[PATCH] Bug 9076 - Whois using a non working host for queries by default

Vito Mulè mule.vito at gmail.com
Tue Jul 5 08:15:26 UTC 2016 

Hello,
I forgot to send the last patch in, that is attached on the bug. I could
use strdup if you think it's better.

>> stopped using strcpy,
>>Why?

Buffer overflow?

If the destination string of a strcpy() is not large enough, then anything
might happen. Overflowing fixed-length string buffers is a favorite cracker
technique for taking complete control of the machine. Any time a program
reads or copies data into a buffer, the program first needs to check that
there's enough space. This may be unnecessary if you can show that overflow
is impossible, but be careful: programs can get changed over time, in ways
that may make the impossible possible.

> > +       strncpy(str_token, argv_host, query_len+1);
>
> Ignoring the way you've taken 3 lines to say strdup() (and your
> sizeof(char) is only applying to the 1, not query_len+1, but it's ok
> because sizeof(char) is a constant 1 on every system linux has ever
> supported)...

Yeah true, but it helps readability and it's also a good habit to have when
you are using malloc with other types, at least for me.



whois_fix_default_server_V4

Final Patch:
Dealing with names that are too long, respecting the length used by
original whois, to avoid segfaults.

Cheers



Signed-off-by: Vito Mule' <mulevito at gmail.com>
---
 networking/whois.c | 52
+++++++++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 45 insertions(+), 7 deletions(-)

diff --git a/networking/whois.c b/networking/whois.c
index bf33033..b23a40f 100644
--- a/networking/whois.c
+++ b/networking/whois.c
@@ -44,22 +44,60 @@ static void pipe_out(int fd)
        fclose(fp); /* closes fd too */
 }

+void whois_host(char* host, char *argv_host, const char *unqualified_host)
+{
+       char domain[69];
+       char* token;
+       size_t query_len = strlen(argv_host);
+       char *str_token = malloc(query_len+1 * sizeof(char));
+
+       if (strlen(host) >= 1) {
+               memset(&host[0], 0, strlen(host));
+       }
+       strncpy(str_token, argv_host, query_len);
+       token = strtok(str_token, ".");
+       while (token != NULL) {
+               strncpy(domain, token, strlen(token)+1);
+               token = strtok(NULL, ".");
+       }
+       strncpy(host, domain, strlen(domain));
+       strncat(host, unqualified_host, strlen(unqualified_host));
+        free(str_token);
+}
+
 int whois_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE;
 int whois_main(int argc UNUSED_PARAM, char **argv)
 {
+
+       char *host = malloc(128 * sizeof(char));
        int port = 43;
-       const char *host = "whois-servers.net";
+       const char *unqualified_host = ".whois-servers.net";

        opt_complementary = "-1:p+";
        getopt32(argv, "h:p:", &host, &port);
-
        argv += optind;
-       do {
-               int fd = create_and_connect_stream_or_die(host, port);
-               fdprintf(fd, "%s\r\n", *argv);
-               pipe_out(fd);
+
+       if (strlen(host) < 1) {
+               do {
+                       if (strlen(*argv) >= 67) {
+                               fprintf(stdout, "Invalid request: %s\n",
*argv);
+                               return EXIT_FAILURE;
+                       }
+                       whois_host(host, *argv, unqualified_host);
+                       int fd = create_and_connect_stream_or_die(host,
port);
+                       fdprintf(fd, "%s\r\n", *argv);
+                       pipe_out(fd);
+               }
+               while (*++argv);
+               free(host);
+       } else {
+               do {
+                       int fd = create_and_connect_stream_or_die(host,
port);
+                       fdprintf(fd, "%s\r\n", *argv);
+                       pipe_out(fd);
+               }
+               while (*++argv);
        }
-       while (*++argv);

        return EXIT_SUCCESS;
 }



On 5 July 2016 at 03:36, Rob Landley <rob at landley.net> wrote:

> On 07/04/2016 02:47 PM, Vito Mulè wrote:
> > stopped using strcpy,
>
> Why?
>
> > +    size_t query_len = strlen(argv_host);
> > +       char *str_token = malloc(query_len+1 * sizeof(char));
>
> > +       strncpy(str_token, argv_host, query_len+1);
>
> Ignoring the way you've taken 3 lines to say strdup() (and your
> sizeof(char) is only applying to the 1, not query_len+1, but it's ok
> because sizeof(char) is a constant 1 on every system linux has ever
> supported)...
>
> My question is that you're effectively doing:
>
>   strncpy(str_token, argv_host, strlen(argv_host)+1);
>
> So how is this better than strcpy()?
>
> > +       strncpy(host, domain, strlen(domain));
>
> Here you're literally doing that. Why?
>
> Rob
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.busybox.net/pipermail/busybox/attachments/20160705/941d30a0/attachment-0001.html>

More information about the busybox mailing list