--- xsupplicant-1.0.1/src/xsup_common.c.stack-smash 2006-10-26 10:17:22.000000000 -0600 +++ xsupplicant-1.0.1/src/xsup_common.c 2006-10-26 10:17:22.000000000 -0600 @@ -0,0 +1,29 @@ +/** + * General routines + * + * Licensed under the dual GPL/BSD license. (See LICENSE file for more info.) + * + * File: xsup_common.c + * + * Authors: Carsten Grohmann + * + * $Id: xsup_common.c,v 1.1 2006/08/25 23:37:18 chessing Exp $ + * $Date: 2006/08/25 23:37:18 $ + * $Log: xsup_common.c,v $ + * Revision 1.1 2006/08/25 23:37:18 chessing + * Numerous patches that have come in over the last month or two. + * + */ + +#include <string.h> + +#ifdef USE_EFENCE +#include <efence.h> +#endif + +char* Strncpy(char *dest, const char *src, size_t n) +{ + strncpy(dest, src, n); + dest[n-1] = 0; + return dest; +} --- xsupplicant-1.0.1/src/eap.c.stack-smash 2004-08-16 17:36:27.000000000 -0600 +++ xsupplicant-1.0.1/src/eap.c 2006-10-26 10:17:40.000000000 -0600 @@ -107,6 +107,7 @@ #include "snmp.h" #include "frame_structs.h" +#include "xsup_common.h" #include "xsup_debug.h" #include "xsup_err.h" #include "config.h" @@ -300,7 +301,7 @@ static int wpa_keying_material(struct in void eap_do_notify(struct interface_data *thisint, char *inframe, int insize) { struct eap_header *myeap; - char myval[255]; + char *myval; if ((!thisint) || (!inframe)) { 
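Review bot: `Strncpy` in the new xsup_common.c executes `dest[n-1] = 0;` without checking `n`, so a call with `n == 0` wraps the index and writes the terminator outside the buffer. The wrapper is described as a secure replacement, so it should guard this case itself, e.g. `if (n == 0) return dest;` as the first statement. This matters for the caller added in eap.c, which passes `ntohs(myeap->eap_length)-5`; that value is taken from the received frame and can be zero or negative. A short comment that `n` must be the size of `dest`, not the length of `src`, would also help, because the terminator overwrites the last copied byte when `src` is `n` bytes or longer.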
@@ -310,14 +311,24 @@ void eap_do_notify(struct interface_data myeap = (struct eap_header *)&inframe[OFFSET_TO_EAP]; - bzero(&myval[0], 255); - // We need to determine how long the string that we were returned is. // So, take the EAP length value, and subtract 5 to account for the EAP // header. - strncpy(&myval[0], &inframe[OFFSET_TO_DATA], (ntohs(myeap->eap_length)-5)); - debug_printf(DEBUG_NORMAL, "EAP Notification : %s\n", &myval[0]); + // This will allocate 5 bytes more than we should need. + myval = malloc(ntohs(myeap->eap_length)); + if (myval == NULL) + { + debug_printf(DEBUG_NORMAL, "Couldn't allocate memory to store EAP " + "notification message!\n"); + return; + } + + memset(myval, 0x00, ntohs(myeap->eap_length)); + + Strncpy(myval, (char *) &inframe[OFFSET_TO_DATA], (ntohs(myeap->eap_length)-5)); + + debug_printf(DEBUG_NORMAL, "EAP Notification : %s\n", myval); } /******************************************* --- xsupplicant-1.0.1/src/xsup_common.h.stack-smash 2006-10-26 10:17:22.000000000 -0600 +++ xsupplicant-1.0.1/src/xsup_common.h 2006-10-26 10:17:22.000000000 -0600 @@ -0,0 +1,29 @@ +/** + * + * Licensed under a dual GPL/BSD license. (See LICENSE file for more info.) + * + * File: xsup_common.h + * + * Authors: Chris.Hessing@utah.edu and Carsten Grohmann + * + * $Id: xsup_common.h,v 1.1 2006/08/25 23:37:18 chessing Exp $ + * $Date: 2006/08/25 23:37:18 $ + */ +#ifndef XSUP_COMMON_H_ +#define XSUP_COMMON_H_ + +/** Secure strncpy() replacement + * + * Sets the last position of the buffer to 0. All times. + * All parameters are equal to strncpy(). + */ +char* Strncpy(char *dest, const char *src, size_t n); + +/** Secure free() replacement + * + * Check the pointer before freeing and set it to NULL after the memory + * has been freed + */ +#define FREE(p) if (p != NULL) {free(p); p=NULL;} + +#endif --- xsupplicant-1.0.1/src/xsup_ipc.c.stack-smash 2004-07-14 22:15:35.000000000 -0600 +++ xsupplicant-1.0.1/src/xsup_ipc.c 2006-10-26 10:17:22.000000000 -0600 
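Review bot: In the `eap_do_notify` hunk of eap.c the size given to `malloc`, `memset` and `Strncpy` comes straight from `myeap->eap_length` in the received frame and is never compared with 5 or with `insize`. A length below 5 makes `ntohs(myeap->eap_length)-5` negative, which becomes a very large `size_t` in `Strncpy`, and the copy then runs past the allocation. A length larger than the frame lets the copy read beyond `inframe`. `myval` is also never freed before the closing brace, so each notification frame leaks its buffer. The version below validates the length first (assuming `insize` is the byte count of `inframe`, which should be confirmed against the caller), copies exactly the message bytes and frees the buffer; the function starts in the previous hunk, where a new `int msglen;` local would sit next to `myval`.

```c
// … unchanged: NULL checks, myeap assignment and the length comment …
msglen = ntohs(myeap->eap_length) - 5;
if ((msglen <= 0) || (msglen > (insize - OFFSET_TO_DATA)))
  {
    debug_printf(DEBUG_NORMAL, "Invalid length in EAP notification!\n");
    return;
  }

myval = malloc(msglen + 1);
if (myval == NULL)
  {
    // … unchanged: allocation failure message …
    return;
  }

memcpy(myval, &inframe[OFFSET_TO_DATA], msglen);
myval[msglen] = '\0';

debug_printf(DEBUG_NORMAL, "EAP Notification : %s\n", myval);
free(myval);
```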
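Review bot: The `FREE` macro in the new xsup_common.h expands to a bare `if (...) {...}`, so `if (x) FREE(p); else ...` does not compile, because the `;` after the closing brace ends the `if` and leaves the `else` without a match. Its argument is also used unparenthesized. Wrapping it as `#define FREE(p) do { if ((p) != NULL) { free(p); (p) = NULL; } } while (0)` makes it behave like a single statement. The header also uses `size_t` and `free` without including anything, so it seems to rely on the including file pulling in `<stddef.h>` and `<stdlib.h>` first; adding those includes here would make it self-contained.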
@@ -82,6 +82,7 @@ #include "profile.h" #include "config.h" #include "xsup_ipc.h" +#include "xsup_common.h" #include "xsup_debug.h" #include "xsup_err.h" #include "ipc_callout.h" --- xsupplicant-1.0.1/src/Makefile.am.stack-smash 2004-08-18 22:11:47.000000000 -0600 +++ xsupplicant-1.0.1/src/Makefile.am 2006-10-26 10:17:22.000000000 -0600 @@ -14,7 +14,7 @@ sbin_PROGRAMS = xsupplicant xsupplicant_SOURCES = xsup_driver.c xsup_debug.c profile.c core.c\ config.c eapol.c statemachine.c eap.c snmp.c wpa.c \ key_statemachine.c eapol_key_type1.c interactive.c \ - eapol_key_type254.c \ + eapol_key_type254.c xsup_common.c \ eap_types/md5/eapmd5.c eap_types/tls/eaptls.c \ eap_types/tls/tls_funcs.c eap_types/ttls/eapttls.c \ eap_types/ttls/ttlsphase2.c eap_types/tls/tls_crypt.c \ --- xsupplicant-1.0.1/src/ipc_callout.c.stack-smash 2004-07-14 22:15:35.000000000 -0600 +++ xsupplicant-1.0.1/src/ipc_callout.c 2006-10-26 10:17:22.000000000 -0600 @@ -170,6 +170,12 @@ void ipc_callout_process_conf(struct int debug_printf(DEBUG_NORMAL, "Incorrect call to ipc_callout_process_conf!\n"); } + if (((cmd->len) + sizeof(struct ipc_cmd)) > bufsize) + { + debug_printf(DEBUG_NORMAL, "Buffer not large enough to hold response!\n"); + return; + } + *bufptr += sizeof(struct ipc_cmd);