From: Martin Schulze (joey@infodrom.org)
Date: Mon Jun 23 2003 - 09:09:06 CEST
Michael Buesch wrote:
> Hi.
>
> I've recently seen that sysklogd makes some ugly
> conversions on the % character.
> If a % is printed to the kernel ring buffer, syslogd
> does log it as two %%.
> This code is doing it:
>
>     if( *ptr == '%' )   /* dangerous printf marker */
>     {
>         delta = 0;
>         while (len && *ptr == '%')
>         {
>             *line++ = *ptr++;   /* copy it in */
>             space -= 1;
>             len -= 1;
>             delta++;
>         }
>         if (delta % 2)   /* odd amount of %'s */
>         {
>             if (space)
>             {
>                 *line++ = '%';   /* so simply add one */
>                 space -= 1;
>             }
>             else
>             {
>                 *line++ = '\0';   /* remove the last one / terminate the string */
>             }
>         }
>     }
>
> What's the reason for adding one % if the number of
> % is odd?
> I think there must be a good reason to do so. :)
The reason is to prevent stack overflow problems from malicious
kernel modules and other errors. When the string is consulted
by a printf()-like method any % would mark a location for the
insertion of an argument. A %% is the literal % sign. I guess
this is a security precaution, but maybe it is superfluous if
syslogd doesn't use a printf()-like routine afterwards.
Regards,
Joey
-- Let's call it an accidental feature. -- Larry Wall
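
The padding discussed in this thread, as an added example that is not sysklogd's code and not part of either message: it pads odd runs of % the same way, then feeds the result to a printf()-like routine as the format to show that no argument is consumed. The names pad_percent_runs, render and renders_as are hypothetical, and unlike the quoted code it drops an unpaired % when there is no room to pad it.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Copy src to dst (cap bytes including the NUL), padding every odd run of '%'
 * to an even length as the quoted code does. Assumption of this example: when
 * there is no room for the padding '%', the unpaired one is dropped instead. */
size_t pad_percent_runs(const char *src, size_t len, char *dst, size_t cap)
{
    size_t in = 0, out = 0;
    if (cap == 0) return 0;
    while (in < len && out + 1 < cap) {
        size_t run = 0;
        if (src[in] != '%') {
            dst[out++] = src[in++];
            continue;
        }
        while (in < len && src[in] == '%' && out + 1 < cap) {
            dst[out++] = src[in++];          /* copy the run of '%' */
            run++;
        }
        if (run % 2 == 0) continue;          /* even run: already literal */
        if (out + 1 >= cap) { out--; break; }  /* no room: drop unpaired '%' */
        dst[out++] = '%';                    /* pair the odd one */
    }
    dst[out] = '\0';
    return out;                              /* bytes written, without the NUL */
}

/* Hypothetical stand-in for a printf()-like logger that uses the line as format. */
static int render(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Pad msg, pass it to render() as the format, report whether output == want. */
int renders_as(const char *msg, const char *want)
{
    char esc[256], out[256];
    pad_percent_runs(msg, strlen(msg), esc, sizeof esc);
    render(out, sizeof out, esc);
    return strcmp(out, want) == 0;
}

int main(void) { return !renders_as("100% done %s", "100% done %s"); }
```

An even run in the input is left alone, so "a%%b" comes out of the printf()-like routine as "a%b"; the padding is only lossless for odd runs of length one.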