[Devel] bug with security concerns
Ron Winacott
ronw at somanetworks.com
Mon Oct 23 18:15:49 CEST 2006
On Monday 23 October 2006 6:41 am, Elias Baixas wrote:
....
> In general, the common advice is not to use either sprintf or strcpy,
> to avoid this kind of dangerous bug, and to replace them with snprintf
> and strncpy (which is almost always the case in openser code), as well
> as %s by %.*s. Two caveats when doing the conversion: strncpy does not
> guarantee a NUL terminator when the source fills the buffer, and snprintf
> truncates silently, so its return value must be checked against the buffer
> size. Note also that %.*s bounds how much of the *input* is read, not how
> much *output* is written, so the destination still needs a size check.
>
> I hope it helps !
>
> Elias Baixas
Elias, this was a good find! But the issue with sprintf and strcpy is not
limited to just the progress module. Attached is a listing of all places in
the OpenSER code where I found unbounded sprintf()'s and strcpy()'s that also need
to be looked at and, where appropriate, converted to the bounded snprintf() and
strncpy() function calls (preferably snprintf() with its return value checked,
since strncpy() does not guarantee NUL termination). This is the dev-cvs tree head as of today.
The listing is raw grep output, so it needs triage rather than a blanket rewrite:
it includes commented-out lines (xjab_jcon.c 271 and 462), a LOG() message that
merely mentions sprintf (unixodbc/val.c 112), and a number of fixed-width formats
(e.g. "%08X", "%02X") or string-literal copies that cannot overflow as long as the
destination buffer is sized for them. The hits worth looking at first are the ones
that copy data that can originate from the network or configuration without a
length check -- for example strcpy() of hostname, stream_id and resource in
xjab_jcon.c, the room/floor/site/domain URI built with %s in pa/publish.c, and the
modem PIN and SMSC strings in the sms module. Each of those needs someone to confirm
the destination buffer size against the maximum possible source length.
ronw
--
Ron Winacott - SOMA Networks, Inc.
---
The scientists of today think deeply instead of clearly. One must be sane to
think clearly, but one can think deeply and be quite insane.
- Nikola Tesla
-------------- next part --------------
[-]Search for: sprintf
[-]sip-server/modules/jabber/xjab_jcon.c 6
191: sprintf(msg_buff, JB_CLIENT_OPEN_STREAM, jbc->hostname);
213: sprintf(msg_buff, "%08X", jbc->seq_nr);
271: //sprintf(msg_buff, "%s%s", jbc->stream_id, passwd);
289: sprintf(msg_buff, "%08X", jbc->seq_nr);
385: sprintf(buff, "%08X", jbc->seq_nr);
462: //sprintf(msg_buff, JB_MSG_NORMAL, to, msg);
[-]sip-server/modules/lcr/lcr_mod.c 2
1272: sprintf(at,"%d", strip);
1490: sprintf(at,"%d", strip);
[-]sip-server/modules/mangler/ip_helper.c 2
67: sprintf (hlp2, "%i.", addrp[i]);
70: sprintf (hlp2, "%i", addrp[3]);
[-]sip-server/modules/mediaproxy/functions.h 3
165: len = sprintf(buf, "%.*s%s%.*s", beforeHost.len, beforeHost.s,
168: len = sprintf(buf, "%.*s%s:%.*s", beforeHost.len, beforeHost.s,
171: len = sprintf(buf, "%.*s%s:%d%.*s", beforeHost.len, beforeHost.s,
[-]sip-server/modules/mediaproxy/mediaproxy.c 6
349: sprintf(&result[j], "%02X", (c & 0xff));
1333: sprintf(command, "delete %.*s info=\n", callId.len, callId.s);
1421: count = sprintf(command, "request %.*s", callId.len, callId.s);
1423: count = sprintf(command, "lookup %.*s", callId.len, callId.s);
1427: count = sprintf(ptr, "%c%.*s:%.*s:%.*s", c,
1449: sprintf(info, "from:%.*s,to:%.*s,fromtag:%.*s,totag:%.*s",
[-]sip-server/modules/nathelper/nathelper.c 1
1361: sprintf(cook, "%d_%u ", (int)mypid, myseqn);
[-]sip-server/modules/osp/osp_mod.c 3
202: sprintf(_osp_PRIVATE_KEY, "%spkey.pem", CFG_DIR);
207: sprintf(_osp_LOCAL_CERTIFICATE, "%slocalcert.pem", CFG_DIR);
212: sprintf(_osp_CA_CERTIFICATE, "%scacert_0.pem", CFG_DIR);
[-]sip-server/modules/pa/notify.c 9
599: len += sprintf(body.s + len, "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n");
600: len += sprintf(body.s + len, "<documents xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">\r\n");
602: len += sprintf(body.s + len, " <document uri=\"http://%.*s/presence-lists/users/%.*s/presence.xml\">\r\n",
604: len += sprintf(body.s + len, " <change method=\"PUT\">someone at example.com</change>\r\n");
605: len += sprintf(body.s + len, " </document>\r\n");
608: len += sprintf(body.s + len, " <document uri=\"http://%.*s/watcherinfo/users/%.*s/watcherinfo.xml\">\r\n",
610: len += sprintf(body.s + len, " <change method=\"PUT\">someone at example.com</change>\r\n");
611: len += sprintf(body.s + len, " </document>\r\n");
613: len += sprintf(body.s + len, "</documents>\r\n");
[-]sip-server/modules/pa/pidf.c 5
234: priority_len = sprintf(priority_s, "%f", priority);
303: int len = sprintf(buf, "%g", _x);
310: int len = sprintf(buf, "%g", _y);
317: int len = sprintf(buf, "%g", _radius);
330: int prescap_l = sprintf(prescap, " <%s>%s</%s>%s",
[-]sip-server/modules/pa/presentity.c 1
467: tuple->id.len = sprintf(tuple->id.s, "tid%x", r);
[-]sip-server/modules/pa/publish.c 2
114: sprintf(l_uri.s, "%s.%s.%s@%s", room->s, floor->s, site->s, pa_domain.s);
150: sprintf(l_uri.s, "%s.%s.%s@%s", room->s, floor->s, site->s, pa_domain.s);
[-]sip-server/modules/pa/subscribe.c 1
252: offset += sprintf(buf+offset, ":%#06x", *a);
[-]sip-server/modules/pa/watcher.c 1
169: watcher->s_id.len = sprintf(watcher->s_id.s, "SID%08x", h);
[-]sip-server/modules/sms/libsms_getsms.c 4
168: clen=sprintf(command,"AT+CMGR=%i\r",sim);
207: clen = sprintf(command,"AT+CMGD=%i\r",sim);
320: sprintf(sms->date,"%c%c-%c%c-%c%c",start[3],start[4],start[0],start[1],
324: sprintf(sms->time,"%c%c:%c%c:%c%c",start[0],start[1],start[3],start[4],
[-]sip-server/modules/sms/libsms_modem.c 2
229: clen=sprintf(command,"AT+CPIN=\"%s\"\r",mdm->pin);
396: clen=sprintf(command,"AT+CSCA=\"+%s\"\r",smsc);
[-]sip-server/modules/sms/libsms_putsms.c 7
143: pdu_len += sprintf(pdu,"%02X00%02X91%s00%02X%02X",flags,
146: pdu_len += sprintf(pdu,"00%02X00%02X91%s00%02XA7%02X",flags,
201: clen = sprintf(command,"AT+CMGS=%i\r",pdu_len/2);
203: clen = sprintf(command,"AT+CMGS=\"+%.*s\"\r",sms_messg->to.len,
206: clen = sprintf(command,"AT+CMGS=%i\r",pdu_len/2-1);
209: clen2=sprintf(command2,"%.*s\x1A",sms_messg->text.len,
212: clen2=sprintf(command2,"%.*s\x1A",pdu_len,pdu);
[-]sip-server/modules/unixodbc/val.c 1
112: LOG(L_ERR, "int2str: Error in sprintf\n");
[-]sip-server/utils/openserunix/openserunix.c 1
75: sprintf(name, "/tmp/OpenSER.%d.XXXXXX", getpid());
[-]Search for: strcpy
[-]sip-server/cfg.tab.c 2
3721: { mpath=(yyvsp[0].strval); strcpy(mpath_buf, (yyvsp[0].strval));
3746: strcpy(mpath_buf+mpath_len, (yyvsp[0].strval));
[-]sip-server/modules/alias_db/alookup.c 2
131: strcpy(user_s.s,
164: strcpy(user_s.s,
[-]sip-server/modules/avpops/avpops.c 1
277: strcpy(sp->sval.p.val.s,s);
[-]sip-server/modules/cpl-c/cpl.c 1
398: strcpy(cpl_env.orig_tz.s+3,ptr);
[-]sip-server/modules/cpl-c/cpl_nonsig.c 1
237: strcpy( file, log_dir);
[-]sip-server/modules/dbtext/dbt_base.c 1
80: strcpy(dbt_path, CFG_DIR);
[-]sip-server/modules/jabber/jabber.c 2
853: strcpy(_bb, "<h4>SER2Jabber Gateway</h4>");
908: strcpy(_bb, "<h4>Active XMPP connections</h4>");
[-]sip-server/modules/jabber/xjab_jcon.c 3
79: strcpy(jbc->hostname, hostname);
272: strcpy(msg_buff, jbc->stream_id);
332: strcpy(jbc->resource, resource);
[-]sip-server/modules/jabber/xjab_worker.c 3
801: strcpy(lbuf, "{Error sending following message} - ");
805: strcpy(lbuf, "{Error (");
1178: strcpy(buf1,"Content-Type: text/plain"CRLF"Contact: ");
[-]sip-server/modules/jabber/xpool.c 1
197: strcpy(ret,src);
[-]sip-server/modules/jabber/xsnprintf.c 1
425: *len = strlen(strcpy(buf, p));
[-]sip-server/modules/msilo/msilo.c 1
693: strcpy(buf1, CONTACT_PREFIX);
[-]sip-server/modules/nathelper/nathelper.c 1
2071: strcpy(newip, cp);
[-]sip-server/modules/osp/orig_transaction.c 2
178: strcpy(dest->source, source);
179: strcpy(dest->srcdev, sourcedev);
[-]sip-server/modules/osp/term_transaction.c 1
157: strcpy(dest.host, _osp_device_ip);
[-]sip-server/modules/permissions/hash.c 2
161: (void) strcpy(np->pattern, pattern);
177: (void) strcpy(np->tag.s, tag);
[-]sip-server/modules/permissions/parse_config.c 1
124: strcpy(str2, str);
[-]sip-server/modules/permissions/permissions.c 7
230: strcpy(buffer, name);
295: strcpy(buffer, "sip:");
369: strcpy(ruri_str, "sip:");
483: strcpy(buffer, (char*)*param);
488: strcpy(buffer + param_len, deny_suffix);
524: strcpy(buffer, (char*)*param);
529: strcpy(buffer + param_len, deny_suffix);
[-]sip-server/modules/permissions/rule.c 1
133: strcpy(e->value, str);
[-]sip-server/modules/postgres/aug_alloc.c 2
530: strcpy(new, str);
558: strcpy(c, *vec);
[-]sip-server/modules/postgres/aug_util.c 1
123: strcpy(aug_module_name, prog);
[-]sip-server/modules/siptrace/siptrace.c 8
336: strcpy(fromip_buff, ip_addr2a(&msg->rcv.src_ip));
590: strcpy(fromip_buff, ip_addr2a(&msg->rcv.src_ip));
612: strcpy(toip_buff+4, ip_addr2a(&to_ip));
834: strcpy(fromip_buff, ip_addr2a(&msg->rcv.src_ip));
843: strcpy(statusbuf, int2str(ps->code, NULL));
863: strcpy(toip_buff+4, ip_addr2a(&to_ip));
1024: strcpy(statusbuf, int2str(sl_param->code, NULL));
1043: strcpy(toip_buff+4, ip_addr2a(&to_ip));
[-]sip-server/modules/sms/libsms_getsms.c 4
192: strcpy(pdu,beginning);
289: strcpy(sms->ascii,start);
303: strcpy(sms->sender,start);
316: strcpy(sms->name,start);
[-]sip-server/modules/sms/libsms_modem.c 4
298: strcpy(command,"AT+CMGF=0\r");
303: strcpy(command,"AT S7=45 S0=0 L1 V1 X4 &c1 E1 Q0\r");
307: strcpy(command,"AT+CSMP=49,167,0,241\r");
311: strcpy(command,"AT+CNMI=1,1,0,1,0\r");
[-]sip-server/modules/speeddial/sdlookup.c 1
170: strcpy(user_s.s,
[-]sip-server/modules/unixodbc/my_con.c 1
201: if(stret) strcpy( stret, (char*)state );
[-]sip-server/modules/unixodbc/res.c 1
183: strcpy(temp_row[i].s, "NULL");