsize,
-		const char *prefix, const char *name, const char *fmt, ... );
+		const char *prefix, const char *name, const char *fmt, ... )
+#ifdef __GNUC__ 
+        __attribute__ ((format (printf, 5, 6)));
+#else
+        ;
+#endif
+
 
 /* Some utility functions for dealing with a dynamic buffer */
 
@@ -4066,7 +4072,7 @@
 		{
 			slapi_log_error(SLAPI_LOG_FATAL, "schema", "Could not add"
 				" attribute type \"objectClass\" to the schema: %s\n",
-				errorbuf, 0, 0);
+				errorbuf);
 		}
 
 		rc = dse_read_file(pschemadse, &pb);


Index: slapi-plugin.h
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/slapi-plugin.h,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- slapi-plugin.h	23 Feb 2006 20:47:59 -0000	1.9
+++ slapi-plugin.h	11 Apr 2006 02:14:44 -0000	1.10
@@ -850,7 +850,12 @@
 struct berval*  slapi_ch_bvdup(const struct berval*);
 struct berval** slapi_ch_bvecdup(struct berval**);
 void slapi_ch_bvfree(struct berval** v);
-char * slapi_ch_smprintf(const char *fmt, ...);
+char * slapi_ch_smprintf(const char *fmt, ...)
+#ifdef __GNUC__ 
+        __attribute__ ((format (printf, 1, 2)));
+#else
+        ;
+#endif
 
 /*
  * syntax plugin routines


Index: slapi-private.h
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/slapi-private.h,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- slapi-private.h	12 Aug 2005 05:49:54 -0000	1.9
+++ slapi-private.h	11 Apr 2006 02:14:44 -0000	1.10
@@ -1211,8 +1211,19 @@
 
 int slapi_task_register_handler(const char *name, dseCallbackFn func);
 void slapi_task_status_changed(Slapi_Task *task);
-void slapi_task_log_status(Slapi_Task *task, char *format, ...);
-void slapi_task_log_notice(Slapi_Task *task, char *format, ...);
+void slapi_task_log_status(Slapi_Task *task, char *format, ...)
+#ifdef __GNUC__ 
+        __attribute__ ((format (printf, 2, 3)));
+#else
+        ;
+#endif
+
+void slapi_task_log_notice(Slapi_Task *task, char *format, ...)
+#ifdef __GNUC__ 
+        __attribute__ ((format (printf, 2, 3)));
+#else
+        ;
+#endif
 
 /* End of interface to support online tasks **********************************/
 



