Snort mailing list archives
Possible Issues with strncpy() calls in DAQ-2.0.x and Snort-2.9.5.x
From: Bill Parker <wp02855 () gmail com>
Date: Tue, 13 Aug 2013 09:55:57 -0700
Hello All,

In DAQ-2.0.1, directory 'os-daq-modules', file 'daq_afpacket.c',
I found two instances of calls to strncpy() which are not NULL
terminated (compared to a call to strcpy() which NULL terminates
the resulting string).

The patch file below adds the NULL byte:

--- daq_afpacket.c.orig 2013-08-12 19:07:36.190972370 -0700
+++ daq_afpacket.c 2013-08-12 19:10:11.983969620 -0700
@@ -110,6 +110,7 @@
memset(&ifr, 0, sizeof(ifr));
strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
+ ifr.ifr_name[sizeof(ifr.ifr_name)-1] = '\0';
if (ioctl(instance->fd, SIOCGIFINDEX, &ifr) == -1)
return -1;
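
Review bot: Forcing the terminator after the strncpy() into ifr.ifr_name silently truncates a device string of sizeof(ifr.ifr_name) characters or more, so the SIOCGIFINDEX ioctl that follows is issued for a shortened name that may belong to a different interface. Consider rejecting the over-long name before the copy, for example returning -1 when strlen(device) >= sizeof(ifr.ifr_name), which is the same error return the failed ioctl already uses.
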
@@ -151,6 +152,7 @@
memset(&ifr, 0, sizeof(ifr));
strncpy(ifr.ifr_name, instance->name, sizeof(ifr.ifr_name));
+ ifr.ifr_name[sizeof(ifr.ifr_name)-1] = '\0';
if (ioctl(instance->fd, SIOCGIFHWADDR, &ifr) == -1)
{
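
Review bot: The memset() two lines above the new assignment already zeroes ifr, so passing sizeof(ifr.ifr_name) - 1 as the strncpy() bound would leave the final byte as the terminator without the extra line. Either form works, but an over-long instance->name is still truncated silently before SIOCGIFHWADDR; add an explicit length check or a comment stating why the name can never reach that length here.
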

A 'make' and 'make install' result in successful compilation :)

I am attaching the patch file to this email.

I found the same situation in Snort-2.9.5.3, directory
'src/dynamic-preprocessors/ftptelnet', file 'snort_ftptelnet.c'
where calls to strncpy() do NOT appear to be null terminated.
The patch file below addresses this issue:

--- snort_ftptelnet.c.orig 2013-08-12 19:24:10.181973164 -0700
+++ snort_ftptelnet.c 2013-08-12 19:28:09.326970179 -0700
@@ -1558,6 +1558,7 @@
}
strncpy(curr_format, start_ch, curr_len);
+ curr_format[curr_len] = '\0';
CurrFmt->format_string = curr_format;
curr_len = 0;
CurrFmt->optional = OptFmt;
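
Review bot: The added write to curr_format[curr_len] is in bounds only if curr_format holds at least curr_len + 1 bytes, and the allocation is not visible in this context. Please confirm the size at the allocation site here and at the other five identical sites: if the buffer is exactly curr_len bytes this line writes one byte past its end, and if it is allocated zeroed with curr_len + 1 bytes the terminator is already present and the line is redundant.
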
@@ -1584,6 +1585,7 @@
}
strncpy(curr_format, start_ch, curr_len);
+ curr_format[curr_len] = '\0';
CurrFmt->format_string = curr_format;
curr_len = 0;
}
@@ -1611,6 +1613,7 @@
}
strncpy(curr_format, start_ch, curr_len);
+ curr_format[curr_len] = '\0';
CurrFmt->format_string = curr_format;
curr_len = 0;
}
@@ -1668,6 +1671,7 @@
}
strncpy(curr_format, start_ch, curr_len);
+ curr_format[curr_len] = '\0';
CurrFmt->format_string = curr_format;
curr_len = 0;
*format = curr_ch;
@@ -1692,6 +1696,7 @@
}
strncpy(curr_format, start_ch, curr_len);
+ curr_format[curr_len] = '\0';
CurrFmt->format_string = curr_format;
curr_len = 0;
*format = curr_ch;
@@ -1721,6 +1726,7 @@
}
strncpy(curr_format, start_ch, curr_len);
+ curr_format[curr_len] = '\0';
CurrFmt->format_string = curr_format;
start_ch = curr_ch;
curr_len = 0;
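
Review bot: The strncpy()/terminate/assign sequence on curr_format now appears six times in this patch, this hunk being the last. A small static helper that copies curr_len bytes from start_ch and terminates the result would keep the termination rule in one place, so a later call site cannot omit it.
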

A 'make' and 'make install' result in successful compilation :)

I am attaching the patch file to this email.

Bill Parker (wp02855 at gmail dot com)

Attachment: strncpy-daq_afpacket.c.patch
Attachment: strncpy-snort_ftptelnet.c.patch
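
The strncpy() behaviour this message is about, as an added example that is not code from DAQ, Snort or the original post: a zeroed buffer filled with strncpy() at the full buffer size loses its terminator when the source is too long, and a copy routine can reject that input instead of truncating it. NAME_SZ, is_terminated(), unpatched_copy_terminated() and copy_name() are hypothetical names, and the input strings are constructed.

```c
#include <stdio.h>
#include <string.h>

#define NAME_SZ 16  /* assumption: stands in for sizeof(ifr.ifr_name) */

/* Returns 1 if buf contains a NUL within its first sz bytes, else 0. */
static int is_terminated(const char *buf, size_t sz)
{
    return memchr(buf, '\0', sz) != NULL;
}

/* The pre-patch pattern: zero the buffer, then strncpy() with the full
 * buffer size. A source of NAME_SZ or more characters overwrites every
 * zero byte, so no terminator is left. */
static int unpatched_copy_terminated(const char *src)
{
    char dst[NAME_SZ];
    memset(dst, 0, sizeof(dst));
    strncpy(dst, src, sizeof(dst));
    return is_terminated(dst, sizeof(dst));
}

/* Hypothetical helper: copy src into dst with its terminator, or return
 * -1 and leave dst untouched when src does not fit (no silent truncation). */
static int copy_name(char *dst, size_t dstsz, const char *src)
{
    size_t len = strlen(src);
    if (dstsz == 0 || len >= dstsz)
        return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

int main(void)
{
    char name[NAME_SZ];
    const char *ok = "eth0";                      /* constructed input */
    const char *too_long = "0123456789abcdefXYZ"; /* constructed, 19 chars */

    printf("unpatched short terminated: %d\n", unpatched_copy_terminated(ok));
    printf("unpatched long terminated:  %d\n", unpatched_copy_terminated(too_long));
    printf("copy_name short: %d\n", copy_name(name, sizeof(name), ok));
    printf("copy_name long:  %d\n", copy_name(name, sizeof(name), too_long));
    return 0;
}
```
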
_______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel Please visit http://blog.snort.org for the latest news about Snort!
