Ensure that received packets are at least as long as the rwho packet

header before trying to process them. Without this sanity check, rwhod can attempt to byte-swap all of memory when a short packet is received, and so dies with a SIGBUS. While I'm here, change two other syslog messages to be more informative: use dotted quad rather than hex notation for IP addresses, and include the source IP in the 'bad from port' message. PR: bin/14844 Reviewed by: dwmalone
svn path=/head/; revision=70284
2000-12-22 21:30:15 +00:00 · 2000-12-22 21:30:15 +00:00 · 4de932048c · 2020-12-20 02:59:44 +00:00
commit 4de932048c
parent c0f2ef61df
1 changed files with 10 additions and 4 deletions
--- a/usr.sbin/rwhod/rwhod.c
+++ b/usr.sbin/rwhod/rwhod.c
@ -56,6 +56,7 @@ static const char rcsid[] =
 #include <net/if_dl.h>
 #include <net/route.h>
 #include <netinet/in.h>
+#include <arpa/inet.h>
 #include <protocols/rwhod.h>

 #include <ctype.h>
@ -277,8 +278,13 @@ main(argc, argv)
 			continue;
 		}
 		if (from.sin_port != sp->s_port && !insecure_mode) {
-			syslog(LOG_WARNING, "%d: bad from port",
-				ntohs(from.sin_port));
+			syslog(LOG_WARNING, "%d: bad source port from %s",
+			    ntohs(from.sin_port), inet_ntoa(from.sin_addr));
+			continue;
+		}
+		if (cc < WHDRSIZE) {
+			syslog(LOG_WARNING, "short packet from %s",
+			    inet_ntoa(from.sin_addr));
 			continue;
 		}
 		if (wd.wd_vers != WHODVERSION)
@ -286,8 +292,8 @@ main(argc, argv)
 		if (wd.wd_type != WHODTYPE_STATUS)
 			continue;
 		if (!verify(wd.wd_hostname, sizeof wd.wd_hostname)) {
-			syslog(LOG_WARNING, "malformed host name from %x",
-				from.sin_addr);
+			syslog(LOG_WARNING, "malformed host name from %s",
+			    inet_ntoa(from.sin_addr));
 			continue;
 		}
 		(void) snprintf(path, sizeof path, "whod.%s", wd.wd_hostname);