bugfix: $ModDir did invalid bounds checking, potential overlow in

    dbgprintf() - thanks to varmojfekoj for the patch

3 files changed, 31 insertions, 15 deletions

diff --git a/ChangeLog b/ChangeLog
index e0602860..3437e683 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,9 @@
 ---------------------------------------------------------------------------
 Version 3.12.5 (rgerhards), 2008-03-??
 - bugfix: QHOUR and HHOUR properties were wrongly calculated
+- bugfix: fixed memory leaks in stream class and imfile
+- bugfix: $ModDir did invalid bounds checking, potential overlow in
+  dbgprintf() - thanks to varmojfekoj for the patch
 ---------------------------------------------------------------------------
 Version 3.12.4 (rgerhards), 2008-03-25
 - Greatly enhanced rsyslogd's file write performance by disabling
diff --git a/debug.c b/debug.c
index 39e7fc4f..3b56eede 100644
--- a/debug.c
+++ b/debug.c
@@ -818,7 +818,7 @@ dbgoprint(obj_t *pObj, char *fmt, ...)
 	lenWriteBuf = vsnprintf(pszWriteBuf, sizeof(pszWriteBuf), fmt, ap);
 	if(lenWriteBuf >= sizeof(pszWriteBuf)) {
 		/* if our buffer was too small, we simply truncate. TODO: maybe something better? */
-		lenWriteBuf--;
+		lenWriteBuf = sizeof(pszWriteBuf) - 1;
 	}
 	va_end(ap);
 	/*
@@ -892,7 +892,7 @@ dbgprintf(char *fmt, ...)
 	lenWriteBuf = vsnprintf(pszWriteBuf, sizeof(pszWriteBuf), fmt, ap);
 	if(lenWriteBuf >= sizeof(pszWriteBuf)) {
 		/* if our buffer was too small, we simply truncate. TODO: maybe something better? */
-		lenWriteBuf--;
+		lenWriteBuf = sizeof(pszWriteBuf) - 1;
 	}
 	va_end(ap);
 	/*
diff --git a/modules.c b/modules.c
index 1ec72773..9104ab7f 100644
--- a/modules.c
+++ b/modules.c
@@ -554,8 +554,8 @@ Load(uchar *pModName)
 {
 	DEFiRet;
 	
-        uchar szPath[512];
-        uchar errMsg[1024];
+	size_t iPathLen;
+	uchar szPath[PATH_MAX];
 	uchar *pModNameBase;
 	uchar *pModNameDup;
 	uchar *pExtension;
@@ -582,12 +582,25 @@ Load(uchar *pModName)
 	/* now build our load module name */
 	if(*pModName == '/') {
 		*szPath = '\0';	/* we do not need to append the path - its already in the module name */
+		iPathLen = 0;
 	} else {
-		strncpy((char *) szPath, (pModDir == NULL) ? _PATH_MODDIR : (char*) pModDir, sizeof(szPath));
+		*szPath = '\0';
+		strncat((char *) szPath, (pModDir == NULL) ? _PATH_MODDIR : (char*) pModDir, sizeof(szPath) - 1);
+		iPathLen = strlen((char*) szPath);
+		if((szPath[iPathLen - 1] != '/')) {
+			if((iPathLen <= sizeof(szPath) - 2)) {
+				szPath[iPathLen++] = '/';
+				szPath[iPathLen] = '\0';
+			} else {
+				errmsg.LogError(NO_ERRCODE, "could not load module '%s', path too long\n", pModName);
+				free(pModNameDup);
+				ABORT_FINALIZE(RS_RET_ERR);
+			}
+		}
 	}
 
 	/* ... add actual name ... */
-	strncat((char *) szPath, (char *) pModName, sizeof(szPath) - strlen((char*) szPath) - 1);
+	strncat((char *) szPath, (char *) pModName, sizeof(szPath) - iPathLen - 1);
 
 	/* now see if we have an extension and, if not, append ".so" */
 	for(pExtension = pModNameBase ; *pExtension && *pExtension != '.' ; ++pExtension)
@@ -600,28 +613,28 @@ Load(uchar *pModName)
 		 */
 		/* ... so now add the extension */
 		strncat((char *) szPath, ".so", sizeof(szPath) - strlen((char*) szPath) - 1);
+		iPathLen += 3;
 	}
 	free(pModNameDup);
 
+	if(iPathLen + strlen((char*) pModName) >= sizeof(szPath)) {
+		errmsg.LogError(NO_ERRCODE, "could not load module '%s', path too long\n", pModName);
+		ABORT_FINALIZE(RS_RET_ERR);
+	}
+
 	/* complete load path constructed, so ... GO! */
 	dbgprintf("loading module '%s'\n", szPath);
 	if(!(pModHdlr = dlopen((char *) szPath, RTLD_NOW))) {
-		snprintf((char *) errMsg, sizeof(errMsg), "could not load module '%s', dlopen: %s\n", szPath, dlerror());
-		errMsg[sizeof(errMsg)/sizeof(uchar) - 1] = '\0';
-		errmsg.LogError(NO_ERRCODE, "%s", errMsg);
+		errmsg.LogError(NO_ERRCODE, "could not load module '%s', dlopen: %s\n", szPath, dlerror());
 		ABORT_FINALIZE(RS_RET_ERR);
 	}
 	if(!(pModInit = dlsym(pModHdlr, "modInit"))) {
-		snprintf((char *) errMsg, sizeof(errMsg), "could not load module '%s', dlsym: %s\n", szPath, dlerror());
-		errMsg[sizeof(errMsg)/sizeof(uchar) - 1] = '\0';
-		errmsg.LogError(NO_ERRCODE, "%s", errMsg);
+		errmsg.LogError(NO_ERRCODE, "could not load module '%s', dlsym: %s\n", szPath, dlerror());
 		dlclose(pModHdlr);
 		ABORT_FINALIZE(RS_RET_ERR);
 	}
 	if((iRet = doModInit(pModInit, (uchar*) pModName, pModHdlr)) != RS_RET_OK) {
-		snprintf((char *) errMsg, sizeof(errMsg), "could not load module '%s', rsyslog error %d\n", szPath, iRet);
-		errMsg[sizeof(errMsg)/sizeof(uchar) - 1] = '\0';
-		errmsg.LogError(NO_ERRCODE, "%s", errMsg);
+		errmsg.LogError(NO_ERRCODE, "could not load module '%s', rsyslog error %d\n", szPath, iRet);
 		dlclose(pModHdlr);
 		ABORT_FINALIZE(RS_RET_ERR);
 	}