From 611140c83aefbd72a8e099dce8595e1d6fc85766 Mon Sep 17 00:00:00 2001
From: Fabrice Bellet <fabrice@bellet.info>
Date: Sun, 19 May 2013 16:53:09 +0200
Subject: [PATCH 1/3] check to be sure that %n is not being set as format type
(CVE-2012-2090)
---
src/Cockpit/panel.cxx | 26 +++++++++++++++++++++++++-
src/Environment/fgclouds.cxx | 9 +++++++++
src/Network/generic.cxx | 9 +++++++++
3 files changed, 43 insertions(+), 1 deletion(-)
diff --git a/src/Cockpit/panel.cxx b/src/Cockpit/panel.cxx
index 3fbc199..09fb885 100644
--- a/src/Cockpit/panel.cxx
+++ b/src/Cockpit/panel.cxx
@@ -1174,8 +1174,18 @@ FGTextLayer::Chunk::Chunk (const string &text, const string &fmt)
: _type(FGTextLayer::TEXT), _fmt(fmt)
{
_text = text;
- if (_fmt.empty())
+ if (_fmt.empty()) {
_fmt = "%s";
+ } else {
+ // It is never safe for _fmt.c_str to be %n.
+ string unsafe ("%n");
+ size_t found;
+ found=_fmt.find(unsafe);
+ if (found!=string::npos) {
+ SG_LOG(SG_COCKPIT, SG_WARN, "format type contained %n, but this is unsafe, reverting to %s");
+ _fmt = "%s";
+ }
+ }
}
FGTextLayer::Chunk::Chunk (ChunkType type, const SGPropertyNode * node,
@@ -1188,6 +1198,20 @@ FGTextLayer::Chunk::Chunk (ChunkType type, const SGPropertyNode * node,
_fmt = "%s";
else
_fmt = "%.2f";
+ } else {
+ // It is never safe for _fmt.c_str to be %n.
+ string unsafe ("%n");
+ size_t found;
+ found=_fmt.find(unsafe);
+ if (found!=string::npos) {
+ if (type == TEXT_VALUE) {
+ SG_LOG(SG_COCKPIT, SG_WARN, "format type contained %n, but this is unsafe, reverting to %s");
+ _fmt = "%s";
+ } else {
+ SG_LOG(SG_COCKPIT, SG_WARN, "format type contained %n, but this is unsafe, reverting to %.2f");
+ _fmt = "%.2f";
+ }
+ }
}
_node = node;
}
diff --git a/src/Environment/fgclouds.cxx b/src/Environment/fgclouds.cxx
index d5db1ed..33b9f42 100644
--- a/src/Environment/fgclouds.cxx
+++ b/src/Environment/fgclouds.cxx
@@ -224,6 +224,15 @@ void FGClouds::buildLayer(int iLayer, const string& name, double coverage) {
tCloudVariety[CloudVarietyCount].count = count;
int variety = 0;
cloud_name = cloud_name + "-%d";
+ // It is never safe for cloud_name.c_str to be %n.
+ string unsafe ("%n");
+ size_t found;
+
+ found=cloud_name.find(unsafe);
+ if (found!=string::npos) {
+ SG_LOG(SG_GENERAL, SG_ALERT, "format type contained %n, but this is unsafe , ignore it");
+ continue;
+ }
char variety_name[50];
do {
variety++;
diff --git a/src/Network/generic.cxx b/src/Network/generic.cxx
index 21f048c..96f6364 100644
--- a/src/Network/generic.cxx
+++ b/src/Network/generic.cxx
@@ -206,6 +206,8 @@ bool FGGeneric::gen_message_binary() {
bool FGGeneric::gen_message_ascii() {
string generic_sentence;
+ string unsafe ("%n");
+ size_t found;
char tmp[255];
length = 0;
@@ -216,6 +218,13 @@ bool FGGeneric::gen_message_ascii() {
generic_sentence += var_separator;
}
+ // It is never safe for _out_message[i].format.c_str to be %n.
+ found=_out_message[i].format.find(unsafe);
+ if (found!=string::npos) {
+ SG_LOG(SG_COCKPIT, SG_WARN, "format type contained %n, but this is unsafe, reverting to %s");
+ _out_message[i].format = "%s";
+ }
+
switch (_out_message[i].type) {
case FG_INT:
val = _out_message[i].offset +
--
1.8.1.4
