possible security fix: do not call slilog with intended message as format string

vMessage would call slilog with part of the intended log message as
the format string.  This is a potential format string vulnerability,
detected by -Wformat-security.

I have not analysed the code in detail to determine in exactly which
circumstances a secnet installation will be vulnerable, but in general
a vulnerability (at least for DOS) will exist in any situation where
an attacker can cause a log message to contain things which look like
printf directives.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

diff --git a/log.c b/log.c
index f4ef8000605c866121031ecb4babf2965c2aa1ff..837ed55acf8c9530a2e4d9f4e87feec3b433449e 100644 (file)
--- a/log.c
+++ b/log.c
@@ -29,7 +29,7 @@ static void vMessage(uint32_t class, const char *message, va_list args)
        /* Each line is sent separately */
        while ((nlp=strchr(buff,'\n'))) {
            *nlp=0;
        /* Each line is sent separately */
        while ((nlp=strchr(buff,'\n'))) {
            *nlp=0;

-           slilog(system_log,class,buff);
+           slilog(system_log,class,"%s",buff);

            memmove(buff,nlp+1,strlen(nlp+1)+1);
        }
     } else {
            memmove(buff,nlp+1,strlen(nlp+1)+1);
        }
     } else {