vMessage would call slilog with part of the intended log message as
the format string. This is a potential format string vulnerability,
detected by -Wformat-security.

I have not analysed the code in detail to determine in exactly which
circumstances a secnet installation will be vulnerable, but in general
a vulnerability (at least for DOS) will exist in any situation where
an attacker can cause a log message to contain things which look like
printf directives.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
(cherry picked from commit 7908f2c6b5be419f8f4031876139953d4ee8340d)

/* Each line is sent separately */
while ((nlp=strchr(buff,'\n'))) {
*nlp=0;
/* Each line is sent separately */
while ((nlp=strchr(buff,'\n'))) {
*nlp=0;
- slilog(system_log,class,buff);
+ slilog(system_log,class,"%s",buff);
memmove(buff,nlp+1,strlen(nlp+1)+1);
}
} else {
memmove(buff,nlp+1,strlen(nlp+1)+1);
}
} else {
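Review bot: the new `slilog(system_log,class,"%s",buff);` call closes this one site inside the per-line loop, but the patch gives no indication that other slilog callers passing a non-literal buffer as the format were checked, and the commit message says the affected circumstances were not analysed. Before merging, confirm that a full build with -Wformat-security reports no further warnings, and consider promoting it to -Werror=format-security in the build flags so that any later call of the old form fails to compile rather than shipping.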