Skip to content
Permalink
Browse files Browse the repository at this point in the history
Fix format string vulnerability
Reported by Kapil Anand on ayttm-users:
https://sourceforge.net/p/ayttm/mailman/message/34397158/

This patch does the following two things:

1. Makes sure debug_print is only used in DEBUG mode and not in non-DEBUG mode
2. Since debug_print is basically printf, we don't really need to first
   snprintf into a buffer and then print the buffer.
3. We no longer need debug_buff
  • Loading branch information
Philip Tellis committed Aug 24, 2015
1 parent da8940c commit 40e0468
Showing 1 changed file with 6 additions and 10 deletions.
16 changes: 6 additions & 10 deletions libproxy/proxy.c
Expand Up @@ -294,7 +294,6 @@ int http_connect(int sockfd, const char *host, int port, AyProxyData *proxy)
char cmd[512];
char *inputline = NULL;
char *proxy_auth = NULL;
char debug_buff[512];
int remaining = sizeof(cmd) - 1;

remaining -= snprintf(cmd, sizeof(cmd), "CONNECT %s:%d HTTP/1.1\r\n", host, port);
Expand All @@ -309,17 +308,15 @@ int http_connect(int sockfd, const char *host, int port, AyProxyData *proxy)
remaining -= 2;
}
strncat(cmd, "\r\n", remaining);
#ifndef DEBUG
snprintf(debug_buff, sizeof(debug_buff), "<%s>\n", cmd);
debug_print(debug_buff);
#ifdef DEBUG
debug_print("<%s>\n", cmd);
#endif
if (send(sockfd, cmd, strlen(cmd), 0) < 0)
return AY_CONNECTION_REFUSED;
if (ay_recv_line(sockfd, &inputline) < 0)
return AY_CONNECTION_REFUSED;
#ifndef DEBUG
snprintf(debug_buff, sizeof(debug_buff), "<%s>\n", inputline);
debug_print(debug_buff);
#ifdef DEBUG
debug_print("<%s>\n", inputline);
#endif
if (!strstr(inputline, "200")) {
/* Check if proxy authorization needed */
Expand All @@ -344,9 +341,8 @@ int http_connect(int sockfd, const char *host, int port, AyProxyData *proxy)
if (ay_recv_line(sockfd, &inputline) < 0) {
return AY_CONNECTION_REFUSED;
}
#ifndef DEBUG
snprintf(debug_buff, sizeof(debug_buff), "<%s>\n", inputline);
debug_print(debug_buff);
#ifdef DEBUG
debug_print("<%s>\n", inputline);
#endif
}
free(inputline);
Expand Down

0 comments on commit 40e0468

Please sign in to comment.