From f92e692eefa05ddb7b0b2817260b03262f30090e Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Thu, 28 Jan 2016 01:44:10 +0000 Subject: [PATCH] Fix potential log forgery via status string We should not include any control characters from the server status message when logging it; in particular if we include '\n' this could result in additional arbitrary log lines. In dhcpv6_log_status_code, replace all control characters with '?'. Signed-off-by: Ben Hutchings --- src/dhcpv6.c | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/src/dhcpv6.c b/src/dhcpv6.c index 2d8124f..08fe236 100644 --- a/src/dhcpv6.c +++ b/src/dhcpv6.c @@ -23,6 +23,7 @@ #include #include #include +#include #include #include #include @@ -1290,16 +1291,22 @@ static int dhcpv6_calc_refresh_timers(void) static void dhcpv6_log_status_code(const uint16_t code, const char *scope, - const void *status_msg, const int len) + const void *status_msg, int len) { - uint8_t buf[len + 3]; + const char *src = status_msg; + char buf[len + 3]; + char *dst = buf; - memset(buf, 0, sizeof(buf)); if (len) { - buf[0] = '('; - memcpy(&buf[1], status_msg, len); - buf[len + 1] = ')'; + *dst++ = '('; + while (len--) { + *dst = isprint((unsigned char)*src) ? *src : '?'; + src++; + dst++; + } + *dst++ = ')'; } + *dst = 0; syslog(LOG_WARNING, "Server returned %s status %i %s", scope, code, buf); -- 2.39.5