commit 25a6a61ecf6561bdb00e289175989e28d0fb26bb Author: kp@valhallalegends.com Date: Sat May 31 16:37:45 2008 -0500 ASN1: Fix stack variable overwrite when encoding OID. The call to sscanf specifies a format string of "%lu", a long unsigned int. The pointer argument was cast to unsigned long *, but this is wrong for 64 bit systems. On 64 bit systems, unsigned long is 64 bits, but the oid value is a SilcUInt32 on all systems. As a result, sscanf will overwrite a neighboring variable on the stack. Fix this by changing the format string to "%u" and removing the cast. diff --git a/lib/silcasn1/silcasn1_encode.c b/lib/silcasn1/silcasn1_encode.c index 8586a8c..3027129 100644 --- a/lib/silcasn1/silcasn1_encode.c +++ b/lib/silcasn1/silcasn1_encode.c @@ -351,7 +351,7 @@ silc_asn1_encoder(SilcAsn1 asn1, SilcStack stack1, SilcStack stack2, /* Get OID words from the string */ cp = strchr(oidstr, '.'); while (cp) { - if (sscanf(oidstr, "%lu", (unsigned long *)&oid) != 1) { + if (sscanf(oidstr, "%u", &oid) != 1) { SILC_LOG_DEBUG(("Malformed OID string")); goto fail; } @@ -362,7 +362,7 @@ silc_asn1_encoder(SilcAsn1 asn1, SilcStack stack1, SilcStack stack2, cp = strchr(oidstr, '.'); if (!cp) { - if (sscanf(oidstr, "%lu", (unsigned long *)&oid) != 1) { + if (sscanf(oidstr, "%u", &oid) != 1) { SILC_LOG_DEBUG(("Malformed OID string")); goto fail; } commit 9c93e2c6df752c32bcb64335b418523aae331715 Author: Pekka Riikonen Date: Fri Jul 31 22:32:57 2009 +0300 Fixed string format vulnerability in client entry handling. Reported and patch provided by William Cummings. diff --git a/lib/silcclient/client_entry.c b/lib/silcclient/client_entry.c index 4ec2e0a..6d125b5 100644 --- a/lib/silcclient/client_entry.c +++ b/lib/silcclient/client_entry.c @@ -800,10 +800,10 @@ SilcClientEntry silc_client_add_client(SilcClient client, client_entry->server, sizeof(client_entry->server)); if (nickname && client->internal->params->full_nicknames) silc_snprintf(client_entry->nickname, sizeof(client_entry->nickname), - nickname); + "%s", nickname); else if (nickname) silc_snprintf(client_entry->nickname, sizeof(client_entry->nickname), - parsed); + "%s", parsed); silc_parse_userfqdn(username, client_entry->username, sizeof(client_entry->username), @@ -890,10 +890,10 @@ void silc_client_update_client(SilcClient client, client_entry->server, sizeof(client_entry->server)); if (client->internal->params->full_nicknames) silc_snprintf(client_entry->nickname, sizeof(client_entry->nickname), - nickname); + "%s", nickname); else silc_snprintf(client_entry->nickname, sizeof(client_entry->nickname), - parsed); + "%s", parsed); /* Normalize nickname */ nick = silc_identifier_check(parsed, strlen(parsed), @@ -1186,7 +1186,7 @@ SilcClientEntry silc_client_nickname_format(SilcClient client, return NULL; silc_snprintf(client_entry->nickname, sizeof(client_entry->nickname), - cp); + "%s", cp); silc_free(cp); } commit a785cba501a940921d215c18bc410a53bf1b12e8 Author: Pekka Riikonen Date: Fri Aug 7 14:48:46 2009 +0300 More string format fixes in silcd and client libary diff --git a/lib/silcclient/command.c b/lib/silcclient/command.c index a9f9502..71fd348 100644 --- a/lib/silcclient/command.c +++ b/lib/silcclient/command.c @@ -955,7 +955,7 @@ SILC_FSM_STATE(silc_client_command_topic) } if (client->internal->params->full_channel_names) - silc_snprintf(tmp, sizeof(tmp), conn->current_channel->channel_name); + silc_snprintf(tmp, sizeof(tmp), "%s", conn->current_channel->channel_name); else silc_snprintf(tmp, sizeof(tmp), "%s%s%s", conn->current_channel->channel_name, @@ -2143,7 +2143,7 @@ SILC_FSM_STATE(silc_client_command_kick) } if (client->internal->params->full_channel_names) - silc_snprintf(tmp, sizeof(tmp), conn->current_channel->channel_name); + silc_snprintf(tmp, sizeof(tmp), "%s", conn->current_channel->channel_name); else silc_snprintf(tmp, sizeof(tmp), "%s%s%s", conn->current_channel->channel_name, @@ -2553,7 +2553,7 @@ SILC_FSM_STATE(silc_client_command_leave) } if (client->internal->params->full_channel_names) - silc_snprintf(tmp, sizeof(tmp), conn->current_channel->channel_name); + silc_snprintf(tmp, sizeof(tmp), "%s", conn->current_channel->channel_name); else silc_snprintf(tmp, sizeof(tmp), "%s%s%s", conn->current_channel->channel_name, @@ -2620,7 +2620,7 @@ SILC_FSM_STATE(silc_client_command_users) } if (conn->client->internal->params->full_channel_names) - silc_snprintf(tmp, sizeof(tmp), conn->current_channel->channel_name); + silc_snprintf(tmp, sizeof(tmp), "%s", conn->current_channel->channel_name); else silc_snprintf(tmp, sizeof(tmp), "%s%s%s", conn->current_channel->channel_name, commit f9acb085b819a7d0c6b3e9f40bc78f26bc2d429b Author: kp@valhallalegends.com Date: Fri Dec 12 21:38:54 2008 -0600 HTTP: fix stack overwrite due to format string error. On AMD64, %lu refers to a 64-bit unsigned value, but the address passed to sscanf points to a 32-bit unsigned value. This causes an adjoining value on the stack to be overwritten with data from the converted integer. Fix the format string to match the size of the supplied value, and remove the pointer cast. diff --git a/lib/silchttp/silchttpserver.c b/lib/silchttp/silchttpserver.c index fba3ba0..88d6174 100644 --- a/lib/silchttp/silchttpserver.c +++ b/lib/silchttp/silchttpserver.c @@ -194,7 +194,7 @@ static SilcBool silc_http_server_parse(SilcHttpServer httpd, /* Check we have received all data */ cl = silc_mime_get_field(conn->curheaders, "Content-Length"); - if (cl && sscanf(cl, "%lu", (unsigned long *)&cll) == 1) { + if (cl && sscanf(cl, "%u", &cll) == 1) { if (data_len < cll) { /* More data to come */ silc_mime_free(conn->curheaders);