DeforaNetworks/fwknop
DeforaNetworks/fwknop
3
0
Fork 0
Code Releases Activity

Merge pull request #282 from DeforaNetworks/khorben/execvp

Browse Source 
Use execvp() instead of execvpe()
This commit is contained in:
Michael Rash 2018-08-08 17:05:55 -07:00 committed by GitHub
commit 71b8f22402
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 50 additions and 50 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
client/http_resolve_host.c
View File

@ -328,8 +328,8 @@ resolve_ip_https(fko_cli_options_t *options)
struct url url; /* for validation only */ struct url url; /* for validation only */
char wget_ssl_cmd[MAX_URL_PATH_LEN] = {0}; /* for verbose logging only */ char wget_ssl_cmd[MAX_URL_PATH_LEN] = {0}; /* for verbose logging only */
#if HAVE_EXECVPE #if HAVE_EXECVP
char *wget_argv[MAX_CMDLINE_ARGS]; /* for execvpe() */ char *wget_argv[MAX_CMDLINE_ARGS]; /* for execvp() */
int wget_argc=0; int wget_argc=0;
int pipe_fd[2]; int pipe_fd[2];
pid_t pid=0; pid_t pid=0;
@ -339,7 +339,7 @@ resolve_ip_https(fko_cli_options_t *options)
FILE *wget; FILE *wget;
#endif #endif
#if HAVE_EXECVPE #if HAVE_EXECVP
memset(wget_argv, 0x0, sizeof(wget_argv)); memset(wget_argv, 0x0, sizeof(wget_argv));
#endif #endif
memset(&url, 0x0, sizeof(url)); memset(&url, 0x0, sizeof(url));
@ -410,7 +410,7 @@ resolve_ip_https(fko_cli_options_t *options)
return(1); return(1);
#endif #endif
#if HAVE_EXECVPE #if HAVE_EXECVP
if(strtoargv(wget_ssl_cmd, wget_argv, &wget_argc) != 1) if(strtoargv(wget_ssl_cmd, wget_argv, &wget_argc) != 1)
{ {
log_msg(LOG_VERBOSITY_ERROR, "Error converting wget cmd str to argv"); log_msg(LOG_VERBOSITY_ERROR, "Error converting wget cmd str to argv");
@ -434,14 +434,14 @@ resolve_ip_https(fko_cli_options_t *options)
close(pipe_fd[0]); close(pipe_fd[0]);
dup2(pipe_fd[1], STDOUT_FILENO); dup2(pipe_fd[1], STDOUT_FILENO);
dup2(pipe_fd[1], STDERR_FILENO); dup2(pipe_fd[1], STDERR_FILENO);
es = execvpe(wget_argv[0], wget_argv, (char * const *)NULL); /* don't use env */ es = execvp(wget_argv[0], wget_argv);
if(es == -1) if(es == -1)
log_msg(LOG_VERBOSITY_ERROR, log_msg(LOG_VERBOSITY_ERROR,
"[*] resolve_ip_https(): execvpe() failed: %s", "[*] resolve_ip_https(): execvp() failed: %s",
strerror(errno)); strerror(errno));
/* We only make it here if there was a problem with execvpe(), /* We only make it here if there was a problem with execvp(),
* so exit() here either way * so exit() here either way
*/ */
exit(es); exit(es);

16
configure.ac
View File

@ -389,17 +389,17 @@ AC_FUNC_STAT
AC_CHECK_FUNCS([bzero gettimeofday memmove memset socket strchr strcspn strdup strncasecmp strndup strrchr strspn strnlen stat lstat chmod chown strlcat strlcpy]) AC_CHECK_FUNCS([bzero gettimeofday memmove memset socket strchr strcspn strdup strncasecmp strndup strrchr strspn strnlen stat lstat chmod chown strlcat strlcpy])
dnl Decide whether or not to check for the execvpe() function dnl Decide whether or not to check for the execvp() function
dnl dnl
use_execvpe=yes use_execvp=yes
AC_ARG_ENABLE([execvpe], AC_ARG_ENABLE([execvp],
[AS_HELP_STRING([--disable-execvpe], [AS_HELP_STRING([--disable-execvp],
[Do not check for the execvpe() function for command execution @<:@default is on@:>@])], [Do not check for the execvp() function for command execution @<:@default is on@:>@])],
[use_execvpe=$enableval], [use_execvp=$enableval],
[]) [])
if test "x$use_execvpe" = "xyes"; then if test "x$use_execvp" = "xyes"; then
AC_CHECK_FUNCS([execvpe]) AC_CHECK_FUNCS([execvp])
fi fi
AC_SEARCH_LIBS([socket], [socket]) AC_SEARCH_LIBS([socket], [socket])

40
server/extcmd.c
View File

@ -128,10 +128,10 @@ _run_extcmd(uid_t uid, gid_t gid, const char *cmd, char *so_buf,
int line_ctr = 0, found_str = 0, do_break = 0; int line_ctr = 0, found_str = 0, do_break = 0;
int es = 0; int es = 0;
char *argv_new[MAX_CMDLINE_ARGS]; /* for validation and/or execvpe() */ char *argv_new[MAX_CMDLINE_ARGS]; /* for validation and/or execvp() */
int argc_new=0; int argc_new=0;
#if HAVE_EXECVPE #if HAVE_EXECVP
int pipe_fd[2]; int pipe_fd[2];
#endif #endif
@ -143,7 +143,7 @@ _run_extcmd(uid_t uid, gid_t gid, const char *cmd, char *so_buf,
*pid_status = 0; *pid_status = 0;
/* Even without execvpe() we examine the command for basic validity /* Even without execvp() we examine the command for basic validity
* in term of number of args * in term of number of args
*/ */
memset(argv_new, 0x0, sizeof(argv_new)); memset(argv_new, 0x0, sizeof(argv_new));
@ -155,16 +155,16 @@ _run_extcmd(uid_t uid, gid_t gid, const char *cmd, char *so_buf,
return EXTCMD_ARGV_ERROR; return EXTCMD_ARGV_ERROR;
} }
#if !HAVE_EXECVPE #if !HAVE_EXECVP
/* if we are not using execvpe() then free up argv_new unconditionally /* if we are not using execvp() then free up argv_new unconditionally
* since was used only for validation * since was used only for validation
*/ */
free_argv(argv_new, &argc_new); free_argv(argv_new, &argc_new);
#endif #endif
#if HAVE_EXECVPE #if HAVE_EXECVP
if(opts->verbose > 1) if(opts->verbose > 1)
log_msg(LOG_INFO, "run_extcmd() (with execvpe()): running CMD: %s", cmd); log_msg(LOG_INFO, "run_extcmd() (with execvp()): running CMD: %s", cmd);
if(so_buf != NULL || substr_search != NULL) if(so_buf != NULL || substr_search != NULL)
{ {
@ -204,12 +204,12 @@ _run_extcmd(uid_t uid, gid_t gid, const char *cmd, char *so_buf,
/* don't use env /* don't use env
*/ */
es = execvpe(argv_new[0], argv_new, (char * const *)NULL); es = execvp(argv_new[0], argv_new);
if(es == -1) if(es == -1)
log_msg(LOG_ERR, "run_extcmd(): execvpe() failed: %s", strerror(errno)); log_msg(LOG_ERR, "run_extcmd(): execvp() failed: %s", strerror(errno));
/* We only make it here if there was a problem with execvpe(), /* We only make it here if there was a problem with execvp(),
* so exit() here either way to not leave another fwknopd process * so exit() here either way to not leave another fwknopd process
* running after fork(). * running after fork().
*/ */
@ -265,7 +265,7 @@ _run_extcmd(uid_t uid, gid_t gid, const char *cmd, char *so_buf,
#else #else
if(opts->verbose > 1) if(opts->verbose > 1)
log_msg(LOG_INFO, "run_extcmd() (without execvpe()): running CMD: %s", cmd); log_msg(LOG_INFO, "run_extcmd() (without execvp()): running CMD: %s", cmd);
if(so_buf == NULL && substr_search == NULL) if(so_buf == NULL && substr_search == NULL)
{ {
@ -586,10 +586,10 @@ int _run_extcmd_write(const char *cmd, const char *cmd_write, int *pid_status,
const fko_srv_options_t * const opts) const fko_srv_options_t * const opts)
{ {
int retval = EXTCMD_SUCCESS_ALL_OUTPUT; int retval = EXTCMD_SUCCESS_ALL_OUTPUT;
char *argv_new[MAX_CMDLINE_ARGS]; /* for validation and/or execvpe() */ char *argv_new[MAX_CMDLINE_ARGS]; /* for validation and/or execvp() */
int argc_new=0; int argc_new=0;
#if HAVE_EXECVPE #if HAVE_EXECVP
int pipe_fd[2]; int pipe_fd[2];
pid_t pid=0; pid_t pid=0;
#else #else
@ -602,7 +602,7 @@ int _run_extcmd_write(const char *cmd, const char *cmd_write, int *pid_status,
*pid_status = 0; *pid_status = 0;
/* Even without execvpe() we examine the command for basic validity /* Even without execvp() we examine the command for basic validity
* in term of number of args * in term of number of args
*/ */
memset(argv_new, 0x0, sizeof(argv_new)); memset(argv_new, 0x0, sizeof(argv_new));
@ -614,16 +614,16 @@ int _run_extcmd_write(const char *cmd, const char *cmd_write, int *pid_status,
return EXTCMD_ARGV_ERROR; return EXTCMD_ARGV_ERROR;
} }
#if !HAVE_EXECVPE #if !HAVE_EXECVP
/* if we are not using execvpe() then free up argv_new unconditionally /* if we are not using execvp() then free up argv_new unconditionally
* since was used only for validation * since was used only for validation
*/ */
free_argv(argv_new, &argc_new); free_argv(argv_new, &argc_new);
#endif #endif
#if HAVE_EXECVPE #if HAVE_EXECVP
if(opts->verbose > 1) if(opts->verbose > 1)
log_msg(LOG_INFO, "run_extcmd_write() (with execvpe()): running CMD: %s | %s", log_msg(LOG_INFO, "run_extcmd_write() (with execvp()): running CMD: %s | %s",
cmd_write, cmd); cmd_write, cmd);
if(pipe(pipe_fd) < 0) if(pipe(pipe_fd) < 0)
@ -644,7 +644,7 @@ int _run_extcmd_write(const char *cmd, const char *cmd_write, int *pid_status,
/* don't use env /* don't use env
*/ */
execvpe(argv_new[0], argv_new, (char * const *)NULL); execvp(argv_new[0], argv_new);
} }
else if(pid == -1) else if(pid == -1)
{ {
@ -664,7 +664,7 @@ int _run_extcmd_write(const char *cmd, const char *cmd_write, int *pid_status,
#else #else
if(opts->verbose > 1) if(opts->verbose > 1)
log_msg(LOG_INFO, "run_extcmd_write() (without execvpe()): running CMD: %s | %s", log_msg(LOG_INFO, "run_extcmd_write() (without execvp()): running CMD: %s | %s",
cmd_write, cmd); cmd_write, cmd);
if ((fd = popen(cmd, "w")) == NULL) if ((fd = popen(cmd, "w")) == NULL)

4
server/fw_util_firewalld.h
View File

@ -35,8 +35,8 @@
#define FIREWD_CMD_FAIL_STR "COMMAND_FAILED" /* returned by firewall-cmd */ #define FIREWD_CMD_FAIL_STR "COMMAND_FAILED" /* returned by firewall-cmd */
#define FIREWD_CMD_PREFIX "--direct --passthrough ipv4" #define FIREWD_CMD_PREFIX "--direct --passthrough ipv4"
#if HAVE_EXECVPE #if HAVE_EXECVP
#define SH_REDIR "" /* the shell is not used when execvpe() is available */ #define SH_REDIR "" /* the shell is not used when execvp() is available */
#else #else
#define SH_REDIR " 2>&1" #define SH_REDIR " 2>&1"
#endif #endif

4
server/fw_util_iptables.h
View File

@ -32,8 +32,8 @@
#define SNAT_TARGET_BUFSIZE 64 #define SNAT_TARGET_BUFSIZE 64
#if HAVE_EXECVPE #if HAVE_EXECVP
#define SH_REDIR "" /* the shell is not used when execvpe() is available */ #define SH_REDIR "" /* the shell is not used when execvp() is available */
#else #else
#define SH_REDIR " 2>&1" #define SH_REDIR " 2>&1"
#endif #endif

6
server/fw_util_pf.h
View File

@ -33,8 +33,8 @@
#define MAX_PF_ANCHOR_SEARCH_LEN (MAX_PF_ANCHOR_LEN+11) /* room for 'anchor "' string */ #define MAX_PF_ANCHOR_SEARCH_LEN (MAX_PF_ANCHOR_LEN+11) /* room for 'anchor "' string */
#define MAX_PF_NEW_RULE_LEN 140 #define MAX_PF_NEW_RULE_LEN 140
#if HAVE_EXECVPE #if HAVE_EXECVP
#define SH_REDIR "" /* the shell is not used when execvpe() is available */ #define SH_REDIR "" /* the shell is not used when execvp() is available */
#else #else
#define SH_REDIR " 2>&1" #define SH_REDIR " 2>&1"
#endif #endif
@ -43,7 +43,7 @@
*/ */
#define PF_ADD_RULE_ARGS "pass in quick proto %u from %s to %s port %u keep state label " EXPIRE_COMMENT_PREFIX "%u" #define PF_ADD_RULE_ARGS "pass in quick proto %u from %s to %s port %u keep state label " EXPIRE_COMMENT_PREFIX "%u"
#define PF_WRITE_ANCHOR_RULES_ARGS "-a %s -f -" #define PF_WRITE_ANCHOR_RULES_ARGS "-a %s -f -"
#if HAVE_EXECVPE #if HAVE_EXECVP
#define PF_LIST_ANCHOR_RULES_ARGS "-a %s -s rules" #define PF_LIST_ANCHOR_RULES_ARGS "-a %s -s rules"
#else #else
#define PF_LIST_ANCHOR_RULES_ARGS "-a %s -s rules 2> /dev/null" #define PF_LIST_ANCHOR_RULES_ARGS "-a %s -s rules 2> /dev/null"

4
test/test-fwknop.pl
View File

@ -2103,14 +2103,14 @@ sub configure_args_restore_orig() {
return $rv; return $rv;
} }
sub configure_args_disable_execvpe() { sub configure_args_disable_execvp() {
my $rv = 1; my $rv = 1;
my $curr_pwd = cwd() or die $!; my $curr_pwd = cwd() or die $!;
chdir '..' or die $!; chdir '..' or die $!;
unless (&config_recompile('./extras/apparmor/configure_args.sh --disable-execvpe')) { unless (&config_recompile('./extras/apparmor/configure_args.sh --disable-execvp')) {
&write_test_file("[-] configure/recompile failure.\n", &write_test_file("[-] configure/recompile failure.\n",
"test/$curr_test_file"); "test/$curr_test_file");
chdir $curr_pwd or die $!; chdir $curr_pwd or die $!;

12
test/tests/configure_args.pl
View File

@ -46,12 +46,12 @@
'fw_rule_created' => $REQUIRE_NO_NEW_RULE, 'fw_rule_created' => $REQUIRE_NO_NEW_RULE,
}, },
### disable execvpe() usage ### disable execvp() usage
{ {
'category' => 'configure args', 'category' => 'configure args',
'subcategory' => 'compile', 'subcategory' => 'compile',
'detail' => '--disable-execvpe check', 'detail' => '--disable-execvp check',
'function' => \&configure_args_disable_execvpe, 'function' => \&configure_args_disable_execvp,
}, },
{ {
'category' => 'configure args', 'category' => 'configure args',
@ -64,7 +64,7 @@
'fw_rule_created' => $NEW_RULE_REQUIRED, 'fw_rule_created' => $NEW_RULE_REQUIRED,
'fw_rule_removed' => $NEW_RULE_REMOVED, 'fw_rule_removed' => $NEW_RULE_REMOVED,
'key_file' => $cf{'rc_hmac_b64_key'}, 'key_file' => $cf{'rc_hmac_b64_key'},
'server_positive_output_matches' => [qr/without execvpe/], 'server_positive_output_matches' => [qr/without execvp/],
}, },
{ {
'category' => 'configure args', 'category' => 'configure args',
@ -77,7 +77,7 @@
'fw_rule_created' => $NEW_RULE_REQUIRED, 'fw_rule_created' => $NEW_RULE_REQUIRED,
'fw_rule_removed' => $NEW_RULE_REMOVED, 'fw_rule_removed' => $NEW_RULE_REMOVED,
'key_file' => $cf{'rc_hmac_b64_key'}, 'key_file' => $cf{'rc_hmac_b64_key'},
'server_positive_output_matches' => [qr/without execvpe/], 'server_positive_output_matches' => [qr/without execvp/],
'client_cycles_per_server_instance' => 3, 'client_cycles_per_server_instance' => 3,
}, },
@ -92,7 +92,7 @@
'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'def'} -a $cf{'hmac_cmd_access'} " . 'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'def'} -a $cf{'hmac_cmd_access'} " .
"-d $default_digest_file -p $default_pid_file $intf_str", "-d $default_digest_file -p $default_pid_file $intf_str",
'fw_rule_created' => $REQUIRE_NO_NEW_RULE, 'fw_rule_created' => $REQUIRE_NO_NEW_RULE,
'server_positive_output_matches' => [qr/without execvpe/], 'server_positive_output_matches' => [qr/without execvp/],
}, },
### restore original ./configure args to be prepared to run ### restore original ./configure args to be prepared to run