Changeset 153

Timestamp:

Jan 11, 2008, 11:47:17 PM (17 years ago)

Author:

katerina

Message:

Use -D_FORTIFY_SOURCE=1 -fstack-protector-all if supported. Compiler warnings fixed.

Location:

trunk

Files:

• aclocal.m4 (modified) (4 diffs)
• configure.ac (modified) (1 diff)
• docs/Changelog (modified) (1 diff)
• src/samhain.c (modified) (3 diffs)
• src/sh_entropy.c (modified) (1 diff)
• src/sh_err_console.c (modified) (3 diffs)
• src/sh_err_log.c (modified) (1 diff)
• src/sh_gpg.c (modified) (1 diff)
• src/sh_hash.c (modified) (6 diffs)
• src/sh_mem.c (modified) (1 diff)
• src/sh_unix.c (modified) (4 diffs)
• src/sh_utmp.c (modified) (2 diffs)

trunk/aclocal.m4

@@ -1121 +1121 @@
       ssp_cv_cc,
       [ssp_old_cflags="$CFLAGS"
-       CFLAGS="$CFLAGS -fstack-protector"
+       CFLAGS="$CFLAGS -fstack-protector-all"
        AC_TRY_COMPILE(,, ssp_cv_cc=yes, ssp_cv_cc=no)
        CFLAGS="$ssp_old_cflags"
       ])
-    if test $ssp_cv_cc = yes; then
-      CFLAGS="$CFLAGS -fstack-protector"
-      AC_DEFINE([ENABLE_SSP_CC], 1, [Define if SSP C support is enabled.])
+    if test $ssp_cv_cc = no; then
+      AC_CACHE_CHECK([whether ${CC} accepts -fstack-protector],
+        ssp_cv_cc,
+        [ssp_old_cflags="$CFLAGS"
+         CFLAGS="$CFLAGS -fstack-protector-all"
+         AC_TRY_COMPILE(,, ssp_cv_cc=yes, ssp_cv_cc=no)
+         CFLAGS="$ssp_old_cflags"
+        ])
+      if test $ssp_cv_cc = yes; then
+        CFLAGS="$CFLAGS -D_FORTIFY_SOURCE=1 -fstack-protector-all"
+        AC_DEFINE([ENABLE_SSP_CC], 1, [Define if SSP C support is enabled.])
+      fi
+    else
+      if test $ssp_cv_cc = yes; then
+        CFLAGS="$CFLAGS -D_FORTIFY_SOURCE=1 -fstack-protector"
+        AC_DEFINE([ENABLE_SSP_CC], 1, [Define if SSP C support is enabled.])
+      fi
     fi
   fi
@@ -1704 +1718 @@
                 AC_MSG_CHECKING([whether pthreads work with $flag])
                 PTHREAD_CFLAGS="$flag"
-                PTHREAD_LDFLAGS="$flag"
                 ;;
 
@@ -1730 +1743 @@
         LIBS="$PTHREAD_LIBS $LIBS"
         CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
-        LDFLAGS="$LDFLAGS $PTHREAD_LDFLAGS"
+        LDFLAGS="$LDFLAGS $PTHREAD_CFLAGS"
 
         # Check for various functions.  We must include pthread.h,
@@ -1758 +1771 @@
         PTHREAD_LIBS=""
         PTHREAD_CFLAGS=""
-        PTHREAD_LDFLAGS=""
 done
 fi

trunk/configure.ac

@@ -875 +875 @@
         CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
         LIBS="$PTHREAD_LIBS $LIBS"
-        LDFLAGS="$PTHREAD_LDFLAGS $LDFLAGS"
+        LDFLAGS="$PTHREAD_CFLAGS $LDFLAGS"
         CC="$PTHREAD_CC"
 fi

trunk/docs/Changelog

@@ -1 +1 @@
 2.4.2:
+        * fix some compiler warnings
+        * use -D_FORTIFY_SOURCE=1 -fstack-protector-all instead
+          of -fstack-protector
+        * always add PTHREAD_CFLAGS to LDFLAGS
         * sh_tiger0.c: checksum functions return length of file hashed,
           needed to fix GrowingLogfile bug (researched by 

trunk/src/samhain.c

@@ -1391 +1391 @@
           my_argv[0] = argv[0]; ++my_argc;  
           command_line[0] = '\0';
-          (void*) fgets (command_line, sizeof(command_line), stdin);
-          command_line[sizeof(command_line)-1] = '\0';
+          if (NULL != fgets (command_line, sizeof(command_line), stdin))
+            command_line[sizeof(command_line)-1] = '\0';
+
           do {
 #if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_STRTOK_R)
@@ -1961 +1962 @@
               (void) sh_dirs_chk  (1);
 #ifndef SH_PROFILE
-              (void) chdir ("/");
+              (void) retry_aud_chdir (FIL__, __LINE__, "/");
 #endif
             }
@@ -1968 +1969 @@
               (void) sh_dirs_chk  (2); 
 #ifndef SH_PROFILE
-              (void) chdir ("/");
+              (void) retry_aud_chdir (FIL__, __LINE__, "/");
 #endif
             }

trunk/src/sh_entropy.c

@@ -618 +618 @@
       }
       
-      freopen (_("/dev/null"), "r+", stderr);
+      if (NULL != freopen (_("/dev/null"), "r+", stderr))
+        {
       
-      /* exec the program */
-      retry_aud_execve (FIL__, __LINE__, _("/bin/sh"), arg, envp);
-      
+          /* exec the program */
+          retry_aud_execve (FIL__, __LINE__, _("/bin/sh"), arg, envp);
+        }
+
       /* failed 
        */

trunk/src/sh_err_console.c

@@ -286 +286 @@
   struct sigaction sa_new, sa_old;
   static int blockMe = 0;
+  int    val_return;
 
   SL_ENTER(_("sh_log_console"));
@@ -315 +316 @@
     {
       len = strlen(errmsg);
-      (void) write(STDERR_FILENO, errmsg, len);
-      (void) write(STDERR_FILENO, "\n", 1);
+      do {
+        val_return = write(STDERR_FILENO, errmsg, len);
+      } while (val_return < 0 && errno == EINTR); 
+      do {
+        val_return = write(STDERR_FILENO, "\n", 1);
+      } while (val_return < 0 && errno == EINTR); 
       /* 
        * fprintf (stderr, "%s\n", errmsg); 
@@ -367 +372 @@
           if (fd[cc] >= 0)
             {
-              (void) write(fd[cc], errmsg, strlen(errmsg));
-              (void) write(fd[cc], "\r\n",              2);
+              do {
+                val_return = write(fd[cc], errmsg, strlen(errmsg));
+              } while (val_return < 0 && errno == EINTR);
+              do {
+                val_return = write(fd[cc], "\r\n",              2);
+              } while (val_return < 0 && errno == EINTR);
               (void) close(fd[cc]);
               service_failure[cc] = 0;

trunk/src/sh_err_log.c

@@ -392 +392 @@
                   (void) fflush(stdout); 
                   key[0] = '\0';
-                  (void) fgets(key, sizeof(key), stdin);
-                  if (key[0] != '\n') 
+                  if (NULL != fgets(key, sizeof(key), stdin))
                     {
-                      if (key[strlen(key) - 1] == '\n')
-                        key[strlen(key) - 1] = '\0';
-                    }
-                  if (key[0] == '/')
-                    {
-                      chk_mode = CHK_FIL;
-                      (void) sl_strlcpy(path, key, KEY_LEN+1); 
-                      break;
+                      if (key[0] != '\n') 
+                        {
+                          if (key[strlen(key) - 1] == '\n')
+                            key[strlen(key) - 1] = '\0';
+                        }
+                      if (key[0] == '/')
+                        {
+                          chk_mode = CHK_FIL;
+                          (void) sl_strlcpy(path, key, KEY_LEN+1); 
+                          break;
+                        }
                     }
                 }

trunk/src/sh_gpg.c

@@ -489 +489 @@
       sh_unix_closeall (3, -1); /* in child process */
 
-      freopen(_("/dev/null"), "r+", stderr); 
+      if (NULL == freopen(_("/dev/null"), "r+", stderr))
+        {
+          dlog(1, FIL__, __LINE__, _("Internal error: freopen failed\n"));
+          aud__exit(FIL__, __LINE__, EXIT_FAILURE);
+        }
 
       /* We should become privileged if SUID,

trunk/src/sh_hash.c

@@ -459 +459 @@
 
  unlock_and_return:
+  ; /* 'label at end of compound statement */
   SH_MUTEX_UNLOCK(mutex_hash);
   return retval;
@@ -1349 +1350 @@
 
  unlock_and_return:
+  ; /* 'label at end of compound statement */
   SH_MUTEX_UNLOCK(mutex_hash);
   SL_RET0(_("sh_hash_init"));
@@ -1377 +1379 @@
 
  unlock_and_exit:
+  ; /* 'label at end of compound statement */
   SH_MUTEX_UNLOCK(mutex_hash);
   SL_RET0(_("sh_hash_hashdelete"));
@@ -1792 +1795 @@
         sl_write_line_fast (pushdata_fd, attr_string, sl_strlen(attr_string));
     } else {
-      fwrite (&p, sizeof(sh_filestore_t), 1, stdout);
-      printf ("%s\n", fullpath);
-      printf ("%s\n", linkpath);
-      if (attr_string)
-        printf ("%s\n", attr_string);
+      if (fwrite (&p, sizeof(sh_filestore_t), 1, stdout))
+        {
+          printf ("%s\n", fullpath);
+          printf ("%s\n", linkpath);
+          if (attr_string)
+            printf ("%s\n", attr_string);
+        }
+      else
+        {
+          perror(_("Error writing database"));
+          aud_exit (FIL__, __LINE__, EXIT_FAILURE);
+        }
     }
 
@@ -2728 +2738 @@
 
   char log_policy[32];
-  int  log_severity;
+  volatile int  log_severity;
   char hashbuf[KEYBUF_SIZE];
 
@@ -3504 +3514 @@
 
  unlock_and_return:
-
+  ; /* 'label at end of compound statement */
   SH_MUTEX_UNLOCK(mutex_hash);
   SL_RETURN(retval, _("sh_hash_compdata"));

trunk/src/sh_mem.c

@@ -260 +260 @@
 void sh_mem_free (void * a, char * file, int line)
 {
-  memlist_t * this   = memlist;
-  memlist_t * before = memlist;
-  unsigned long size = 0;
+  volatile memlist_t * this   = memlist;
+  memlist_t          * before = memlist;
+  unsigned long        size   = 0;
 
   SL_ENTER(_("sh_mem_free"));

trunk/src/sh_unix.c

@@ -411 +411 @@
 #define STDERR_FILENO 2
 #endif
-    write(STDERR_FILENO,  msg, strlen(msg));
-    write(STDERR_FILENO, "\n", 1);
+    int retval = 0;
+    do {
+      retval = write(STDERR_FILENO,  msg, strlen(msg));
+    } while (retval < 0 && errno == EINTR);
+    do {
+      retval = write(STDERR_FILENO, "\n", 1);
+    } while (retval < 0 && errno == EINTR);
     return 0;
   }
@@ -468 +473 @@
   }
   sl_strlcat(msg, details, 128);
-  safe_logger (signal, method, msg);
+  (void) safe_logger (signal, method, msg);
   _exit(EXIT_FAILURE);
 }
@@ -507 +512 @@
       if (immediate_exit_normal == 2)
         {
-          chdir ("/");
+          int val_return;
+
+          do {
+            val_return = chdir ("/");
+          } while (val_return < 0 && errno == EINTR);
+
           safe_logger (mysignal, 0, NULL);
         }
@@ -3032 +3042 @@
     {
       char hashbuf[KEYBUF_SIZE];
+      UINT64 local_length = (UINT64) (tmpFile.size < 0 ? 0 : tmpFile.size);
       sl_strlcpy(fileHash,
-                 sh_tiger_generic_hash (filename, fd, &(tmpFile.size), 
+                 sh_tiger_generic_hash (filename, fd, &(local_length), 
                                         alert_timeout, hashbuf, sizeof(hashbuf)),
                  KEY_LEN+1);

trunk/src/sh_utmp.c

@@ -773 +773 @@
 static void sh_utmp_addlogin (struct SH_UTMP_S * ut)
 {
-  struct log_user   * user     = userlist;
-  struct log_user   * userold  = userlist;
+  struct          log_user   * user     = userlist;
+  volatile struct log_user   * userold  = userlist;
 #ifdef HAVE_UTTYPE  
   struct log_user   * username = userlist;
@@ -781 +781 @@
   char   ttt[TIM_MAX];
 #ifdef HAVE_UTTYPE
-  int    status;
+  volatile int    status;
 #endif