From 974d3a0dd4ddd134033b16bcd9e2fde34302ffd5 Mon Sep 17 00:00:00 2001 From: Dan Wells Date: Tue, 6 Mar 2012 15:08:33 -0500 Subject: [PATCH] Protect gateway from format-string crashes in data As a common security measure, printf-style formatting codes are not allowed to be directly interpreted from a writable segment. The gateway code currently has the following function call: osrfLogActivity( OSRF_LOG_MARK, act->buf ); This is a variadic function which expects the 'act->buf' position to contain a format string and any trailing arguments to be the values passed to the formatter. Since act->buf is the value of what we passed in, some data inadvertently contains format strings, and since it is a writable segment, the program crashes. Here is an example of a crash-causing call: http://localhost/osrf-gateway-v1?service=test&method=test&param=%22%251n%22 The param is interpreted as "%1n" and abruptly fails. The simple solution is to include a formatter so that our param gets demoted to being mere data, i.e.: osrfLogActivity( OSRF_LOG_MARK, "%s", act->buf ); Signed-off-by: Dan Wells Signed-off-by: Dan Scott --- src/gateway/osrf_json_gateway.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/gateway/osrf_json_gateway.c b/src/gateway/osrf_json_gateway.c index 5282972..53094e3 100644 --- a/src/gateway/osrf_json_gateway.c +++ b/src/gateway/osrf_json_gateway.c @@ -300,7 +300,7 @@ static int osrf_json_gateway_method_handler (request_rec *r) { } } - osrfLogActivity( OSRF_LOG_MARK, act->buf ); + osrfLogActivity( OSRF_LOG_MARK, "%s", act->buf ); buffer_free(act); /* ----------------------------------------------------------------- */ -- 2.11.0
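Review bot: the `"%s"` change at the `osrfLogActivity( OSRF_LOG_MARK, act->buf )` line is the right fix, but it covers only this call site; any other osrfLog*( OSRF_LOG_MARK, buf ) call in the gateway that forwards request-derived text as the format argument has the same defect, so the series should grep for that pattern and, if the osrfLog functions are not already declared with `__attribute__((format(printf, ...)))` on the format and first-vararg positions, add that annotation so `-Wformat-security` reports a non-literal format at compile time instead of at runtime. The commit message should also say plainly that the abort is the hardened C library refusing a `%n` directive in a writable format string; on a build without that hardening the same request would not crash but would still have request data interpreted as a format, so the fix is needed regardless of whether the crash reproduces.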