Fix potential log forgery via status string
authorBen Hutchings <ben@decadent.org.uk>
Thu, 28 Jan 2016 01:44:10 +0000 (01:44 +0000)
committerBen Hutchings <ben@decadent.org.uk>
Thu, 28 Jan 2016 13:40:25 +0000 (13:40 +0000)
We should not include any control characters from the server status
message when logging it; in particular if we include '\n' this could
result in additional arbitrary log lines.  In dhcpv6_log_status_code,
replace all control characters with '?'.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
src/dhcpv6.c

index 2d8124f288171f966e777720254c401d7d3b14ce..08fe236f80db53b2ad785b87760778e38bed26eb 100644 (file)
@@ -23,6 +23,7 @@
 #include <unistd.h>
 #include <syslog.h>
 #include <stdbool.h>
+#include <ctype.h>
 #include <sys/time.h>
 #include <sys/ioctl.h>
 #include <sys/socket.h>
@@ -1290,16 +1291,22 @@ static int dhcpv6_calc_refresh_timers(void)
 
 
 static void dhcpv6_log_status_code(const uint16_t code, const char *scope,
-               const void *status_msg, const int len)
+               const void *status_msg, int len)
 {
-       uint8_t buf[len + 3];
+       const char *src = status_msg;
+       char buf[len + 3];
+       char *dst = buf;
 
-       memset(buf, 0, sizeof(buf));
        if (len) {
-               buf[0] = '(';
-               memcpy(&buf[1], status_msg, len);
-               buf[len + 1] = ')';
+               *dst++ = '(';
+               while (len--) {
+                       *dst = isprint((unsigned char)*src) ? *src : '?';
+                       src++;
+                       dst++;
+               }
+               *dst++ = ')';
        }
+       *dst = 0;
 
        syslog(LOG_WARNING, "Server returned %s status %i %s",
                scope, code, buf);
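Review bot: `len` is still a signed `int` that both sizes the VLA `char buf[len + 3]` and drives `while (len--)`, and nothing in this hunk rejects a negative or very large value. The caller is not visible here, so whether it can pass such a value is unconfirmed. If the length is taken from the server's option, a negative `len` makes the array size invalid and lets the loop write far past `buf`, while a large one places a server-chosen amount of data on the stack. I would bound it before `buf` is declared, for example `if (len < 0) len = 0;` followed by an upper clamp such as `if (len > MAX_STATUS_LOG_LEN) len = MAX_STATUS_LOG_LEN;` (the constant name is a placeholder), or switch to a fixed-size buffer. The function's closing brace lies outside the hunk, so anything after the `syslog()` call is not covered by this note.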