Fix unsafe code

- drop usage of huge sparse array
- fix infinite loop in error case
- missing '\0' termination of mail command option
- missing check for fseek() failure

diff --git a/src/cronnext.c b/src/cronnext.c
index 5718220f8e477fa7d22a30dbefc57ef56c18cf27..ef8a40d70e855a09186062a7384ce0999774bd49 100644 (file)
--- a/src/cronnext.c
+++ b/src/cronnext.c
@@ -71,13 +71,13 @@ void free_security_context(security_context_t *scontext) {
 /*
  * print entry flags
  */
-char *flagname[]= {
-       [MIN_STAR] =    "MIN_STAR",
-       [HR_STAR] =     "HR_STAR",
-       [DOM_STAR] =    "DOM_STAR",
-       [DOW_STAR] =    "DOW_STAR",
-       [WHEN_REBOOT] = "WHEN_REBOOT",
-       [DONT_LOG] =    "DONT_LOG"
+const char *flagname[]= {
+       "MIN_STAR",
+       "HR_STAR",
+       "DOM_STAR",
+       "DOW_STAR",
+       "WHEN_REBOOT",
+       "DONT_LOG"
 };
 
 void printflags(char *indent, int flags) {
@@ -85,8 +85,8 @@ void printflags(char *indent, int flags) {
        int first = 1;
 
        printf("%s    flagnames:", indent);
-       for (f = 1; f < sizeof(flagname);  f = f << 1)
-               if (flags & f) {
+       for (f = 0; f < sizeof(flagname)/sizeof(char *);  f++)
+               if (flags & (int)1 << f) {
                        printf("%s%s", first ? " " : "|", flagname[f]);
                        first = 0;
                }

diff --git a/src/do_command.c b/src/do_command.c
index 9981628b75cfe4c1f2239d8e379fbb83baebf3b9..aeee1d3c8e4d49bc37500e185f66a4774a048ce1 100644 (file)
--- a/src/do_command.c
+++ b/src/do_command.c
@@ -418,7 +418,7 @@ static int child_process(entry * e, char **jobenv) {
                        if (mailto && safe_p(usernm, mailto)
                                && strncmp(MailCmd,"off",3) && !SyslogOutput) {
                                char **env;
-                               char mailcmd[MAX_COMMAND];
+                               char mailcmd[MAX_COMMAND+1]; /* +1 for terminator */
                                char hostname[MAXHOSTNAMELEN];
                                char *content_type = env_get("CONTENT_TYPE", jobenv),
                                        *content_transfer_encoding =
@@ -434,7 +434,7 @@ static int child_process(entry * e, char **jobenv) {
                                        }
                                }
                                else {
-                                       strncpy(mailcmd, MailCmd, MAX_COMMAND);
+                                       strncpy(mailcmd, MailCmd, MAX_COMMAND+1);
                                }
                                if (!(mail = cron_popen(mailcmd, "w", e->pwd, jobenv))) {
                                        perror(mailcmd);

diff --git a/src/env.c b/src/env.c
index 6cf09003304a3fbfc6734e63abcc95b2457e5c86..5fa2e2c3928fa2df38c61bdd15581388326a9a55 100644 (file)
--- a/src/env.c
+++ b/src/env.c
@@ -63,7 +63,7 @@ char **env_copy(char **envp) {
                for (i = 0; i < count; i++)
                        if ((p[i] = strdup(envp[i])) == NULL) {
                                save_errno = errno;
-                               while (--i >= 0)
+                               while (i-- > 0)
                                        free(p[i]);
                                free(p);
                                errno = save_errno;
@@ -263,7 +263,9 @@ int load_env(char *envstr, FILE * f) {
        }
        if (state != FINI && state != EQ2 && !(state == VALUE && !quotechar)) {
                Debug(DPARS, ("load_env, not an env var, state = %d\n", state));
-                       fseek(f, filepos, 0);
+                       if (fseek(f, filepos, 0)) {
+                return ERR;
+           }
                Set_LineNum(fileline);
                return (FALSE);
        }

diff --git a/src/globals.h b/src/globals.h
index e957c9adba6efe719af353a5c85d2040afa4a68b..98a506738edcda00310338eb613618ad25fb5d9f 100644 (file)
--- a/src/globals.h
+++ b/src/globals.h
@@ -77,7 +77,7 @@ XTRN int      SyslogOutput;
 XTRN time_t    StartTime;
 XTRN int       NoFork;
 XTRN int        PermitAnyCrontab;
-XTRN char       MailCmd[MAX_COMMAND];
+XTRN char       MailCmd[MAX_COMMAND+1]; /* +1 for terminator */
 XTRN char       cron_default_mail_charset[MAX_ENVSTR];
 XTRN int        EnableClustering;
 XTRN int       ChangePath;

diff --git a/src/security.c b/src/security.c
index 703733a5c5b2a9c6128ed292e83e98cba7c4f150..d1bdc7f1897ad9ec0936269e23c15e28343b4d38 100644 (file)
--- a/src/security.c
+++ b/src/security.c
@@ -417,7 +417,7 @@ static int cron_change_selinux_range(user * u, security_context_t ucontext) {
                }
        }
 
-       if (strcmp(u->scontext, ucontext)) {
+       if (!ucontext || strcmp(u->scontext, ucontext)) {
                if (!cron_authorize_range(u->scontext, ucontext)) {
                        if (security_getenforce() > 0) {
 # ifdef WITH_AUDIT

diff --git a/src/user.c b/src/user.c
index e950db7c367f2307239c5d095f1c14cadb949ed5..b753f7d21d6cd76b3f2bf9c8c040b6cb1363db8e 100644 (file)
--- a/src/user.c
+++ b/src/user.c
@@ -44,6 +44,10 @@ void
 free_user (user * u) {
        entry *e, *ne;
 
+       if (!u) {
+               return;
+       }
+
        free(u->name);
        free(u->tabname);
        for (e = u->crontab; e != NULL; e = ne) {