From 52462e7dbaa8b525f986f43524549ead36e09325 Mon Sep 17 00:00:00 2001 From: Michael Rash Date: Tue, 21 May 2013 22:00:15 -0400 Subject: [PATCH] Use {0} initializer for all stack allocated char arrays Lots of places in the code were already using {0} to initialize stack char arrays, but memset() was being used as well. This commit removes all unnecessary memset() calls against char arrays that are already initialized via {0} (which sets all members to zero for such arrays). --- client/config_init.c | 54 +++++++++++++++++--------------------- client/fwknop.c | 25 ++++++------------ client/getpasswd.c | 2 -- client/http_resolve_host.c | 2 +- client/spa_comm.c | 6 ++--- lib/cipher_funcs.c | 13 +++------ lib/fko_hmac.c | 2 -- lib/hmac.c | 13 --------- server/access.c | 18 ++++++------- server/config_init.c | 4 +-- server/extcmd.c | 2 +- server/fw_util_ipf.c | 4 +-- server/fw_util_ipfw.c | 4 +-- server/fw_util_iptables.c | 14 +++++----- server/fw_util_pf.c | 10 +++---- server/fwknopd_common.h | 9 ++++--- server/incoming_spa.c | 2 +- server/replay_cache.c | 6 ++--- server/tcp_server.c | 2 +- server/utils.c | 3 +-- 20 files changed, 79 insertions(+), 116 deletions(-) diff --git a/client/config_init.c b/client/config_init.c index 23ff3972..d9a1c3b8 100644 --- a/client/config_init.c +++ b/client/config_init.c @@ -278,12 +278,11 @@ static int is_rc_section(const char* line, uint16_t line_size, char* rc_section, uint16_t rc_section_size) { char *ndx, *emark; - char buf[MAX_LINE_LEN]; + char buf[MAX_LINE_LEN] = {0}; int section_found = 0; if (line_size < sizeof(buf)) { - memset (buf, 0, sizeof(buf)); strlcpy(buf, line, sizeof(buf)); ndx = buf; @@ -426,7 +425,7 @@ parse_time_offset(const char *offset_str) int os_len = strlen(offset_str); int is_err; - char offset_digits[MAX_TIME_STR_LEN]; + char offset_digits[MAX_TIME_STR_LEN] = {0}; j=0; for (i=0; i < os_len; i++) { @@ -866,7 +865,7 @@ parse_rc_param(fko_cli_options_t *options, const char *var, char * val) static void add_single_var_to_rc(FILE* fhandle, uint16_t arg_ndx, fko_cli_options_t *options) { - char val[MAX_LINE_LEN] = {0}; + char val[MAX_LINE_LEN] = {0}; if (arg_ndx >= FWKNOP_CLI_ARG_NB) return; @@ -874,10 +873,7 @@ add_single_var_to_rc(FILE* fhandle, uint16_t arg_ndx, fko_cli_options_t *options if (fhandle == NULL) return; - /* Zero the val buffer */ - memset(val, 0, sizeof(val)); - - /* Selecty the argument to add and store its string value into val */ + /* Select the argument to add and store its string value into val */ switch (arg_ndx) { case FWKNOP_CLI_ARG_DIGEST_TYPE : @@ -1033,8 +1029,8 @@ process_rc_section(char *section_name, fko_cli_options_t *options) { FILE *rc; int line_num = 0, do_exit = 0; - char line[MAX_LINE_LEN]; - char rcfile[MAX_PATH_LEN]; + char line[MAX_LINE_LEN] = {0}; + char rcfile[MAX_PATH_LEN] = {0}; char curr_stanza[MAX_LINE_LEN] = {0}; rc_file_param_t param; int rc_section_found = 0; @@ -1131,16 +1127,13 @@ update_rc(fko_cli_options_t *options, uint32_t args_bitmask) int rcfile_fd = -1; int stanza_found = 0; int stanza_updated = 0; - char line[MAX_LINE_LEN]; - char rcfile[MAX_PATH_LEN]; - char rcfile_update[MAX_PATH_LEN]; - char curr_stanza[MAX_LINE_LEN] = {0}; + char line[MAX_LINE_LEN] = {0}; + char rcfile[MAX_PATH_LEN] = {0}; + char rcfile_update[MAX_PATH_LEN] = {0}; + char curr_stanza[MAX_LINE_LEN] = {0}; uint32_t var_bm = 0; /* Bitmask associated to a conf. variable */ rc_file_param_t param; /* Structure to contain a conf. variable name with its value */ - memset(rcfile, 0, MAX_PATH_LEN); - memset(rcfile_update, 0, MAX_PATH_LEN); - set_rc_file(rcfile, options); strlcpy(rcfile_update, rcfile, sizeof(rcfile_update)); @@ -1821,23 +1814,24 @@ usage(void) MY_NAME, MY_VERSION, MY_DESC, HTTP_RESOLVE_HOST); log_msg(LOG_VERBOSITY_NORMAL, "Usage: fwknop -A [-s|-R|-a] -D [options]\n\n" - " -h, --help Print this usage message and exit.\n" - " -A, --access Provide a list of ports/protocols to open\n" - " on the server.\n" - " -B, --save-packet Save the generated packet data to the\n" - " specified file.\n" - " -b, --save-packet-append Append the generated packet data to the\n" - " file specified with the -B option.\n" - " -a, --allow-ip Specify IP address to allow within the SPA\n" - " packet.\n" - " -C, --server-cmd Specify a command that the fwknop server will\n" - " execute on behalf of the fwknop client..\n" - " -D, --destination Specify the IP address of the fwknop server.\n" - " -n, --named-config Specify an named configuration stanza in the\n" + " -n, --named-config Specify a named configuration stanza in the\n" " '$HOME/.fwknoprc' file to provide some of all\n" " of the configuration parameters.\n" " If more arguments are set through the command\n" " line, the configuration is updated accordingly\n" + " -A, --access Provide a list of ports/protocols to open\n" + " on the server (e.g. 'tcp/22').\n" + " -a, --allow-ip Specify IP address to allow within the SPA\n" + " packet (e.g. '123.2.3.4'). If \n" + " -D, --destination Specify the hostname or IP address of the\n" + " fwknop server.\n" + " -h, --help Print this usage message and exit.\n" + " -B, --save-packet Save the generated packet data to the\n" + " specified file.\n" + " -b, --save-packet-append Append the generated packet data to the\n" + " file specified with the -B option.\n" + " -C, --server-cmd Specify a command that the fwknop server will\n" + " execute on behalf of the fwknop client..\n" " -N, --nat-access Gain NAT access to an internal service.\n" " -p, --server-port Set the destination port for outgoing SPA\n" " packet.\n" diff --git a/client/fwknop.c b/client/fwknop.c index 0a74beb3..3d5da850 100644 --- a/client/fwknop.c +++ b/client/fwknop.c @@ -129,12 +129,11 @@ is_ipv6_str(char *str) static int is_hostname_str_with_port(const char *str, char *hostname, size_t hostname_bufsize, int *port) { - int valid = 0; /* Result of the function */ - char buf[MAX_LINE_LEN]; /* Copy of the buffer eg. "hostname,port" */ - char *h; /* Pointer on the hostname string */ - char *p; /* Ponter on the port string */ + int valid = 0; /* Result of the function */ + char buf[MAX_LINE_LEN] = {0}; /* Copy of the buffer eg. "hostname,port" */ + char *h; /* Pointer on the hostname string */ + char *p; /* Ponter on the port string */ - memset(buf, 0, sizeof(buf)); memset(hostname, 0, hostname_bufsize); *port = 0; @@ -185,10 +184,6 @@ main(int argc, char **argv) fko_cli_options_t options; - memset(key, 0x00, MAX_KEY_LEN+1); - memset(hmac_key, 0x00, MAX_KEY_LEN+1); - memset(access_buf, 0x00, MAX_LINE_LEN); - /* Initialize the log module */ log_new(); @@ -659,7 +654,7 @@ static int get_rand_port(fko_ctx_t ctx) { char *rand_val = NULL; - char port_str[MAX_PORT_STR_LEN+1]; + char port_str[MAX_PORT_STR_LEN+1] = {0}; int tmpint, is_err; int port = 0; int res = 0; @@ -742,8 +737,6 @@ set_access_buf(fko_ctx_t ctx, fko_cli_options_t *options, char *access_buf) char *ndx = NULL, tmp_nat_port[MAX_PORT_STR_LEN+1] = {0}; int nat_port = 0; - memset(tmp_nat_port, 0x0, MAX_PORT_STR_LEN+1); - if(options->access_str[0] != 0x0) { if (options->nat_rand_port) @@ -812,15 +805,13 @@ static int set_nat_access(fko_ctx_t ctx, fko_cli_options_t *options, const char * const access_buf) { char nat_access_buf[MAX_LINE_LEN] = {0}; - char tmp_access_port[MAX_PORT_STR_LEN+1], *ndx = NULL; + char tmp_access_port[MAX_PORT_STR_LEN+1] = {0}, *ndx = NULL; int access_port = 0, i = 0, is_err = 0; char dst_ip_str[INET_ADDRSTRLEN] = {0}; char hostname[HOSTNAME_BUFSIZE] = {0}; int port = 0; struct addrinfo hints; - memset(nat_access_buf, 0x0, MAX_LINE_LEN); - memset(tmp_access_port, 0x0, MAX_PORT_STR_LEN+1); memset(&hints, 0 , sizeof(hints)); ndx = strchr(options->access_str, '/'); @@ -938,7 +929,7 @@ prev_exec(fko_cli_options_t *options, int argc, char **argv) static void show_last_command(const char * const args_save_file) { - char args_str[MAX_LINE_LEN] = ""; + char args_str[MAX_LINE_LEN] = {0}; FILE *args_file_ptr = NULL; verify_file_perms_ownership(args_save_file); @@ -1058,7 +1049,7 @@ get_save_file(char *args_save_file) static void save_args(int argc, char **argv, const char * const args_save_file) { - char args_str[MAX_LINE_LEN] = ""; + char args_str[MAX_LINE_LEN] = {0}; int i = 0, args_str_len = 0, args_file_fd = -1; args_file_fd = open(args_save_file, O_WRONLY|O_CREAT, S_IRUSR|S_IWUSR); diff --git a/client/getpasswd.c b/client/getpasswd.c index 81e9a5ac..118a9461 100644 --- a/client/getpasswd.c +++ b/client/getpasswd.c @@ -175,8 +175,6 @@ get_key_file(char *key, int *key_len, const char *key_file, char *lptr; memset(key, 0x00, MAX_KEY_LEN+1); - memset(conf_line_buf, 0x00, MAX_LINE_LEN); - memset(tmp_char_buf, 0x00, MAX_LINE_LEN); if ((pwfile_ptr = fopen(key_file, "r")) == NULL) { diff --git a/client/http_resolve_host.c b/client/http_resolve_host.c index 45c01abf..38360692 100644 --- a/client/http_resolve_host.c +++ b/client/http_resolve_host.c @@ -58,7 +58,7 @@ try_url(struct url *url, fko_cli_options_t *options) int bytes_read = 0, position = 0; int o1, o2, o3, o4; struct addrinfo *result, *rp, hints; - char http_buf[HTTP_MAX_REQUEST_LEN]; + char http_buf[HTTP_MAX_REQUEST_LEN] = {0}; char http_response[HTTP_MAX_RESPONSE_LEN] = {0}; char *ndx; diff --git a/client/spa_comm.c b/client/spa_comm.c index 22384c19..27194543 100644 --- a/client/spa_comm.c +++ b/client/spa_comm.c @@ -35,7 +35,7 @@ static void dump_transmit_options(const fko_cli_options_t *options) { - char proto_str[PROTOCOL_BUFSIZE]; /* Protocol string */ + char proto_str[PROTOCOL_BUFSIZE] = {0}; /* Protocol string */ proto_inttostr(options->spa_proto, proto_str, sizeof(proto_str)); @@ -89,7 +89,7 @@ send_spa_packet_tcp_or_udp(const char *spa_data, const int sd_len, { int sock, res=0, error; struct addrinfo *result, *rp, hints; - char port_str[MAX_PORT_STR_LEN+1]; + char port_str[MAX_PORT_STR_LEN+1] = {0}; if (options->test) { @@ -495,7 +495,7 @@ static int send_spa_packet_http(const char *spa_data, const int sd_len, fko_cli_options_t *options) { - char http_buf[HTTP_MAX_REQUEST_LEN], *spa_data_copy = NULL; + char http_buf[HTTP_MAX_REQUEST_LEN] = {0}, *spa_data_copy = NULL; char *ndx = options->http_proxy; int i, proxy_port = 0, is_err; diff --git a/lib/cipher_funcs.c b/lib/cipher_funcs.c index 2d3c1f51..fed6216a 100644 --- a/lib/cipher_funcs.c +++ b/lib/cipher_funcs.c @@ -118,19 +118,14 @@ static void rij_salt_and_iv(RIJNDAEL_context *ctx, const char *key, const int key_len, const unsigned char *data, const int mode_flag) { - char pw_buf[RIJNDAEL_MAX_KEYSIZE]; - unsigned char tmp_buf[MD5_DIGEST_LEN+RIJNDAEL_MAX_KEYSIZE+RIJNDAEL_BLOCKSIZE]; - unsigned char kiv_buf[RIJNDAEL_MAX_KEYSIZE+RIJNDAEL_BLOCKSIZE]; /* Key and IV buffer */ - unsigned char md5_buf[MD5_DIGEST_LEN]; /* Buffer for computed md5 hash */ + char pw_buf[RIJNDAEL_MAX_KEYSIZE] = {0}; + unsigned char tmp_buf[MD5_DIGEST_LEN+RIJNDAEL_MAX_KEYSIZE+RIJNDAEL_BLOCKSIZE] = {0}; + unsigned char kiv_buf[RIJNDAEL_MAX_KEYSIZE+RIJNDAEL_BLOCKSIZE] = {0}; /* Key and IV buffer */ + unsigned char md5_buf[MD5_DIGEST_LEN] = {0}; /* Buffer for computed md5 hash */ int final_key_len = 0; size_t kiv_len = 0; - memset(pw_buf, 0x00, RIJNDAEL_MAX_KEYSIZE); - memset(tmp_buf, 0x00, MD5_DIGEST_LEN+RIJNDAEL_MAX_KEYSIZE+RIJNDAEL_BLOCKSIZE); - memset(kiv_buf, 0x00, RIJNDAEL_MAX_KEYSIZE+RIJNDAEL_BLOCKSIZE); - memset(md5_buf, 0x00, MD5_DIGEST_LEN); - if(mode_flag == FKO_ENC_MODE_CBC_LEGACY_IV) { /* Pad the pw with '0' chars up to the minimum Rijndael key size. diff --git a/lib/fko_hmac.c b/lib/fko_hmac.c index b1d9d53c..e3664cb8 100644 --- a/lib/fko_hmac.c +++ b/lib/fko_hmac.c @@ -209,8 +209,6 @@ int fko_set_spa_hmac(fko_ctx_t ctx, if(hmac_key_len > MAX_DIGEST_BLOCK_LEN) return(FKO_ERROR_INVALID_HMAC_KEY_LEN); - memset(hmac, 0x00, SHA512_DIGEST_STR_LEN); - if(ctx->hmac_type == FKO_HMAC_MD5) { hmac_md5(ctx->encrypted_msg, diff --git a/lib/hmac.c b/lib/hmac.c index 259fe05a..5963978d 100644 --- a/lib/hmac.c +++ b/lib/hmac.c @@ -103,9 +103,6 @@ hmac_md5_init(hmac_md5_ctx *ctx, const char *key, const int key_len) unsigned char init_key[MAX_DIGEST_BLOCK_LEN] = {0}; int final_len = key_len; - memset(final_key, 0x00, MAX_DIGEST_BLOCK_LEN); - memset(init_key, 0x00, MAX_DIGEST_BLOCK_LEN); - if(key_len > MAX_DIGEST_BLOCK_LEN) final_len = MAX_DIGEST_BLOCK_LEN; @@ -177,9 +174,6 @@ hmac_sha1_init(hmac_sha1_ctx *ctx, const char *key, const int key_len) unsigned char init_key[MAX_DIGEST_BLOCK_LEN] = {0}; int final_len = key_len; - memset(final_key, 0x00, MAX_DIGEST_BLOCK_LEN); - memset(init_key, 0x00, MAX_DIGEST_BLOCK_LEN); - if(key_len > MAX_DIGEST_BLOCK_LEN) final_len = MAX_DIGEST_BLOCK_LEN; @@ -251,9 +245,6 @@ hmac_sha256_init(hmac_sha256_ctx *ctx, const char *key, const int key_len) unsigned char init_key[MAX_DIGEST_BLOCK_LEN] = {0}; int final_len = key_len; - memset(final_key, 0x00, MAX_DIGEST_BLOCK_LEN); - memset(init_key, 0x00, MAX_DIGEST_BLOCK_LEN); - if(key_len > MAX_DIGEST_BLOCK_LEN) final_len = MAX_DIGEST_BLOCK_LEN; @@ -324,8 +315,6 @@ hmac_sha384_init(hmac_sha384_ctx *ctx, const char *key, const int key_len) unsigned char final_key[MAX_DIGEST_BLOCK_LEN] = {0}; int final_len = key_len; - memset(final_key, 0x00, MAX_DIGEST_BLOCK_LEN); - if(key_len > MAX_DIGEST_BLOCK_LEN) final_len = MAX_DIGEST_BLOCK_LEN; @@ -388,8 +377,6 @@ hmac_sha512_init(hmac_sha512_ctx *ctx, const char *key, const int key_len) unsigned char final_key[MAX_DIGEST_BLOCK_LEN] = {0}; int final_len = key_len; - memset(final_key, 0x00, MAX_DIGEST_BLOCK_LEN); - if(key_len > MAX_DIGEST_BLOCK_LEN) final_len = MAX_DIGEST_BLOCK_LEN; diff --git a/server/access.c b/server/access.c index 30408633..024cc9b4 100644 --- a/server/access.c +++ b/server/access.c @@ -300,7 +300,7 @@ static int expand_acc_source(fko_srv_options_t *opts, acc_stanza_t *acc) { char *ndx, *start; - char buf[ACCESS_BUF_LEN]; + char buf[ACCESS_BUF_LEN] = {0}; int res = 1; start = acc->source; @@ -346,7 +346,7 @@ static int parse_proto_and_port(char *pstr, int *proto, int *port) { char *ndx; - char proto_str[ACCESS_BUF_LEN]; + char proto_str[ACCESS_BUF_LEN] = {0}; int is_err; /* Parse the string into its components. @@ -493,7 +493,7 @@ int expand_acc_port_list(acc_port_list_t **plist, char *plist_str) { char *ndx, *start; - char buf[ACCESS_BUF_LEN]; + char buf[ACCESS_BUF_LEN] = {0}; start = plist_str; @@ -540,7 +540,7 @@ static int expand_acc_string_list(acc_string_list_t **stlist, char *stlist_str) { char *ndx, *start; - char buf[1024]; + char buf[MAX_LINE_LEN] = {0}; start = stlist_str; @@ -553,7 +553,7 @@ expand_acc_string_list(acc_string_list_t **stlist, char *stlist_str) while(isspace(*start)) start++; - if(((ndx-start)+1) >= 1024) + if(((ndx-start)+1) >= MAX_LINE_LEN) return 0; strlcpy(buf, start, (ndx-start)+1); @@ -567,7 +567,7 @@ expand_acc_string_list(acc_string_list_t **stlist, char *stlist_str) while(isspace(*start)) start++; - if(((ndx-start)+1) >= 1024) + if(((ndx-start)+1) >= MAX_LINE_LEN) return 0; strlcpy(buf, start, (ndx-start)+1); @@ -914,8 +914,8 @@ parse_access_file(fko_srv_options_t *opts) unsigned int num_lines = 0; char access_line_buf[MAX_LINE_LEN] = {0}; - char var[MAX_LINE_LEN] = {0}; - char val[MAX_LINE_LEN] = {0}; + char var[MAX_LINE_LEN] = {0}; + char val[MAX_LINE_LEN] = {0}; struct passwd *pw; struct stat st; @@ -1370,7 +1370,7 @@ acc_check_port_access(acc_stanza_t *acc, char *port_str) { int res = 1, ctr = 0; - char buf[ACCESS_BUF_LEN]; + char buf[ACCESS_BUF_LEN] = {0}; char *ndx, *start; acc_port_list_t *o_pl = acc->oport_list; diff --git a/server/config_init.c b/server/config_init.c index b51e85ec..e3a14f06 100644 --- a/server/config_init.c +++ b/server/config_init.c @@ -298,7 +298,7 @@ parse_config_file(fko_srv_options_t *opts, const char *config_file) static void validate_options(fko_srv_options_t *opts) { - char tmp_path[MAX_PATH_LEN]; + char tmp_path[MAX_PATH_LEN] = {0}; /* If no conf dir is set in the config file, use the default. */ @@ -650,7 +650,7 @@ config_init(fko_srv_options_t *opts, int argc, char **argv) int cmd_arg, index, is_err; unsigned char got_conf_file = 0, got_override_config = 0; - char override_file[MAX_LINE_LEN]; + char override_file[MAX_LINE_LEN] = {0}; char *ndx, *cmrk; /* Zero out options and opts_track. diff --git a/server/extcmd.c b/server/extcmd.c index 0cb49b4f..ffb72f8c 100644 --- a/server/extcmd.c +++ b/server/extcmd.c @@ -94,7 +94,7 @@ _run_extcmd(uid_t user_uid, const char *cmd, char *so_buf, const size_t so_buf_s { FILE *ipt; int retval = 0; - char so_read_buf[IO_READ_BUF_LEN]; + char so_read_buf[IO_READ_BUF_LEN] = {0}; pid_t pid; int res; diff --git a/server/fw_util_ipf.c b/server/fw_util_ipf.c index 9e8c7831..fe621e1c 100644 --- a/server/fw_util_ipf.c +++ b/server/fw_util_ipf.c @@ -152,8 +152,8 @@ check_firewall_rules(const fko_srv_options_t *opts) /* TODO: Implement me */ - char exp_str[12]; - char rule_num_str[6]; + char exp_str[12] = {0}; + char rule_num_str[6] = {0}; char *ndx, *rn_start, *rn_end, *tmp_mark; int i, res, rn_offset; diff --git a/server/fw_util_ipfw.c b/server/fw_util_ipfw.c index 5f893ccc..5344793f 100644 --- a/server/fw_util_ipfw.c +++ b/server/fw_util_ipfw.c @@ -592,8 +592,8 @@ process_spa_request(const fko_srv_options_t * const opts, void check_firewall_rules(const fko_srv_options_t * const opts) { - char exp_str[12]; - char rule_num_str[6]; + char exp_str[12] = {0}; + char rule_num_str[6] = {0}; char *ndx, *rn_start, *rn_end, *tmp_mark; int i=0, res=0, is_err; diff --git a/server/fw_util_iptables.c b/server/fw_util_iptables.c index 9afd0d19..e5537bf9 100644 --- a/server/fw_util_iptables.c +++ b/server/fw_util_iptables.c @@ -191,8 +191,8 @@ static int jump_rule_exists(const fko_srv_options_t * const opts, const int chain_num) { int num, pos = 0; - char cmd_buf[CMD_BUFSIZE] = {0}; - char target[CMD_BUFSIZE] = {0}; + char cmd_buf[CMD_BUFSIZE] = {0}; + char target[CMD_BUFSIZE] = {0}; char line_buf[CMD_BUFSIZE] = {0}; FILE *ipt; @@ -459,8 +459,8 @@ static void set_fw_chain_conf(const int type, const char * const conf_str) { int i, j, is_err; - char tbuf[1024] = {0}; - const char *ndx = conf_str; + char tbuf[MAX_LINE_LEN] = {0}; + const char *ndx = conf_str; char *chain_fields[FW_NUM_CHAIN_FIELDS]; @@ -713,8 +713,8 @@ process_spa_request(const fko_srv_options_t * const opts, { char nat_ip[MAX_IPV4_STR_LEN] = {0}; char snat_target[SNAT_TARGET_BUFSIZE] = {0}; + char rule_buf[CMD_BUFSIZE] = {0}; char *ndx; - char rule_buf[CMD_BUFSIZE]; unsigned int nat_port = 0; @@ -1076,8 +1076,8 @@ process_spa_request(const fko_srv_options_t * const opts, void check_firewall_rules(const fko_srv_options_t * const opts) { - char exp_str[12]; - char rule_num_str[6]; + char exp_str[12] = {0}; + char rule_num_str[6] = {0}; char *ndx, *rn_start, *rn_end, *tmp_mark; int i, res, rn_offset, rule_num, is_err; diff --git a/server/fw_util_pf.c b/server/fw_util_pf.c index e59f888a..67c22d75 100644 --- a/server/fw_util_pf.c +++ b/server/fw_util_pf.c @@ -194,8 +194,8 @@ int process_spa_request(const fko_srv_options_t * const opts, const acc_stanza_t * const acc, spa_data_t * const spadat) { - char new_rule[MAX_PF_NEW_RULE_LEN]; - char write_cmd[CMD_BUFSIZE]; + char new_rule[MAX_PF_NEW_RULE_LEN] = {0}; + char write_cmd[CMD_BUFSIZE] = {0}; FILE *pfctl_fd = NULL; @@ -339,9 +339,9 @@ process_spa_request(const fko_srv_options_t * const opts, void check_firewall_rules(const fko_srv_options_t * const opts) { - char exp_str[12]; - char anchor_rules_copy[STANDARD_CMD_OUT_BUFSIZE]; - char write_cmd[CMD_BUFSIZE]; + char exp_str[12] = {0}; + char anchor_rules_copy[STANDARD_CMD_OUT_BUFSIZE] = {0}; + char write_cmd[CMD_BUFSIZE] = {0}; char *ndx, *tmp_mark, *tmp_ndx, *newline_tmp_ndx; time_t now, rule_exp, min_exp=0; diff --git a/server/fwknopd_common.h b/server/fwknopd_common.h index 2f6a10ad..7ae67f25 100644 --- a/server/fwknopd_common.h +++ b/server/fwknopd_common.h @@ -163,10 +163,11 @@ /* fwknopd-specific limits */ -#define MAX_PCAP_FILTER_LEN 1024 -#define MAX_IFNAME_LEN 128 -#define MAX_SPA_PACKET_LEN 1500 /* --DSS check this? */ -#define MAX_HOSTNAME_LEN 64 +#define MAX_PCAP_FILTER_LEN 1024 +#define MAX_IFNAME_LEN 128 +#define MAX_SPA_PACKET_LEN 1500 /* --DSS check this? */ +#define MAX_HOSTNAME_LEN 64 +#define MAX_DECRYPTED_SPA_LEN 1024 /* The minimum possible valid SPA data size. */ diff --git a/server/incoming_spa.c b/server/incoming_spa.c index 2403360a..58b2cb06 100644 --- a/server/incoming_spa.c +++ b/server/incoming_spa.c @@ -647,7 +647,7 @@ incoming_spa(fko_srv_options_t *opts) break; } - strlcpy(spadat.spa_message_remain, spa_ip_demark+1, 1024); + strlcpy(spadat.spa_message_remain, spa_ip_demark+1, MAX_DECRYPTED_SPA_LEN); /* If use source IP was requested (embedded IP of 0.0.0.0), make sure it * is allowed. diff --git a/server/replay_cache.c b/server/replay_cache.c index 80c17d2e..9dd4f822 100644 --- a/server/replay_cache.c +++ b/server/replay_cache.c @@ -143,10 +143,10 @@ replay_warning(fko_srv_options_t *opts, digest_cache_info_t *digest_info) { char src_ip[INET_ADDRSTRLEN+1] = {0}; char orig_src_ip[INET_ADDRSTRLEN+1] = {0}; - char created[DATE_LEN]; + char created[DATE_LEN] = {0}; #if ! USE_FILE_CACHE - char first[DATE_LEN], last[DATE_LEN]; + char first[DATE_LEN] = {0}, last[DATE_LEN] = {0}; #endif /* Convert the IPs to a human readable form @@ -234,7 +234,7 @@ replay_file_cache_init(fko_srv_options_t *opts) { FILE *digest_file_ptr = NULL; unsigned int num_lines = 0, digest_ctr = 0; - char line_buf[MAX_LINE_LEN] = {0}; + char line_buf[MAX_LINE_LEN] = {0}; char src_ip[INET_ADDRSTRLEN+1] = {0}; char dst_ip[INET_ADDRSTRLEN+1] = {0}; long int time_tmp; diff --git a/server/tcp_server.c b/server/tcp_server.c index d60bff5e..7734253d 100644 --- a/server/tcp_server.c +++ b/server/tcp_server.c @@ -60,7 +60,7 @@ run_tcp_server(fko_srv_options_t *opts) fd_set sfd_set; struct sockaddr_in saddr, caddr; struct timeval tv; - char sipbuf[MAX_IPV4_STR_LEN]; + char sipbuf[MAX_IPV4_STR_LEN] = {0}; unsigned short port; diff --git a/server/utils.c b/server/utils.c index 8422a993..1bb3ecf3 100644 --- a/server/utils.c +++ b/server/utils.c @@ -114,7 +114,7 @@ hex_dump(const unsigned char *data, const int size) char * dump_ctx(fko_ctx_t ctx) { - static char buf[CTX_DUMP_BUFSIZE]; + static char buf[CTX_DUMP_BUFSIZE] = {0}; int cp = 0; size_t bytes_left; @@ -164,7 +164,6 @@ dump_ctx(fko_ctx_t ctx) hmac_digest_inttostr(hmac_type, hmac_str, sizeof(hmac_str)); enc_mode_inttostr(encryption_mode, enc_mode_str, sizeof(enc_mode_str)); - memset(buf, 0x0, sizeof(buf)); bytes_left = sizeof(buf) - 1; cp = append_msg_to_buf(buf, bytes_left, "SPA Field Values:\n=================\n");