[Snort-devel] Possible Issues with strncpy() calls in DAQ-2.0.x and Snort-2.9.5.x

Bill Parker wp02855 at ...2499...
Tue Aug 13 12:55:57 EDT 2013


Hello All,

In DAQ-2.0.1, directory 'os-daq-modules', file 'daq_afpacket.c',
I found two instances for calls to strncpy() which are not NULL
terminated (compared to a call to strcpy() which NULL terminates
the resulting string).

The patch file below adds the NULL byte:

--- daq_afpacket.c.orig 2013-08-12 19:07:36.190972370 -0700
+++ daq_afpacket.c      2013-08-12 19:10:11.983969620 -0700
@@ -110,6 +110,7 @@

     memset(&ifr, 0, sizeof(ifr));
     strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
+    ifr.ifr_name[sizeof(ifr.ifr_name)-1] = '\0';

     if (ioctl(instance->fd, SIOCGIFINDEX, &ifr) == -1)
         return -1;
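Review bot: the terminator added after the strncpy() into ifr.ifr_name hides truncation rather than reporting it. A device name of sizeof(ifr.ifr_name) characters or more is silently cut, and the SIOCGIFINDEX ioctl that follows is then issued for the shortened name. Consider checking strlen(device) >= sizeof(ifr.ifr_name) before the copy and returning -1, as the ioctl failure path already does.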
@@ -151,6 +152,7 @@

     memset(&ifr, 0, sizeof(ifr));
     strncpy(ifr.ifr_name, instance->name, sizeof(ifr.ifr_name));
+    ifr.ifr_name[sizeof(ifr.ifr_name)-1] = '\0';

     if (ioctl(instance->fd, SIOCGIFHWADDR, &ifr) == -1)
     {
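Review bot: this is the second copy of the same memset/strncpy/terminate sequence on ifr.ifr_name, here with instance->name as the source. A small helper that fills ifr.ifr_name and reports an over-long name would keep both sites consistent. Since the memset(&ifr, 0, sizeof(ifr)) above already zeroes the buffer, passing sizeof(ifr.ifr_name) - 1 as the strncpy() bound would also leave the last byte zero without the extra assignment.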

A 'make' and 'make install' result in successful compilation :)

I am attaching the patch file to this email.

I found the same situation in Snort-2.9.5.3, directory
'src/dynamic-preprocessors/ftptelnet', file 'snort_ftptelnet.c'
where calls to strncpy() do NOT appear to be null terminated,
the patch file below addresses this issue:

--- snort_ftptelnet.c.orig      2013-08-12 19:24:10.181973164 -0700
+++ snort_ftptelnet.c   2013-08-12 19:28:09.326970179 -0700
@@ -1558,6 +1558,7 @@
                 }

                 strncpy(curr_format, start_ch, curr_len);
+               curr_format[curr_len] = '\0';
                 CurrFmt->format_string = curr_format;
                 curr_len = 0;
                 CurrFmt->optional = OptFmt;
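Review bot: the added write to curr_format[curr_len] is in bounds only if curr_format holds at least curr_len + 1 bytes, and the allocation is not visible in this hunk. Please confirm the size at the allocation site for each place the patch touches; if the buffer is exactly curr_len bytes, this line writes one byte past its end.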
@@ -1584,6 +1585,7 @@
                 }

                 strncpy(curr_format, start_ch, curr_len);
+               curr_format[curr_len] = '\0';
                 CurrFmt->format_string = curr_format;
                 curr_len = 0;
             }
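Review bot: the added line is indented one column short of the strncpy() call above it as shown here, which usually means a tab in a region indented with spaces. Match the surrounding whitespace so the terminator lines up with the statement it completes; the same applies to the other added lines in this file.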
@@ -1611,6 +1613,7 @@
                     }

                     strncpy(curr_format, start_ch, curr_len);
+                   curr_format[curr_len] = '\0';
                     CurrFmt->format_string = curr_format;
                     curr_len = 0;
                 }
@@ -1668,6 +1671,7 @@
                 }

                 strncpy(curr_format, start_ch, curr_len);
+               curr_format[curr_len] = '\0';
                 CurrFmt->format_string = curr_format;
                 curr_len = 0;
                 *format = curr_ch;
@@ -1692,6 +1696,7 @@
                 }

                 strncpy(curr_format, start_ch, curr_len);
+               curr_format[curr_len] = '\0';
                 CurrFmt->format_string = curr_format;
                 curr_len = 0;
                 *format = curr_ch;
@@ -1721,6 +1726,7 @@
         }

         strncpy(curr_format, start_ch, curr_len);
+       curr_format[curr_len] = '\0';
         CurrFmt->format_string = curr_format;
         start_ch = curr_ch;
         curr_len = 0;
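Review bot: strncpy(curr_format, start_ch, curr_len) followed by an explicit terminator now appears at all six sites this patch touches. Since exactly curr_len bytes are wanted, memcpy() plus the terminator states the intent more directly, and folding the pair into one helper would keep a later copy of this sequence from missing the '\0'.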

A 'make' and 'make install' result in successful compilation :)

I am attaching the patch file to this email.

Bill Parker (wp02855 at gmail dot com)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: strncpy-daq_afpacket.c.patch
Type: application/octet-stream
Size: 624 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20130813/9d7a7252/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: strncpy-snort_ftptelnet.c.patch
Type: application/octet-stream
Size: 1747 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20130813/9d7a7252/attachment-0001.obj>
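The strncpy() behaviour the message describes, shown next to a copy that rejects over-long names instead of truncating them. This is an added example, not code from DAQ, Snort or the patches above; IFNAME_MAX, strncpy_terminates() and copy_ifname() are hypothetical names, and the 16-byte size is an assumption matching ifr_name on Linux.

```c
#include <stdio.h>
#include <string.h>

#define IFNAME_MAX 16   /* assumption: same size as ifr_name (IFNAMSIZ) on Linux */

/* Mirrors the unpatched sequence: zero the buffer, then strncpy() with the
 * full buffer size. Returns 1 if a '\0' ended up inside dst[0..n-1], else 0. */
int strncpy_terminates(char *dst, size_t n, const char *src)
{
    memset(dst, 0, n);
    strncpy(dst, src, n);
    return memchr(dst, '\0', n) != NULL;
}

/* Hypothetical helper: copy src into dst only if it fits with its terminator.
 * Returns 0 on success, -1 if src is too long or an argument is invalid. */
int copy_ifname(char *dst, size_t dst_size, const char *src)
{
    size_t len;

    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    /* Measure src, looking no further than dst can hold. */
    for (len = 0; len < dst_size && src[len] != '\0'; len++)
        ;
    if (len == dst_size)
        return -1;                        /* would be truncated: reject */
    memcpy(dst, src, len);
    memset(dst + len, 0, dst_size - len); /* terminator plus zero padding */
    return 0;
}

int main(void)
{
    /* Constructed sample names: 4, 15 and 16 characters long. */
    const char *names[] = { "eth0", "0123456789abcde", "0123456789abcdef" };
    char buf[IFNAME_MAX];
    size_t i;

    for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        int term = strncpy_terminates(buf, sizeof(buf), names[i]);
        int rc = copy_ifname(buf, sizeof(buf), names[i]);
        printf("%-18s strncpy terminated=%d copy_ifname=%d\n", names[i], term, rc);
    }
    return 0;
}
```

Only the 16-character name leaves the strncpy() result unterminated, and it is the same name copy_ifname() refuses.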