From 611140c83aefbd72a8e099dce8595e1d6fc85766 Mon Sep 17 00:00:00 2001
From: Fabrice Bellet <fabrice@bellet.info>
Date: Sun, 19 May 2013 16:53:09 +0200
Subject: [PATCH 1/3] check to be sure that %n is not being set as format type (CVE-2012-2090)
---
 src/Cockpit/panel.cxx | 26 +++++++++++++++++++++++++-
 src/Environment/fgclouds.cxx | 9 +++++++++
 src/Network/generic.cxx | 9 +++++++++
 3 files changed, 43 insertions(+), 1 deletion(-)
diff --git a/src/Cockpit/panel.cxx b/src/Cockpit/panel.cxx
index 3fbc199..09fb885 100644
--- a/src/Cockpit/panel.cxx
+++ b/src/Cockpit/panel.cxx
@@ -1174,8 +1174,18 @@ FGTextLayer::Chunk::Chunk (const string &text, const string &fmt)
   : _type(FGTextLayer::TEXT), _fmt(fmt)
 {
   _text = text;
-  if (_fmt.empty())
+  if (_fmt.empty()) {
     _fmt = "%s";
+  } else {
+    // It is never safe for _fmt.c_str to be %n.
+    string unsafe ("%n");
+    size_t found;
+    found=_fmt.find(unsafe);
+    if (found!=string::npos) {
+      SG_LOG(SG_COCKPIT, SG_WARN, "format type contained %n, but this is unsafe, reverting to %s");
+      _fmt = "%s";
+    }
+  }
 }
 
 FGTextLayer::Chunk::Chunk (ChunkType type, const SGPropertyNode * node,
@@ -1188,6 +1198,20 @@ FGTextLayer::Chunk::Chunk (ChunkType type, const SGPropertyNode * node,
       _fmt = "%s";
     else
       _fmt = "%.2f";
+  } else {
+    // It is never safe for _fmt.c_str to be %n.
+    string unsafe ("%n");
+    size_t found;
+    found=_fmt.find(unsafe);
+    if (found!=string::npos) {
+      if (type == TEXT_VALUE) {
+        SG_LOG(SG_COCKPIT, SG_WARN, "format type contained %n, but this is unsafe, reverting to %s");
+        _fmt = "%s";
+      } else {
+        SG_LOG(SG_COCKPIT, SG_WARN, "format type contained %n, but this is unsafe, reverting to %.2f");
+        _fmt = "%.2f";
+      }
+    }
   }
   _node = node;
 }
diff --git a/src/Environment/fgclouds.cxx b/src/Environment/fgclouds.cxx
index d5db1ed..33b9f42 100644
--- a/src/Environment/fgclouds.cxx
+++ b/src/Environment/fgclouds.cxx
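Review bot: `found=_fmt.find(unsafe);` in the first panel.cxx hunk is a substring test, not a format-string check: it misses a `%n` conversion that carries flags, width or length modifiers between the `%` and the `n` (`%5n`, `%ln`, `%hhn`), which is just as dangerous once `_fmt.c_str()` reaches a printf-family call, and it rejects the harmless escaped `%%n`. The second panel.cxx hunk, the fgclouds.cxx hunk and the second generic.cxx hunk repeat the same test and inherit the same gap. A small shared helper that walks the string conversion by conversion — skipping `%%`, consuming the optional flags, width, precision and length modifier, and then accepting only the conversion characters the caller actually supports (one `s` for TEXT, `s` or the `f`-family for the value chunks) — would close it and would also refuse formats with more conversions than the single argument supplied, which is a separate out-of-bounds read. Style: `string unsafe ("%n"); size_t found; found=_fmt.find(unsafe); if (found!=string::npos) {` collapses to `if (_fmt.find("%n") != string::npos) {`. The constructor's signature line sits in the hunk header, outside the hunk, and the second hunk's constructor starts outside its hunk.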
@@ -224,6 +224,15 @@ void FGClouds::buildLayer(int iLayer, const string& name, double coverage) {
 			tCloudVariety[CloudVarietyCount].count = count;
 			int variety = 0;
 			cloud_name = cloud_name + "-%d";
+			// It is never safe for cloud_name.c_str to be %n.
+			string unsafe ("%n");
+			size_t found;
+
+			found=cloud_name.find(unsafe);
+			if (found!=string::npos) {
+				SG_LOG(SG_GENERAL, SG_ALERT, "format type contained %n, but this is unsafe , ignore it");
+				continue;
+			}
 			char variety_name[50];
 			do {
 				variety++;
diff --git a/src/Network/generic.cxx b/src/Network/generic.cxx
index 21f048c..96f6364 100644
--- a/src/Network/generic.cxx
+++ b/src/Network/generic.cxx
@@ -206,6 +206,8 @@ bool FGGeneric::gen_message_binary() {
 
 bool FGGeneric::gen_message_ascii() {
     string generic_sentence;
+    string unsafe ("%n");
+    size_t found;
     char tmp[255];
 
     length = 0;
@@ -216,6 +218,13 @@ bool FGGeneric::gen_message_ascii() {
             generic_sentence += var_separator;
         }
 
+        // It is never safe for _out_message[i].format.c_str to be %n.
+        found=_out_message[i].format.find(unsafe);
+        if (found!=string::npos) {
+            SG_LOG(SG_COCKPIT, SG_WARN, "format type contained %n, but this is unsafe, reverting to %s");
+            _out_message[i].format = "%s";
+        }
+
         switch (_out_message[i].type) {
             case FG_INT:
                 val = _out_message[i].offset +
-- 
1.8.1.4
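Review bot: The fgclouds.cxx hunk guards `cloud_name` against `%n` but leaves the more likely failure untouched: `cloud_name` now always ends in `"-%d"` and is, by the look of the context, formatted into the fixed `char variety_name[50];` in the `do { variety++; ...` loop that continues outside the hunk, so a long `name` overflows that buffer regardless of `%n`. If that call is `sprintf`, it should be `snprintf(variety_name, sizeof variety_name, ...)` with the result checked, or the name should be built into a `std::string`; please confirm against the loop body. Two smaller points: this hunk logs at `SG_ALERT` while the sibling hunks use `SG_WARN` for the same condition, and the message text `"unsafe , ignore it"` has a stray space before the comma. The enclosing loop of buildLayer starts and ends outside the hunk.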
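Review bot: `_out_message[i].format = "%s";` in the second generic.cxx hunk is applied to every message type, yet the `switch (_out_message[i].type)` immediately below dispatches on `case FG_INT:` and presumably other numeric cases; if those branches pass `format` to a printf-family call with a numeric argument — as the per-type choice of `%s` versus `%.2f` in the panel.cxx hunk suggests — then a `%s` fallback on an integer or double argument is undefined behaviour of the same family this patch is closing. Choose the replacement per type, e.g. `%d` for `FG_INT` and the matching conversion for the other cases, or skip emitting that variable and leave `format` unchanged so the warning keeps firing. Hoisting `unsafe`/`found` to function scope in the first generic.cxx hunk also gives them a far wider lifetime than the one test that uses them; `if (_out_message[i].format.find("%n") != string::npos) {` needs neither. The rest of gen_message_ascii lies outside the hunk.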