* [ULOGD PATCH 0/6] misc improvements and code cleaning
From: Eric Leblond @ 2010-09-22 0:47 UTC
To: netfilter-devel

Hi,

This patchset contains some light improvements and some code cleaning.

It starts with some build-related fixes. The basic idea is to be able to compile ulogd on a system without libnetfilter_conntrack and/or libnetfilter_log installed:
 - build: nfct and nflog can be disabled via configure option
 - ulogd.conf: Comment library dependant plugins

The last build-related patch adds a debug configure option to be able to activate some debug-related features (like being able to use gdb):
 - build: add debug configure flag

The next significant patches are two code cleaning patches. The only thing to note is that the second one could have some security implications:
 - filter_MARK: code factorization.
 - ulogd: use snprintf instead of sprintf in printpkt

If no one has a problem with these patches, I will push them to the git repository.

BR,
--
Eric Leblond <eric@inl.fr>
* [PATCH 1/6] build: nfct and nflog can be disabled via configure option
From: Eric Leblond @ 2010-09-22 0:47 UTC
To: netfilter-devel; +Cc: Eric Leblond

This patch modifies the build system to be able to disable the compilation of the NFCT and NFLOG input plugins. They are dependent on external libraries which may not be available on the system. The default is to compile these input plugins, which makes the compilation behaviour conservative.

Signed-off-by: Eric Leblond <eric@inl.fr>
---
 configure.ac              | 19 ++++++++++++++++---
 input/flow/Makefile.am    |  2 ++
 input/packet/Makefile.am  |  5 +++++
 output/ulogd_output_XML.c | 12 ++++++++++--
 4 files changed, 33 insertions(+), 5 deletions(-)

diff --git a/configure.ac b/configure.ac index e5a64fe..af14f36 100644 --- a/configure.ac +++ b/configure.ac 
@@ -38,11 +38,21 @@ LIBNFNETLINK_REQUIRED=0.0.39 LIBNETFILTER_CONNTRACK_REQUIRED=0.0.95 LIBNETFILTER_LOG_REQUIRED=1.0.0 -PKG_CHECK_MODULES(LIBNFNETLINK, libnfnetlink >= $LIBNFNETLINK_REQUIRED,, AC_MSG_ERROR(Cannot find libnfnetlink >= $LIBNFNETLINK_REQUIRED)) +AC_ARG_ENABLE(nfct, [AC_HELP_STRING(--disable-nfct, Do not build NFCT input plugin)],build_nfct=$enableval, build_nfct="yes") +AC_ARG_ENABLE(nflog, [AC_HELP_STRING(--disable-nflog, Do not build NFLOG input plugin)],build_nflog=$enableval, build_nflog="yes") +if test "${build_nfct}" = "yes" ||Â test "${build_nflog}" = "yes" ; then + PKG_CHECK_MODULES(LIBNFNETLINK, libnfnetlink >= $LIBNFNETLINK_REQUIRED,, AC_MSG_ERROR(Cannot find libnfnetlink >= $LIBNFNETLINK_REQUIRED)) +fi -PKG_CHECK_MODULES(LIBNETFILTER_CONNTRACK, libnetfilter_conntrack >= $LIBNETFILTER_CONNTRACK_REQUIRED,, AC_MSG_ERROR(Cannot find libnetfilter_conntrack >= $LIBNETFILTER_CONNTRACK_REQUIRED)) +if test "${build_nfct}" = "yes"; then + PKG_CHECK_MODULES(LIBNETFILTER_CONNTRACK, libnetfilter_conntrack >= $LIBNETFILTER_CONNTRACK_REQUIRED,, AC_MSG_ERROR(Cannot find libnetfilter_conntrack >= $LIBNETFILTER_CONNTRACK_REQUIRED)) + AC_DEFINE_UNQUOTED([HAVE_LIBNETFILTER_CONNTRACK],[1],[libnetfilter_conntrack is available]) +fi -PKG_CHECK_MODULES(LIBNETFILTER_LOG, libnetfilter_log >= $LIBNETFILTER_LOG_REQUIRED,, AC_MSG_ERROR(Cannot find libnetfilter_log >= $LIBNETFILTER_LOG_REQUIRED)) +if test "${build_nflog}" = "yes"; then + PKG_CHECK_MODULES(LIBNETFILTER_LOG, libnetfilter_log >= $LIBNETFILTER_LOG_REQUIRED,, AC_MSG_ERROR(Cannot find libnetfilter_log >= $LIBNETFILTER_LOG_REQUIRED)) + AC_DEFINE_UNQUOTED([HAVE_LIBNETFILTER_LOG],[1],[libnetfilter_log is available]) +fi CT_CHECK_POSTGRES_DB() 
@@ -60,6 +70,9 @@ AM_CONDITIONAL(HAVE_DBI, test "x$DBI_LIB" != "x") CT_CHECK_PCAP() AM_CONDITIONAL(HAVE_PCAP, test "x$PCAP_LIB" != "x") +AM_CONDITIONAL(HAVE_NFCT, test "x$build_nfct" != "xno") +AM_CONDITIONAL(HAVE_NFLOG, test "x$build_nflog" != "xno") + dnl AC_SUBST(DATABASE_DIR) dnl AC_SUBST(DATABASE_LIB) diff --git a/input/flow/Makefile.am b/input/flow/Makefile.am index 11bf217..5d7bdc4 100644 --- a/input/flow/Makefile.am +++ b/input/flow/Makefile.am @@ -2,11 +2,13 @@ AM_CPPFLAGS = $(all_includes) -I$(top_srcdir)/include AM_CFLAGS=-fPIC -Wall +if HAVE_NFCT pkglib_LTLIBRARIES = ulogd_inpflow_NFCT.la # ulogd_inpflow_IPFIX.la ulogd_inpflow_NFCT_la_SOURCES = ulogd_inpflow_NFCT.c ulogd_inpflow_NFCT_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) ulogd_inpflow_NFCT_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS) +endif #ulogd_inpflow_IPFIX_la_SOURCES = ulogd_inpflow_IPFIX.c #ulogd_inpflow_IPFIX_la_LDFLAGS = -avoid-version -module diff --git a/input/packet/Makefile.am b/input/packet/Makefile.am index e90e46e..44b7442 100644 --- a/input/packet/Makefile.am +++ b/input/packet/Makefile.am @@ -3,12 +3,17 @@ AM_CPPFLAGS = $(all_includes) -I$(top_srcdir)/include AM_CFLAGS=-fPIC -Wall LIBS= +if HAVE_NFLOG pkglib_LTLIBRARIES = ulogd_inppkt_NFLOG.la ulogd_inppkt_ULOG.la ulogd_inppkt_NFLOG_la_SOURCES = ulogd_inppkt_NFLOG.c ulogd_inppkt_NFLOG_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_LOG_LIBS) ulogd_inppkt_NFLOG_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_LOG_CFLAGS) +else +pkglib_LTLIBRARIES = ulogd_inppkt_ULOG.la +endif + ulogd_inppkt_ULOG_la_SOURCES = ulogd_inppkt_ULOG.c ulogd_inppkt_ULOG_la_LDFLAGS = -avoid-version -module ulogd_inppkt_ULOG_la_LIBADD = ../../libipulog/libipulog.la diff --git a/output/ulogd_output_XML.c b/output/ulogd_output_XML.c index 1ec9d8c..55ccd5a 100644 --- a/output/ulogd_output_XML.c +++ b/output/ulogd_output_XML.c 
@@ -18,8 +18,11 @@ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ +#include <config.h> #include <libnetfilter_conntrack/libnetfilter_conntrack.h> +#ifdef HAVE_LIBNETFILTER_LOG #include <libnetfilter_log/libnetfilter_log.h> +#endif #include <ulogd/ulogd.h> #include <sys/param.h> #include <time.h> @@ -95,6 +98,7 @@ xml_output_flow(struct ulogd_key *inp, char *buf, ssize_t size) return 0; } +#ifdef HAVE_LIBNETFILTER_LOG static int xml_output_packet(struct ulogd_key *inp, char *buf, ssize_t size) { @@ -107,6 +111,7 @@ xml_output_packet(struct ulogd_key *inp, char *buf, ssize_t size) return 0; } +#endif static int xml_output(struct ulogd_pluginstance *upi) { @@ -117,8 +122,11 @@ static int xml_output(struct ulogd_pluginstance *upi) if (pp_is_valid(inp, KEY_CT)) ret = xml_output_flow(inp, buf, sizeof(buf)); - else if (pp_is_valid(inp, KEY_PCKT)) - ret = xml_output_packet(inp, buf, sizeof(buf)); + else +#ifdef HAVE_LIBNETFILTER_LOG + if (pp_is_valid(inp, KEY_PCKT)) + ret = xml_output_packet(inp, buf, sizeof(buf)); +#endif if (ret < 0) return ULOGD_IRET_ERR; -- 1.6.1
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
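Review bot: In the last hunk of output/ulogd_output_XML.c, when HAVE_LIBNETFILTER_LOG is not defined the bare `else` is followed directly by `if (ret < 0) return ULOGD_IRET_ERR;`, so the error check becomes the else branch and is skipped whenever KEY_CT is valid and xml_output_flow() returns a negative value. Keep the `else` inside the #ifdef, or brace both branches, so that the `ret < 0` test runs in every configuration.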
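Review bot: In the first hunk of output/ulogd_output_XML.c, `#include <libnetfilter_conntrack/libnetfilter_conntrack.h>` stays unconditional and xml_output_flow() is left unguarded, while the HAVE_LIBNETFILTER_CONNTRACK define added in configure.ac is not used anywhere in this patch. On a host without the conntrack headers, a --disable-nfct build still stops at this include. Guard the include and the flow path the same way the NFLOG side is guarded, or make the XML output plugin itself conditional.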
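Review bot: In configure.ac the library checks run only when build_nfct or build_nflog is exactly "yes", but the AM_CONDITIONAL lines enable the plugins for any value other than "no". A value such as --enable-nfct=foo would therefore build ulogd_inpflow_NFCT without PKG_CHECK_MODULES having run, leaving LIBNETFILTER_CONNTRACK_CFLAGS and LIBNETFILTER_CONNTRACK_LIBS empty. Use the same test in both places.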
* Re: [PATCH 1/6] build: nfct and nflog can be disabled via configure option
From: Pablo Neira Ayuso @ 2010-09-30 9:58 UTC
To: Eric Leblond; +Cc: netfilter-devel

On 22/09/10 02:47, Eric Leblond wrote:
> This patch modifies the build system to be able to disable the compilation
> of the NFCT and NFLOG input plugins. They are dependent on external libraries
> which may not be available on the system.
> The default is to compile these input plugins, which makes the compilation
> behaviour conservative.

OK, if you need this go ahead.
* [PATCH 2/6] ulogd.conf: Comment library dependant plugins
From: Eric Leblond @ 2010-09-22 0:47 UTC
To: netfilter-devel; +Cc: Eric Leblond

Some plugins depend on external libraries. Thus loading of ulogd2 can fail if they have not been compiled and are not present on the system.

Signed-off-by: Eric Leblond <eric@inl.fr>
---
 ulogd.conf.in | 6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/ulogd.conf.in b/ulogd.conf.in index cda5bb9..de5bc11 100644 --- a/ulogd.conf.in +++ b/ulogd.conf.in @@ -25,9 +25,9 @@ loglevel=1 # 2. options for each plugin in seperate section below -plugin="@libdir@/ulogd/ulogd_inppkt_NFLOG.so" +#plugin="@libdir@/ulogd/ulogd_inppkt_NFLOG.so" #plugin="@libdir@/ulogd/ulogd_inppkt_ULOG.so" -plugin="@libdir@/ulogd/ulogd_inpflow_NFCT.so" +#plugin="@libdir@/ulogd/ulogd_inpflow_NFCT.so" plugin="@libdir@/ulogd/ulogd_filter_IFINDEX.so" plugin="@libdir@/ulogd/ulogd_filter_IP2STR.so" plugin="@libdir@/ulogd/ulogd_filter_IP2BIN.so" @@ -37,7 +37,7 @@ plugin="@libdir@/ulogd/ulogd_filter_PRINTFLOW.so" #plugin="@libdir@/ulogd/ulogd_filter_MARK.so" plugin="@libdir@/ulogd/ulogd_output_LOGEMU.so" plugin="@libdir@/ulogd/ulogd_output_SYSLOG.so" -plugin="@libdir@/ulogd/ulogd_output_XML.so" +#plugin="@libdir@/ulogd/ulogd_output_XML.so" #plugin="@libdir@/ulogd/ulogd_output_OPRINT.so" #plugin="@libdir@/ulogd/ulogd_output_NACCT.so" #plugin="@libdir@/ulogd/ulogd_output_PCAP.so" -- 1.6.1
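Review bot: With the first hunk applied, all three input plugin lines in ulogd.conf.in (ulogd_inppkt_NFLOG.so, ulogd_inppkt_ULOG.so, ulogd_inpflow_NFCT.so) are commented out, so the shipped default configuration loads no input plugin at all, and the second hunk also disables ulogd_output_XML.so, which the commit message does not mention. Since the file is generated from ulogd.conf.in, consider letting configure substitute the comment prefix only for plugins that were actually disabled, so that a default build keeps NFLOG and NFCT enabled.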
* Re: [PATCH 2/6] ulogd.conf: Comment library dependant plugins
From: Pablo Neira Ayuso @ 2010-09-30 9:51 UTC
To: Eric Leblond; +Cc: netfilter-devel

On 22/09/10 02:47, Eric Leblond wrote:
> diff --git a/ulogd.conf.in b/ulogd.conf.in > index cda5bb9..de5bc11 100644 > --- a/ulogd.conf.in > +++ b/ulogd.conf.in > @@ -25,9 +25,9 @@ loglevel=1 > # 2. options for each plugin in seperate section below > > > -plugin="@libdir@/ulogd/ulogd_inppkt_NFLOG.so" > +#plugin="@libdir@/ulogd/ulogd_inppkt_NFLOG.so" > #plugin="@libdir@/ulogd/ulogd_inppkt_ULOG.so" > -plugin="@libdir@/ulogd/ulogd_inpflow_NFCT.so" > +#plugin="@libdir@/ulogd/ulogd_inpflow_NFCT.so"

I prefer leaving this there. I know that you are doing this because of the compile time new option that you have inserted. But these are the main plugins!
* Re: [PATCH 2/6] ulogd.conf: Comment library dependant plugins
From: Eric Leblond @ 2010-09-30 21:23 UTC
To: Pablo Neira Ayuso; +Cc: netfilter-devel

Hi,

On Thursday 30 September 2010 at 11:51 +0200, Pablo Neira Ayuso wrote:
> On 22/09/10 02:47, Eric Leblond wrote:
> > diff --git a/ulogd.conf.in b/ulogd.conf.in > > index cda5bb9..de5bc11 100644 > > --- a/ulogd.conf.in > > +++ b/ulogd.conf.in > > @@ -25,9 +25,9 @@ loglevel=1 > > # 2. options for each plugin in seperate section below > > > > > > -plugin="@libdir@/ulogd/ulogd_inppkt_NFLOG.so" > > +#plugin="@libdir@/ulogd/ulogd_inppkt_NFLOG.so" > > #plugin="@libdir@/ulogd/ulogd_inppkt_ULOG.so" > > -plugin="@libdir@/ulogd/ulogd_inpflow_NFCT.so" > > +#plugin="@libdir@/ulogd/ulogd_inpflow_NFCT.so"
>
> I prefer leaving this there. I know that you are doing this because of
> the compile time new option that you have inserted. But these are the
> main plugins!

I'm ok with that. It may cause more difficulty than it solves.

BR,
--
Eric Leblond <eric@inl.fr>
NuFW: http://www.nufw.org/
* [PATCH 3/6] build: add debug configure flag
From: Eric Leblond @ 2010-09-22 0:47 UTC
To: netfilter-devel; +Cc: Eric Leblond

This patch adds a debug option for configure which sets some compile options useful for debugging.

Signed-off-by: Eric Leblond <eric@inl.fr>
---
 configure.ac    | 11 +++++++++--
 src/Makefile.am |  4 ++++
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/configure.ac b/configure.ac index af14f36..0819a17 100644 --- a/configure.ac +++ b/configure.ac @@ -31,8 +31,6 @@ dnl Checks for library functions. AC_FUNC_VPRINTF AC_CHECK_FUNCS(socket strerror) -CFLAGS="$CFLAGS -Wall -Wextra -Wno-unused-parameter" - dnl Check for the right nfnetlink version LIBNFNETLINK_REQUIRED=0.0.39 LIBNETFILTER_CONNTRACK_REQUIRED=0.0.95 @@ -55,6 +53,8 @@ if test "${build_nflog}" = "yes"; then fi +AC_ARG_ENABLE(debug, [AC_HELP_STRING(--enable-debug, Do build ulogd in debug mode)],build_debug=$enableval, build_debug="no") + CT_CHECK_POSTGRES_DB() AM_CONDITIONAL(HAVE_PGSQL, test "x$PQLIBPATH" != "x") 
@@ -73,6 +73,13 @@ AM_CONDITIONAL(HAVE_PCAP, test "x$PCAP_LIB" != "x") AM_CONDITIONAL(HAVE_NFCT, test "x$build_nfct" != "xno") AM_CONDITIONAL(HAVE_NFLOG, test "x$build_nflog" != "xno") +AM_CONDITIONAL(HAVE_DEBUG, test "x$build_debug" != "xno") + +if test "${build_debug}" = "yes" ; then + CFLAGS="$CFLAGS -O0 -Wall -Wextra -Wno-unused-parameter" +else + CFLAGS="$CFLAGS -Wall -Wextra -Wno-unused-parameter" +fi dnl AC_SUBST(DATABASE_DIR) dnl AC_SUBST(DATABASE_LIB) diff --git a/src/Makefile.am b/src/Makefile.am index aa9a3fa..26e0e53 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -6,4 +6,8 @@ AM_CPPFLAGS = $(all_includes) -I$(top_srcdir)/include \ sbin_PROGRAMS = ulogd ulogd_SOURCES = ulogd.c select.c timer.c rbtree.c conffile.c hash.c +if HAVE_DEBUG +ulogd_LDFLAGS = -lpthread -export-dynamic +else ulogd_LDFLAGS = -export-dynamic +endif -- 1.6.1
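Review bot: In the second configure.ac hunk, HAVE_DEBUG is true for any value other than "no" while -O0 is added only when build_debug is exactly "yes", so a value such as --enable-debug=full would link with -lpthread yet compile without -O0; test the same condition in both places. The warning flags are also repeated verbatim in both branches: set them once and append -O0 (plus -g, if symbols are wanted regardless of the user's CFLAGS) only in the debug case.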
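Review bot: In src/Makefile.am, `-lpthread` is added through ulogd_LDFLAGS with nothing in the file or the commit message saying why a debug build needs it. Automake puts LDFLAGS before the objects on the link line, so a library belongs in ulogd_LDADD, and a one-line comment naming the debugger problem it works around would keep it from reading as a real dependency of ulogd.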
* Re: [PATCH 3/6] build: add debug configure flag
From: Pablo Neira Ayuso @ 2010-09-30 9:50 UTC
To: Eric Leblond; +Cc: netfilter-devel

On 22/09/10 02:47, Eric Leblond wrote:
> --- a/src/Makefile.am > +++ b/src/Makefile.am > @@ -6,4 +6,8 @@ AM_CPPFLAGS = $(all_includes) -I$(top_srcdir)/include \ > sbin_PROGRAMS = ulogd > > ulogd_SOURCES = ulogd.c select.c timer.c rbtree.c conffile.c hash.c > +if HAVE_DEBUG > +ulogd_LDFLAGS = -lpthread -export-dynamic

Do we still have the gdb pthread issue?
* Re: [PATCH 3/6] build: add debug configure flag
From: Eric Leblond @ 2010-09-30 21:22 UTC
To: Pablo Neira Ayuso; +Cc: netfilter-devel

Hi,

On Thursday 30 September 2010 at 11:50 +0200, Pablo Neira Ayuso wrote:
> On 22/09/10 02:47, Eric Leblond wrote:
> > --- a/src/Makefile.am > > +++ b/src/Makefile.am > > @@ -6,4 +6,8 @@ AM_CPPFLAGS = $(all_includes) -I$(top_srcdir)/include \ > > sbin_PROGRAMS = ulogd > > > > ulogd_SOURCES = ulogd.c select.c timer.c rbtree.c conffile.c hash.c > > +if HAVE_DEBUG > > +ulogd_LDFLAGS = -lpthread -export-dynamic
>
> Do we still have the gdb pthread issue?

I've got it on my debian "sid" and it seems someone has got it on bugzilla.

BR,
--
Eric Leblond <eric@inl.fr>
NuFW: http://www.nufw.org/
* Re: [PATCH 3/6] build: add debug configure flag
From: Jan Engelhardt @ 2010-10-01 22:22 UTC
To: Eric Leblond; +Cc: Pablo Neira Ayuso, netfilter-devel

On Thursday 2010-09-30 23:22, Eric Leblond wrote:
>Hi,
>
>On Thursday 30 September 2010 at 11:50 +0200, Pablo Neira Ayuso wrote:
>> On 22/09/10 02:47, Eric Leblond wrote:
>> > --- a/src/Makefile.am >> > +++ b/src/Makefile.am >> > @@ -6,4 +6,8 @@ AM_CPPFLAGS = $(all_includes) -I$(top_srcdir)/include \ >> > sbin_PROGRAMS = ulogd >> > >> > ulogd_SOURCES = ulogd.c select.c timer.c rbtree.c conffile.c hash.c >> > +if HAVE_DEBUG >> > +ulogd_LDFLAGS = -lpthread -export-dynamic
>>
>> Do we still have the gdb pthread issue?
>
>I've got it on my debian "sid" and it seems someone has got it on
>bugzilla.

When exactly does it happen? Do you have a testcase?
(I tried `grep -ri pthr .` in ulogd2 but that showed no use of pthr at all.)
* Re: [PATCH 3/6] build: add debug configure flag
From: Pablo Neira Ayuso @ 2010-10-03 10:15 UTC
To: Jan Engelhardt; +Cc: Eric Leblond, netfilter-devel

On 02/10/10 00:22, Jan Engelhardt wrote:
> On Thursday 2010-09-30 23:22, Eric Leblond wrote:
>
>> Hi,
>>
>> On Thursday 30 September 2010 at 11:50 +0200, Pablo Neira Ayuso wrote:
>>> On 22/09/10 02:47, Eric Leblond wrote:
>>>> --- a/src/Makefile.am >>>> +++ b/src/Makefile.am >>>> @@ -6,4 +6,8 @@ AM_CPPFLAGS = $(all_includes) -I$(top_srcdir)/include \ >>>> sbin_PROGRAMS = ulogd >>>> >>>> ulogd_SOURCES = ulogd.c select.c timer.c rbtree.c conffile.c hash.c >>>> +if HAVE_DEBUG >>>> +ulogd_LDFLAGS = -lpthread -export-dynamic
>>>
>>> Do we still have the gdb pthread issue?
>>
>> I've got it on my debian "sid" and it seems someone has got it on
>> bugzilla.
>
> When exactly does it happen? Do you have a testcase?
> (I tried `grep -ri pthr .` in ulogd2 but that showed no use of pthr at
> all.)

The problem is gdb in debian, which doesn't seem to work if ulogd2 is not compiled with pthread. If this is a gdb bug, it should be fixed there. I know that it's annoying for debugging ulogd2. However, I think this may confuse people since ulogd2 requires no pthreads at all.
* [PATCH 4/6] ulogd.conf: add a complex but useful stack example
From: Eric Leblond @ 2010-09-22 0:47 UTC
To: netfilter-devel; +Cc: Eric Leblond

This patch adds a complex but useful stack example. It was undocumented that multiple output plugins can be used in the same stack. This patch changes a variable name to fix some example stacks.

Signed-off-by: Eric Leblond <eric@inl.fr>
---
 ulogd.conf.in | 7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/ulogd.conf.in b/ulogd.conf.in index de5bc11..75b4880 100644 --- a/ulogd.conf.in +++ b/ulogd.conf.in @@ -58,6 +58,9 @@ plugin="@libdir@/ulogd/ulogd_raw2packet_BASE.so" # this is a stack for packet-based logging via LOGEMU with filtering on MARK #stack=log2:NFLOG,mark1:MARK,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU +# this is a stack for packet-based logging via SYSLOG and logging to LOGEMU after filtering on MARK +#stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,sys1:SYSLOG,mark1:MARK,emu1:LOGEMU + # this is a stack for flow-based logging via LOGEMU #stack=ct1:NFCT,ip2str1:IP2STR,print1:PRINTFLOW,emu1:LOGEMU @@ -209,8 +212,8 @@ table="ulog" pass="ulog2" procedure="INSERT_PACKET_FULL" -[sys2] -facility=LOG_LOCAL2 +[sys1] +facility=LOG_LOCAL1 [nacct1] sync = 1 -- 1.6.1
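Review bot: The second hunk does more than rename the section: besides [sys2] becoming [sys1], the facility changes from LOG_LOCAL2 to LOG_LOCAL1, which the commit message does not mention and which moves the example's syslog output to a different facility. Keep facility=LOG_LOCAL2 under the new name or state the change in the message. The comment on the added stack could also say outright that SYSLOG receives every packet and only LOGEMU sees the MARK-filtered ones, since the plugin order is what decides that.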
* [PATCH 5/6] filter_MARK: code factorization.
From: Eric Leblond @ 2010-09-22 0:47 UTC
To: netfilter-devel; +Cc: Eric Leblond

This patch brings a light factorization in the decision making process.

Signed-off-by: Eric Leblond <eric@inl.fr>
---
 filter/ulogd_filter_MARK.c | 24 +++++++++++-------------
 1 files changed, 11 insertions(+), 13 deletions(-)

diff --git a/filter/ulogd_filter_MARK.c b/filter/ulogd_filter_MARK.c index 1a7c2fd..85c146c 100644 --- a/filter/ulogd_filter_MARK.c +++ b/filter/ulogd_filter_MARK.c @@ -71,20 +71,18 @@ static struct ulogd_key mark_inp[] = { static int interp_mark(struct ulogd_pluginstance *pi) { struct ulogd_key *inp = pi->input.keys; - if (pp_is_valid(inp, KEY_CT_MARK)) { - if ((ikey_get_u32(&inp[KEY_CT_MARK]) & - pi->config_kset->ces[MARK_MASK].u.value) != + int index = 0; + if (pp_is_valid(inp, KEY_CT_MARK)) + index = KEY_CT_MARK; + else if (pp_is_valid(inp, KEY_OOB_MARK)) + index = KEY_OOB_MARK; + else + return ULOGD_IRET_OK; + if ((ikey_get_u32(&inp[index]) & + pi->config_kset->ces[MARK_MASK].u.value) != (u_int32_t) pi->config_kset->ces[MARK_MARK].u.value - ) { - return ULOGD_IRET_STOP; - } - } else if (pp_is_valid(inp, KEY_OOB_MARK)) { - if ((ikey_get_u32(&inp[KEY_OOB_MARK]) & - pi->config_kset->ces[MARK_MASK].u.value) != - (u_int32_t) pi->config_kset->ces[MARK_MARK].u.value - ) { - return ULOGD_IRET_STOP; - } + ) { + return ULOGD_IRET_STOP; } return ULOGD_IRET_OK; } -- 1.6.1
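Review bot: In interp_mark(), the initializer in `int index = 0;` is dead, since every path either assigns index or returns, and it would silently select key 0 if a later edit dropped the final `else return ULOGD_IRET_OK;`. Leave the variable uninitialised so the compiler can flag such a path, and consider a name such as mark_key, which does not clash with index() from <strings.h>. A short comment on the final else, stating that a packet with neither mark key valid is passed through rather than stopped, would document the filter's default.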
* [PATCH 6/6] ulogd: use snprintf instead of sprintf in printpkt
From: Eric Leblond @ 2010-09-22 0:47 UTC
To: netfilter-devel; +Cc: Eric Leblond

This patch modifies printpkt to use snprintf instead of sprintf. As the buffer size is arbitrarily fixed and as the printed part includes some user entry, it is safer to use snprintf.

Signed-off-by: Eric Leblond <eric@inl.fr>
---
 filter/ulogd_filter_PRINTPKT.c |   4 +-
 include/ulogd/printpkt.h       |   3 +-
 util/printpkt.c                | 166 +++++++++++++++++++++-------------------
 3 files changed, 91 insertions(+), 82 deletions(-)

diff --git a/filter/ulogd_filter_PRINTPKT.c b/filter/ulogd_filter_PRINTPKT.c index 3313194..16a4741 100644 --- a/filter/ulogd_filter_PRINTPKT.c +++ b/filter/ulogd_filter_PRINTPKT.c @@ -34,9 +34,9 @@ static int printpkt_interp(struct ulogd_pluginstance *upi) { struct ulogd_key *inp = upi->input.keys; struct ulogd_key *ret = upi->output.keys; - static char buf[4096]; + static char buf[PRINTPKT_BUF_SIZE]; - printpkt_print(inp, buf); + printpkt_print(inp, buf, PRINTPKT_BUF_SIZE); okey_set_ptr(&ret[0], buf); return ULOGD_IRET_OK; } diff --git a/include/ulogd/printpkt.h b/include/ulogd/printpkt.h index a11ce4a..882dbf5 100644 --- a/include/ulogd/printpkt.h +++ b/include/ulogd/printpkt.h @@ -67,8 +67,9 @@ enum pkt_keys { }; #define PRINTPKT_KEYS (__PRINTPKT_KEYS) +#define PRINTPKT_BUF_SIZE 4096 extern struct ulogd_key printpkt_keys[PRINTPKT_KEYS]; -int printpkt_print(struct ulogd_key *res, char *buf); +int printpkt_print(struct ulogd_key *res, char *buf, size_t bufsiz); #endif diff --git a/util/printpkt.c b/util/printpkt.c index 5250792..a800555 100644 --- a/util/printpkt.c +++ b/util/printpkt.c 
@@ -106,91 +106,93 @@ struct ulogd_key printpkt_keys[] = { [KEY_SCTP_DPORT] = { .name = "sctp.dport", }, }; -static int printpkt_proto(struct ulogd_key *res, char *buf, int protocol) +static int printpkt_proto(struct ulogd_key *res, char *buf, size_t bufsiz, int protocol) { char *buf_cur = buf; + char *end_buf = buf + bufsiz; + switch (protocol) { case IPPROTO_TCP: - buf_cur += sprintf(buf_cur, "PROTO=TCP "); + buf_cur += snprintf(buf_cur, bufsiz, "PROTO=TCP "); if (!pp_is_valid(res, KEY_TCP_SPORT)) { - buf_cur += sprintf(buf_cur, "INCOMPLETE"); + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "INCOMPLETE"); break; } - buf_cur += sprintf(buf_cur, "SPT=%u DPT=%u ", + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "SPT=%u DPT=%u ", ikey_get_u16(&res[KEY_TCP_SPORT]), ikey_get_u16(&res[KEY_TCP_DPORT])); /* FIXME: config */ - buf_cur += sprintf(buf_cur, "SEQ=%u ACK=%u ", + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "SEQ=%u ACK=%u ", ikey_get_u32(&res[KEY_TCP_SEQ]), ikey_get_u32(&res[KEY_TCP_ACKSEQ])); - buf_cur += sprintf(buf_cur, "WINDOW=%u ", + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "WINDOW=%u ", ikey_get_u16(&res[KEY_TCP_WINDOW])); // buf_cur += sprintf(buf_cur, "RES=0x%02x ", if (ikey_get_u8(&res[KEY_TCP_URG])) - buf_cur += sprintf(buf_cur, "URG "); + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "URG "); if (ikey_get_u8(&res[KEY_TCP_ACK])) - buf_cur += sprintf(buf_cur, "ACK "); + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "ACK "); if (ikey_get_u8(&res[KEY_TCP_PSH])) - buf_cur += sprintf(buf_cur, "PSH "); + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "PSH "); if (ikey_get_u8(&res[KEY_TCP_RST])) - buf_cur += sprintf(buf_cur, "RST "); + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "RST "); if (ikey_get_u8(&res[KEY_TCP_SYN])) - buf_cur += sprintf(buf_cur, "SYN "); + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "SYN "); if (ikey_get_u8(&res[KEY_TCP_FIN])) - buf_cur += sprintf(buf_cur, "FIN "); + buf_cur += snprintf(buf_cur, end_buf - 
buf_cur, "FIN "); - buf_cur += sprintf(buf_cur, "URGP=%u ", + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "URGP=%u ", ikey_get_u16(&res[KEY_TCP_URGP])); break; case IPPROTO_UDP: - buf_cur += sprintf(buf_cur, "PROTO=UDP "); + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "PROTO=UDP "); if (!pp_is_valid(res, KEY_UDP_SPORT)) { - buf_cur += sprintf(buf_cur, "INCOMPLETE"); + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "INCOMPLETE"); break; } - buf_cur += sprintf(buf_cur, "SPT=%u DPT=%u LEN=%u ", + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "SPT=%u DPT=%u LEN=%u ", ikey_get_u16(&res[KEY_UDP_SPORT]), ikey_get_u16(&res[KEY_UDP_DPORT]), ikey_get_u16(&res[KEY_UDP_LEN])); break; case IPPROTO_SCTP: - buf_cur += sprintf(buf_cur, "PROTO=SCTP "); + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "PROTO=SCTP "); if (!pp_is_valid(res, KEY_SCTP_SPORT)) { - buf_cur += sprintf(buf_cur, "INCOMPLETE"); + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "INCOMPLETE"); break; } - buf_cur += sprintf(buf_cur, "SPT=%u DPT=%u ", + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "SPT=%u DPT=%u ", ikey_get_u16(&res[KEY_SCTP_SPORT]), ikey_get_u16(&res[KEY_SCTP_DPORT])); break; case IPPROTO_ESP: case IPPROTO_AH: - buf_cur += sprintf(buf_cur, "PROTO=%s ", + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "PROTO=%s ", ikey_get_u8(&res[KEY_IP_PROTOCOL]) == IPPROTO_ESP ? "ESP" : "AH"); if (!pp_is_valid(res, KEY_AHESP_SPI)) { - buf_cur += sprintf(buf_cur, "INCOMPLETE"); + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "INCOMPLETE"); break; } - buf_cur += sprintf(buf_cur, "SPI=0x%x ", + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "SPI=0x%x ", ikey_get_u32(&res[KEY_AHESP_SPI])); break; } 
@@ -198,22 +200,23 @@ static int printpkt_proto(struct ulogd_key *res, char *buf, int protocol) return buf_cur - buf; } -static int printpkt_ipv4(struct ulogd_key *res, char *buf) +static int printpkt_ipv4(struct ulogd_key *res, char *buf, size_t bufsiz) { char *buf_cur = buf; + char *end_buf = buf + bufsiz; char tmp[INET_ADDRSTRLEN]; u_int32_t paddr; if (pp_is_valid(res, KEY_IP_SADDR)) - buf_cur += sprintf(buf_cur, "SRC=%s ", + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "SRC=%s ", (char *) ikey_get_ptr(&res[KEY_IP_SADDR])); if (pp_is_valid(res, KEY_IP_DADDR)) - buf_cur += sprintf(buf_cur, "DST=%s ", + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "DST=%s ", (char *) ikey_get_ptr(&res[KEY_IP_DADDR])); /* FIXME: add pp_is_valid calls to remainder of file */ - buf_cur += sprintf(buf_cur,"LEN=%u TOS=%02X PREC=0x%02X TTL=%u ID=%u ", + buf_cur += snprintf(buf_cur, end_buf - buf_cur,"LEN=%u TOS=%02X PREC=0x%02X TTL=%u ID=%u ", ikey_get_u16(&res[KEY_IP_TOTLEN]), ikey_get_u8(&res[KEY_IP_TOS]) & IPTOS_TOS_MASK, ikey_get_u8(&res[KEY_IP_TOS]) & IPTOS_PREC_MASK, @@ -221,16 +224,16 @@ static int printpkt_ipv4(struct ulogd_key *res, char *buf) ikey_get_u16(&res[KEY_IP_ID])); if (ikey_get_u16(&res[KEY_IP_FRAGOFF]) & IP_RF) - buf_cur += sprintf(buf_cur, "CE "); + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "CE "); if (ikey_get_u16(&res[KEY_IP_FRAGOFF]) & IP_DF) - buf_cur += sprintf(buf_cur, "DF "); + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "DF "); if (ikey_get_u16(&res[KEY_IP_FRAGOFF]) & IP_MF) - buf_cur += sprintf(buf_cur, "MF "); + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "MF "); if (ikey_get_u16(&res[KEY_IP_FRAGOFF]) & IP_OFFMASK) - buf_cur += sprintf(buf_cur, "FRAG:%u ", + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "FRAG:%u ", ikey_get_u16(&res[KEY_IP_FRAGOFF]) & IP_OFFMASK); switch (ikey_get_u8(&res[KEY_IP_PROTOCOL])) { 
@@ -239,86 +242,87 @@ static int printpkt_ipv4(struct ulogd_key *res, char *buf) case IPPROTO_SCTP: case IPPROTO_ESP: case IPPROTO_AH: - buf_cur += printpkt_proto(res, buf_cur, + buf_cur += printpkt_proto(res, buf_cur, end_buf - buf_cur, ikey_get_u8(&res[KEY_IP_PROTOCOL])); break; case IPPROTO_ICMP: - buf_cur += sprintf(buf_cur, "PROTO=ICMP "); + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "PROTO=ICMP "); if (!pp_is_valid(res, KEY_ICMP_TYPE)) { - buf_cur += sprintf(buf_cur, "INCOMPLETE"); + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "INCOMPLETE"); break; } - buf_cur += sprintf(buf_cur, "TYPE=%u CODE=%u ", + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "TYPE=%u CODE=%u ", ikey_get_u8(&res[KEY_ICMP_TYPE]), ikey_get_u8(&res[KEY_ICMP_CODE])); switch (ikey_get_u8(&res[KEY_ICMP_CODE])) { case ICMP_ECHO: case ICMP_ECHOREPLY: - buf_cur += sprintf(buf_cur, "ID=%u SEQ=%u ", + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "ID=%u SEQ=%u ", ikey_get_u16(&res[KEY_ICMP_ECHOID]), ikey_get_u16(&res[KEY_ICMP_ECHOSEQ])); break; case ICMP_PARAMETERPROB: - buf_cur += sprintf(buf_cur, "PARAMETER=%u ", + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "PARAMETER=%u ", ikey_get_u32(&res[KEY_ICMP_GATEWAY]) >> 24); break; case ICMP_REDIRECT: paddr = ikey_get_u32(&res[KEY_ICMP_GATEWAY]), - buf_cur += sprintf(buf_cur, "GATEWAY=%s ", + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "GATEWAY=%s ", inet_ntop(AF_INET, &paddr, tmp, sizeof(tmp))); break; case ICMP_DEST_UNREACH: if (ikey_get_u8(&res[KEY_ICMP_CODE]) == ICMP_FRAG_NEEDED) - buf_cur += sprintf(buf_cur, "MTU=%u ", + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "MTU=%u ", ikey_get_u16(&res[KEY_ICMP_FRAGMTU])); break; } break; default: - buf_cur += sprintf(buf_cur, "PROTO=%u ", + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "PROTO=%u ", ikey_get_u8(&res[KEY_IP_PROTOCOL])); } return buf_cur - buf; } -static int printpkt_ipv6(struct ulogd_key *res, char *buf) +static int printpkt_ipv6(struct ulogd_key *res, char *buf, 
size_t bufsiz) { char *buf_cur = buf; + char *end_buf = buf + bufsiz; if (pp_is_valid(res, KEY_IP_SADDR)) - buf_cur += sprintf(buf_cur, "SRC=%s ", + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "SRC=%s ", (char *) ikey_get_ptr(&res[KEY_IP_SADDR])); if (pp_is_valid(res, KEY_IP_DADDR)) - buf_cur += sprintf(buf_cur, "DST=%s ", + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "DST=%s ", (char *) ikey_get_ptr(&res[KEY_IP_DADDR])); if (pp_is_valid(res, KEY_IP6_PAYLOAD_LEN)) - buf_cur += sprintf(buf_cur, "LEN=%Zu ", + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "LEN=%Zu ", ikey_get_u16(&res[KEY_IP6_PAYLOAD_LEN]) + sizeof(struct ip6_hdr)); if (pp_is_valid(res, KEY_IP6_PRIORITY)) - buf_cur += sprintf(buf_cur, "TC=%u ", + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "TC=%u ", ikey_get_u8(&res[KEY_IP6_PRIORITY])); if (pp_is_valid(res, KEY_IP6_HOPLIMIT)) - buf_cur += sprintf(buf_cur, "HOPLIMIT=%u ", + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "HOPLIMIT=%u ", ikey_get_u8(&res[KEY_IP6_HOPLIMIT])); if (pp_is_valid(res, KEY_IP6_FLOWLABEL)) - buf_cur += sprintf(buf_cur, "FLOWLBL=%u ", + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "FLOWLBL=%u ", ikey_get_u32(&res[KEY_IP6_FLOWLABEL])); if (pp_is_valid(res, KEY_IP6_FRAG_OFF) && pp_is_valid(res, KEY_IP6_FRAG_ID)) - buf_cur += sprintf(buf_cur, "FRAG: %u ID: %08x ", + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "FRAG: %u ID: %08x ", ikey_get_u16(&res[KEY_IP6_FRAG_OFF]), ikey_get_u32(&res[KEY_IP6_FRAG_ID])); 
@@ -328,31 +332,31 @@ static int printpkt_ipv6(struct ulogd_key *res, char *buf) case IPPROTO_SCTP: case IPPROTO_ESP: case IPPROTO_AH: - buf_cur += printpkt_proto(res, buf_cur, + buf_cur += printpkt_proto(res, buf_cur, bufsiz, ikey_get_u8(&res[KEY_IP6_NEXTHDR])); break; case IPPROTO_ICMPV6: - buf_cur += sprintf(buf_cur, "PROTO=ICMPv6 "); + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "PROTO=ICMPv6 "); if (!pp_is_valid(res, KEY_ICMPV6_TYPE)) { - buf_cur += sprintf(buf_cur, "INCOMPLETE"); + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "INCOMPLETE"); break; } if (!(pp_is_valid(res, KEY_ICMPV6_TYPE) && pp_is_valid(res, KEY_ICMPV6_CODE))) { - buf_cur += sprintf(buf_cur, "TRUNCATED"); + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "TRUNCATED"); break; } - buf_cur += sprintf(buf_cur, "TYPE=%u CODE=%u ", + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "TYPE=%u CODE=%u ", ikey_get_u8(&res[KEY_ICMPV6_TYPE]), ikey_get_u8(&res[KEY_ICMPV6_CODE])); switch (ikey_get_u8(&res[KEY_ICMPV6_TYPE])) { case ICMP6_ECHO_REQUEST: case ICMP6_ECHO_REPLY: - buf_cur += sprintf(buf_cur, "ID=%u SEQ=%u ", + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "ID=%u SEQ=%u ", ikey_get_u16(&res[KEY_ICMPV6_ECHOID]), ikey_get_u16(&res[KEY_ICMPV6_ECHOSEQ])); break; 
@@ -363,41 +367,42 @@ static int printpkt_ipv6(struct ulogd_key *res, char *buf) return buf_cur - buf; } -int printpkt_arp(struct ulogd_key *res, char *buf) +int printpkt_arp(struct ulogd_key *res, char *buf, size_t bufsiz) { char *buf_cur = buf; + char *end_buf = buf + bufsiz; u_int16_t code = 0; u_int8_t *mac; if (pp_is_valid(res, KEY_ARP_SPA)) - buf_cur += sprintf(buf_cur, "SRC=%s ", + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "SRC=%s ", (char *) ikey_get_ptr(&res[KEY_ARP_SPA])); if (pp_is_valid(res, KEY_ARP_TPA)) - buf_cur += sprintf(buf_cur, "DST=%s ", + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "DST=%s ", (char *) ikey_get_ptr(&res[KEY_ARP_TPA])); - buf_cur += sprintf(buf_cur, "PROTO=ARP "); + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "PROTO=ARP "); if (pp_is_valid(res, KEY_ARP_OPCODE)) { code = ikey_get_u16(&res[KEY_ARP_OPCODE]); switch (code) { case ARPOP_REQUEST: - buf_cur += sprintf(buf_cur, "REQUEST "); + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "REQUEST "); break; case ARPOP_REPLY: - buf_cur += sprintf(buf_cur, "REPLY "); + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "REPLY "); break; case ARPOP_NAK: - buf_cur += sprintf(buf_cur, "NAK "); + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "NAK "); break; default: - buf_cur += sprintf(buf_cur, "CODE=%u ", code); + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "CODE=%u ", code); } if (pp_is_valid(res, KEY_ARP_SHA) && (code == ARPOP_REPLY)) { mac = ikey_get_ptr(&res[KEY_ARP_SHA]); - buf_cur += sprintf(buf_cur, "REPLY_MAC=" + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "REPLY_MAC=" "%02x:%02x:%02x:%02x:%02x:%02x ", mac[0], mac[1], mac[2], mac[3], mac[4], mac[5]); 
@@ -408,38 +413,40 @@ int printpkt_arp(struct ulogd_key *res, char *buf) } -int printpkt_bridge(struct ulogd_key *res, char *buf) +int printpkt_bridge(struct ulogd_key *res, char *buf, size_t bufsiz) { char *buf_cur = buf; + char *end_buf = buf + bufsiz; switch (ikey_get_u16(&res[KEY_OOB_PROTOCOL])) { case ETH_P_IP: - buf_cur += printpkt_ipv4(res, buf_cur); + buf_cur += printpkt_ipv4(res, buf_cur, bufsiz); break; case ETH_P_IPV6: - buf_cur += printpkt_ipv6(res, buf_cur); + buf_cur += printpkt_ipv6(res, buf_cur, end_buf - buf_cur); break; case ETH_P_ARP: - buf_cur += printpkt_arp(res, buf_cur); + buf_cur += printpkt_arp(res, buf_cur, end_buf - buf_cur); break; default: - buf_cur += sprintf(buf_cur, "PROTO=%u ", + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "PROTO=%u ", ikey_get_u16(&res[KEY_OOB_PROTOCOL])); } return buf_cur - buf; } -int printpkt_print(struct ulogd_key *res, char *buf) +int printpkt_print(struct ulogd_key *res, char *buf, size_t bufsiz) { char *buf_cur = buf; + char *end_buf = buf + bufsiz - 1; /* counting endline added */ if (pp_is_valid(res, KEY_OOB_PREFIX)) - buf_cur += sprintf(buf_cur, "%s ", + buf_cur += snprintf(buf_cur, bufsiz, "%s ", (char *) ikey_get_ptr(&res[KEY_OOB_PREFIX])); if (pp_is_valid(res, KEY_OOB_IN) && pp_is_valid(res, KEY_OOB_OUT)) - buf_cur += sprintf(buf_cur, "IN=%s OUT=%s ", + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "IN=%s OUT=%s ", (char *) ikey_get_ptr(&res[KEY_OOB_IN]), (char *) ikey_get_ptr(&res[KEY_OOB_OUT])); 
@@ -448,33 +455,34 @@ int printpkt_print(struct ulogd_key *res, char *buf) unsigned char *mac = (unsigned char *) ikey_get_ptr(&res[KEY_RAW_MAC]); int i, len = ikey_get_u16(&res[KEY_RAW_MACLEN]); - buf_cur += sprintf(buf_cur, "MAC="); + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "MAC="); for (i = 0; i < len; i++) - buf_cur += sprintf(buf_cur, "%02x%c", mac[i], + buf_cur += snprintf(buf_cur, end_buf - buf_cur, + "%02x%c", mac[i], i == len - 1 ? ' ' : ':'); } else - buf_cur += sprintf(buf_cur, "MAC= "); + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "MAC= "); switch (ikey_get_u8(&res[KEY_OOB_FAMILY])) { case AF_INET: - buf_cur += printpkt_ipv4(res, buf_cur); + buf_cur += printpkt_ipv4(res, buf_cur, end_buf - buf_cur); break; case AF_INET6: - buf_cur += printpkt_ipv6(res, buf_cur); + buf_cur += printpkt_ipv6(res, buf_cur, end_buf - buf_cur); break; case AF_BRIDGE: - buf_cur += printpkt_bridge(res, buf_cur); + buf_cur += printpkt_bridge(res, buf_cur, end_buf - buf_cur); break; } if (pp_is_valid(res, KEY_OOB_UID)) - buf_cur += sprintf(buf_cur, "UID=%u ", + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "UID=%u ", ikey_get_u32(&res[KEY_OOB_UID])); if (pp_is_valid(res, KEY_OOB_GID)) - buf_cur += sprintf(buf_cur, "GID=%u ", + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "GID=%u ", ikey_get_u32(&res[KEY_OOB_GID])); if (pp_is_valid(res, KEY_OOB_MARK)) - buf_cur += sprintf(buf_cur, "MARK=%x ", + buf_cur += snprintf(buf_cur, end_buf - buf_cur, "MARK=%x ", ikey_get_u32(&res[KEY_OOB_MARK])); strcat(buf_cur, "\n"); -- 1.6.1 ^ permalink raw reply related [flat|nested] 15+ messages in thread
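Review bot: In printpkt_ipv4 every `buf_cur += snprintf(buf_cur, end_buf - buf_cur, ...)` adds the return value without checking it, so after the first truncated field buf_cur lies past end_buf. The next `end_buf - buf_cur` is then negative and converts to a very large size_t, which removes the bound the patch is meant to add. Check the result before advancing: treat a negative value as an error and a value greater than or equal to the remaining space as truncation, then stop or clamp buf_cur. The same applies to the value added from printpkt_proto().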
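Review bot: In the ICMP branch of printpkt_ipv4 (hunk at -239), the inner `switch (ikey_get_u8(&res[KEY_ICMP_CODE]))` compares the code field against type constants (ICMP_ECHO, ICMP_ECHOREPLY, ICMP_PARAMETERPROB, ICMP_REDIRECT, ICMP_DEST_UNREACH), whereas printpkt_ipv6 switches on KEY_ICMPV6_TYPE. The switch itself is a context line, but every case body under it is rewritten here, so this is a good place to switch on KEY_ICMP_TYPE instead. The statement `paddr = ikey_get_u32(&res[KEY_ICMP_GATEWAY]),` in the same hunk ends in a comma where a semicolon is intended.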
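Review bot: In printpkt_ipv6 (hunk at -328) the call `printpkt_proto(res, buf_cur, bufsiz, ...)` passes the full bufsiz although buf_cur has already advanced past the address and header fields, so printpkt_proto computes an end_buf beyond the real end of the buffer. Pass `end_buf - buf_cur`, as the matching call in printpkt_ipv4 does.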
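Review bot: In printpkt_print (hunk at -408) the first call, `snprintf(buf_cur, bufsiz, "%s ", ...)`, is bounded by bufsiz rather than `end_buf - buf_cur`, so a long prefix can consume the byte that `end_buf = buf + bufsiz - 1` sets aside for the end of line. Use `end_buf - buf_cur` there too. In printpkt_bridge the ETH_P_IP case passes bufsiz while the other cases pass `end_buf - buf_cur`; the values are equal at that point, but using one expression in all cases makes the bound easier to verify.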
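Review bot: The closing `strcat(buf_cur, "\n")` in printpkt_print (last hunk) stays unbounded and assumes buf_cur points at the string terminator. That only holds when no earlier snprintf was truncated; after a truncation buf_cur is past the terminator and possibly past the buffer, so the newline does not land in the reserved byte. Once the return values are checked, write the newline at the clamped position or replace strcat with a bounded write.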
* Re: [PATCH 6/6] ulogd: use snprintf instead of sprintf in printpkt 2010-09-22 0:47 ` [PATCH 6/6] ulogd: use snprintf instead of sprintf in printpkt Eric Leblond @ 2010-09-30 9:48 ` Pablo Neira Ayuso 0 siblings, 0 replies; 15+ messages in thread From: Pablo Neira Ayuso @ 2010-09-30 9:48 UTC (permalink / raw) To: Eric Leblond; +Cc: netfilter-devel Hi Eric, On 22/09/10 02:47, Eric Leblond wrote: > diff --git a/util/printpkt.c b/util/printpkt.c > index 5250792..a800555 100644 > --- a/util/printpkt.c > +++ b/util/printpkt.c > @@ -106,91 +106,93 @@ struct ulogd_key printpkt_keys[] = { > [KEY_SCTP_DPORT] = { .name = "sctp.dport", }, > }; > > -static int printpkt_proto(struct ulogd_key *res, char *buf, int protocol) > +static int printpkt_proto(struct ulogd_key *res, char *buf, size_t bufsiz, int protocol) > { > char *buf_cur = buf; > + char *end_buf = buf + bufsiz; > + > > switch (protocol) { > case IPPROTO_TCP: > - buf_cur += sprintf(buf_cur, "PROTO=TCP "); > + buf_cur += snprintf(buf_cur, bufsiz, "PROTO=TCP "); If you have to fix this. snprintf can return -1 in case of error. Moreover, it returns the number of bytes that would have been written if there's space in the buffer. So you have to check if the return value is higher than the remaining space in the buffer. Have a look at the use of snprintf in libnetfilter_queue and libnetfilter_log in nf*snprintf_xml() function for instance. ^ permalink raw reply [flat|nested] 15+ messages in thread
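The return-value check described in the reply above, as an added example that is not code from this thread, from ulogd, or from libnetfilter_queue/libnetfilter_log. `buf_append` and `format_sample` are hypothetical names, and the addresses and field values are constructed sample data.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (an assumption, not ulogd code): append formatted text
 * at offset *off of buf[size]. Returns 0 on success, -1 on error or
 * truncation. *off never passes size - 1, so size - *off cannot wrap. */
static int buf_append(char *buf, size_t size, size_t *off, const char *fmt, ...)
{
    va_list ap;
    size_t rem;
    int ret;

    if (size == 0 || *off >= size)
        return -1;              /* no room left, nothing written */
    rem = size - *off;
    va_start(ap, fmt);
    ret = vsnprintf(buf + *off, rem, fmt, ap);
    va_end(ap);
    if (ret < 0) {              /* output error: keep the string as it was */
        buf[*off] = '\0';
        return -1;
    }
    if ((size_t)ret >= rem) {   /* truncated: ret is the would-be length */
        *off = size - 1;        /* index of the terminating NUL */
        return -1;
    }
    *off += (size_t)ret;
    return 0;
}

/* Format a constructed sample record; returns -1 if the line was truncated. */
static int format_sample(char *buf, size_t size)
{
    size_t off = 0;
    int rc = 0;

    if (size < 2)
        return -1;
    /* Format into size - 1 so one byte stays reserved for the newline. */
    rc |= buf_append(buf, size - 1, &off, "SRC=%s ", "192.0.2.1");
    rc |= buf_append(buf, size - 1, &off, "DST=%s ", "198.51.100.7");
    rc |= buf_append(buf, size - 1, &off, "LEN=%u TTL=%u ", 84u, 64u);
    buf[off] = '\n';            /* off <= size - 2, so both writes fit */
    buf[off + 1] = '\0';
    return rc ? -1 : 0;
}

int main(void)
{
    char small[16], big[64];
    int rs = format_sample(small, sizeof(small));
    int rb = format_sample(big, sizeof(big));
    printf("%d %zu | %d %zu\n", rs, strlen(small), rb, strlen(big));
    return 0;
}
```

Working with an offset instead of a moving pointer keeps the remaining-space computation in unsigned arithmetic that is checked before every call.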