| Summary: | net/xmlrpc-c: Fix overflow warning - update to 1.39.10 | | |
|---|---|---|---|
| Product: | Ports & Packages | Reporter: | Walter Schwarzenfeld <w.schwarzenfeld> |
| Component: | Individual Port(s) | Assignee: | Renato Botelho <garga> |
| Status: | Closed FIXED | | |
| Severity: | Affects Only Me | Keywords: | needs-qa |
| Priority: | --- | Flags: | garga: maintainer-feedback+, garga: merge-quarterly+ |
| Version: | Latest | | |
| Hardware: | Any | | |
| OS: | Any | | |

I think this is the cause:
-#define STRSCAT(A,B) \
- (strncat((A), (B), sizeof(A)-strlen(A)), *((A)+sizeof(A)-1) = '\0')
+#define STRNSCAT(A,B) \
(strncat((A), (B), sizeof(A)-strlen(A)-1), *((A)+sizeof(A)-1) = '\0')
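Review bot: In the new STRNSCAT definition the bound `sizeof(A)-strlen(A)-1` is unsigned arithmetic, so if A ever holds sizeof(A) or more characters before a NUL, the subtraction wraps to a very large value instead of zero and strncat is effectively unbounded again. The macro is also only correct when A is a real char array: for a pointer, `sizeof(A)` is the pointer size, not the buffer size. I would document both preconditions next to the definition (A is an array and already contains a terminated string), or add a compile-time array check, and note that A is evaluated several times, so an argument with side effects is unsafe. With the `-1` in place the trailing `*((A)+sizeof(A)-1) = '\0'` is redundant for termination but harmless as a backstop.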
I renamed the STRSCAT macro to STRNSCAT because of a "redefined" error message.
It had to be changed in include/xmlrpc-c/string_int.h and src/xmlrpc_serialize.c also.
I attached an svn-diff.

Created attachment 173178
svn-diff_net_xmlrpc-c

I mailed it to Bryan Henderson from xmlrpc-c. He confirmed it is wrong or bad code, and said he will change it with the next stable version in "a few" weeks. Tell me if I should keep this PR open or close it.

Created attachment 174313
svn-diff_xmlrpc-c-1.39.10

Fixed upstream with update to 1.39.10. ChangeLog:
Fix possible buffer overrun. Introduced in Xmlrpc-c 1.15 (June 2008).
Build: fix missing thread libraries in libutil++ link.
Install: fix bug: xmlrpc_expat.pc not installed.
portlint ok.

Created attachment 174314
svn-diff_xmlrpc-c-1.39.10
Overlooked distinfo. Testbuild with poudriere on 103amd64/i386 and 93amd64/i386 ok.

Additional to the ChangeLog;
1.39.09
A release by this name was never properly released, but a copy of Release 1.39.08 was accidentally distributed with a filename indicating it was 1.39.09 between mid-July and August 23, 2016.

A commit references this bug:
Author: garga
Date: Mon Sep 5 17:23:11 UTC 2016
New revision: 421381
URL: https://svnweb.freebsd.org/changeset/ports/421381
Log:
  Update net/xmlrpc to 1.39.10
  This version if a buffer overflow in STRSCAT
  PR: 211257
  Submitted by: w.schwarzenfeld@utanet.at
  MFH: 2016Q3
Changes:
  head/net/xmlrpc-c/Makefile
  head/net/xmlrpc-c/distinfo

A commit references this bug:
Author: garga
Date: Tue Sep 6 16:51:49 UTC 2016
New revision: 421442
URL: https://svnweb.freebsd.org/changeset/ports/421442
Log:
  MFH: r421381
  Update net/xmlrpc to 1.39.10
  This version if a buffer overflow in STRSCAT
  PR: 211257
  Submitted by: w.schwarzenfeld@utanet.at
  Approved by: ports-secteam (feld)
Changes:
  _U branches/2016Q3/
  branches/2016Q3/net/xmlrpc-c/Makefile
  branches/2016Q3/net/xmlrpc-c/distinfo

Don't know if it is really relevant, but:

xmlrpc_datetime.c:164:17: warning: the value of the size argument in 'strncat' is too large, might lead to a buffer overflow [-Wstrncat-size]
    STRSCAT(dtString, usecString);
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
blddir/include/xmlrpc-c/string_int.h:125:24: note: expanded from macro 'STRSCAT'

and

xmlrpc_serialize.c:308:13: warning: the value of the size argument in 'strncat' is too large, might lead to a buffer overflow [-Wstrncat-size]
    STRSCAT(dtString, usecString);
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
blddir/include/xmlrpc-c/string_int.h:125:24: note: expanded from macro 'STRSCAT'

--
macro is defined in net/xmlrpc-c/work/xmlrpc-c-1.39.08/src/blddir/include/xmlrpc-c/string_int.h

124 #define STRSCAT(A,B) \
125 (strncat((A), (B), sizeof(A)-strlen(A)), *((A)+sizeof(A)-1) = '\0')
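
The off-by-one behind the -Wstrncat-size warning and the `-1` fix, as an added example (not code from xmlrpc-c or the port): strncat appends up to n characters and then a terminating NUL, so a bound of sizeof(A)-strlen(A) lets that NUL land one byte past the array. The helper `cat_overruns`, the canary arena, the 24-byte logical size and the sample strings are constructed; the logical size is passed explicitly instead of via sizeof so the demonstration stays inside a real allocation.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ARENA  32     /* real allocation; the logical buffer is its first `size` bytes */
#define CANARY 0x7F   /* fill value used to detect writes past the logical buffer */

/* Append src to a logical buffer of `size` bytes holding `initial`, using the
 * strncat bound from the old macro (fixed == 0: size - strlen) or the
 * corrected one (fixed != 0: size - strlen - 1).
 * Returns 1 if a byte at index >= size was modified, 0 if not, -1 on bad input.
 * The macro's extra store to A[sizeof(A)-1] is in bounds and is not modelled. */
static int cat_overruns(size_t size, const char *initial, const char *src, int fixed)
{
    char arena[ARENA];
    size_t i, used, bound;

    if (size == 0 || size >= ARENA || strlen(initial) >= size)
        return -1;

    memset(arena, CANARY, sizeof arena);
    strcpy(arena, initial);
    used = strlen(arena);

    bound = fixed ? size - used - 1 : size - used;
    strncat(arena, src, bound);   /* writes up to bound chars, then one NUL */

    for (i = size; i < ARENA; i++)
        if (arena[i] != CANARY)
            return 1;             /* something landed outside the logical buffer */
    return 0;
}

int main(void)
{
    /* Constructed sample: 17-char timestamp plus 7-char fraction, 24-byte buffer. */
    const char *dt = "20160905T17:23:11", *usec = ".123456";

    printf("old bound overruns:   %d\n", cat_overruns(24, dt, usec, 0));
    printf("fixed bound overruns: %d\n", cat_overruns(24, dt, usec, 1));
    return 0;
}
```

The overrun only shows up when the appended string is at least as long as the remaining space, which is why the old macro could go unnoticed with short inputs.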