potential format string exploits (warning: format not a string literal and no format arguments)

git-svn-id: http://svn.freeswitch.org/svn/freeswitch/trunk@4254 d0543943-73ff-0310-b7d9-9358b9ac24b2
2007-02-14 03:45:10 +00:00 · 2007-02-14 03:45:10 +00:00 · 11a8218db0
parent 711c59a6e0
commit 11a8218db0
5 changed files with 8 additions and 8 deletions
--- a/src/mod/applications/mod_conference/mod_conference.c
+++ b/src/mod/applications/mod_conference/mod_conference.c
@ -2466,7 +2466,7 @@ static switch_status_t conf_api_sub_dtmf(conference_member_t *member, switch_str
        switch_event_add_header(event, SWITCH_STACK_BOTTOM, "Conference-Name", "%s", member->conference->name);
        switch_event_add_header(event, SWITCH_STACK_BOTTOM, "Member-ID", "%u", member->id);
        switch_event_add_header(event, SWITCH_STACK_BOTTOM, "Action", "dtmf-member");
-        switch_event_add_header(event, SWITCH_STACK_BOTTOM, "Digits", dtmf);
+        switch_event_add_header(event, SWITCH_STACK_BOTTOM, "Digits", "%s", dtmf);
        switch_event_fire(&event);
    }

--- a/src/mod/endpoints/mod_dingaling/mod_dingaling.c
+++ b/src/mod/endpoints/mod_dingaling/mod_dingaling.c
@ -628,7 +628,7 @@ static void dl_logger(char *file, const char *func, int line, int level, char *f
 	va_start(ap, fmt);
 	
 	vsnprintf(data, sizeof(data), fmt, ap);
-	switch_log_printf(SWITCH_CHANNEL_ID_LOG, file, func, line, SWITCH_LOG_DEBUG, data);
+	switch_log_printf(SWITCH_CHANNEL_ID_LOG, file, func, line, SWITCH_LOG_DEBUG, "%s", data);

 	va_end(ap);
 }
@ -2427,7 +2427,7 @@ static ldl_status handle_signalling(ldl_handle_t *handle, ldl_session_t *dlsessi
 			switch_event_add_header(event, SWITCH_STACK_BOTTOM, "to", "%s", to);
 			switch_event_add_header(event, SWITCH_STACK_BOTTOM, "subject", "%s", subject);
 			if (msg) {
-				switch_event_add_body(event, msg);
+				switch_event_add_body(event, "%s", msg);
 			}
 			if (switch_core_session_queue_event(tech_pvt->session, &event) != SWITCH_STATUS_SUCCESS) {
 				switch_event_add_header(event, SWITCH_STACK_BOTTOM, "delivery-failure", "true");
--- a/src/mod/endpoints/mod_sofia/mod_sofia.c
+++ b/src/mod/endpoints/mod_sofia/mod_sofia.c
@ -2659,7 +2659,7 @@ static void sip_i_message(int status,
 					switch_event_add_header(event, SWITCH_STACK_BOTTOM, "to", "%s", to_addr);
 					switch_event_add_header(event, SWITCH_STACK_BOTTOM, "subject", "SIMPLE MESSAGE");
 					if (msg) {
-						switch_event_add_body(event, msg);
+						switch_event_add_body(event, "%s", msg);
 					}
 					if (switch_core_session_queue_event(tech_pvt->session, &event) != SWITCH_STATUS_SUCCESS) {
 						switch_event_add_header(event, SWITCH_STACK_BOTTOM, "delivery-failure", "true");
--- a/src/mod/event_handlers/mod_event_socket/mod_event_socket.c
+++ b/src/mod/event_handlers/mod_event_socket/mod_event_socket.c
@ -550,7 +550,7 @@ static void *SWITCH_THREAD_FUNC api_exec(switch_thread_t *thread, void *obj)
        
        if (switch_event_create(&event, SWITCH_EVENT_BACKGROUND_JOB) == SWITCH_STATUS_SUCCESS) {
            switch_event_add_header(event, SWITCH_STACK_BOTTOM, "Job-UUID", "%s", acs->uuid_str);
-            switch_event_add_body(event, reply);
+            switch_event_add_body(event, "%s", reply);
            switch_event_fire(&event);
        }
    } else {
@ -650,7 +650,7 @@ static switch_status_t parse_command(listener_t *listener, switch_event_t *event
                }

            }
-            snprintf(reply, reply_len, val);
+            snprintf(reply, reply_len, "%s", val);
            goto done;
        } else if (!strncasecmp(cmd, "myevents", 8)) {
            listener->event_list[SWITCH_EVENT_CHANNEL_CREATE] = 1;
--- a/src/switch_ivr.c
+++ b/src/switch_ivr.c
@ -807,7 +807,7 @@ static void *SWITCH_THREAD_FUNC speech_thread(switch_thread_t *thread, void *obj
 			if (switch_event_create(&event, SWITCH_EVENT_DETECTED_SPEECH) == SWITCH_STATUS_SUCCESS) {
 				if (status == SWITCH_STATUS_SUCCESS) {
 					switch_event_add_header(event, SWITCH_STACK_BOTTOM, "Speech-Type", "detected-speech");
-					switch_event_add_body(event, xmlstr);
+					switch_event_add_body(event, "%s", xmlstr);
 				} else {
 					switch_event_add_header(event, SWITCH_STACK_BOTTOM, "Speech-Type", "begin-speaking");
 				}
@ -2518,7 +2518,7 @@ SWITCH_DECLARE(switch_status_t) switch_ivr_originate(switch_core_session_t *sess
        for (hi = switch_channel_variable_first(caller_channel, switch_core_session_get_pool(session)); hi; hi = switch_hash_next(hi)) {
            switch_hash_this(hi, &vvar, NULL, &vval);
            if (vvar && vval) {
-                switch_event_add_header(var_event, SWITCH_STACK_BOTTOM, (void *)vvar, vval);
+                switch_event_add_header(var_event, SWITCH_STACK_BOTTOM, (void *)vvar, "%s", (char *)vval);
            }
        }