aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGerald Combs <gerald@wireshark.org>2010-09-16 19:20:06 +0000
committerGerald Combs <gerald@wireshark.org>2010-09-16 19:20:06 +0000
commita87bdf9660f26c48ed0024d7db286fee7ddf1280 (patch)
treec9bf130aae742b288f2617e5d9f61a4dac4dc245
parent034f2739d22835e79b94c350839cdaee990339ae (diff)
Turn on ASLR via /DYNAMICBASE and DEP via SetProcessDEPPolicy().
svn path=/trunk/; revision=34137
-rw-r--r--capinfos.c2
-rw-r--r--config.nmake10
-rw-r--r--dftest.c2
-rw-r--r--dumpcap.c2
-rw-r--r--editcap.c14
-rw-r--r--gtk/main.c2
-rw-r--r--rawshark.c4
-rw-r--r--tshark.c2
-rw-r--r--wsutil/libwsutil.def2
-rw-r--r--wsutil/privileges.c21
-rw-r--r--wsutil/privileges.h6
11 files changed, 44 insertions, 23 deletions
diff --git a/capinfos.c b/capinfos.c
index 97d852cfef..08017999b4 100644
--- a/capinfos.c
+++ b/capinfos.c
@@ -816,7 +816,7 @@ main(int argc, char *argv[])
/*
* Get credential information for later use.
*/
- get_credential_info();
+ init_process_policies();
#ifdef HAVE_PLUGINS
/* Register wiretap plugins */
diff --git a/config.nmake b/config.nmake
index eaa3eced3b..f6e7885fe8 100644
--- a/config.nmake
+++ b/config.nmake
@@ -780,6 +780,7 @@ LOCAL_CFLAGS=$(LOCAL_CFLAGS) /D_BIND_TO_CURRENT_CRT_VERSION=1
!IF "$(MSVC_VARIANT)" == "MSVC2008" || "$(MSVC_VARIANT)" == "MSVC2008EE" || "$(MSVC_VARIANT)" == "MSVC2010" || "$(MSVC_VARIANT)" == "MSVC2010EE"
LOCAL_CFLAGS= $(LOCAL_CFLAGS) /MP
!ENDIF
+
# Linker flags:
# /DEBUG generate debug info
# /PROFILE generate map file(s) for profiling
@@ -792,6 +793,15 @@ DLL_LDFLAGS =
DLL_LDFLAGS = /MANIFEST:no
!ENDIF
+# Enable ASLR. Requires VS2008 or later.
+# http://blogs.msdn.com/b/vcblog/archive/2009/05/21/dynamicbase-and-nxcompat.aspx
+# DEP is handled in init_process_policies()
+
+# ASLR http://msdn.microsoft.com/en-us/library/bb384887.aspx
+!IF $(MSC_VER_REQUIRED) >= 1500
+LOCAL_LDFLAGS= $(LOCAL_LDFLAGS) /DYNAMICBASE
+!ENDIF
+
PLUGIN_LDFLAGS = /NOLOGO /INCREMENTAL:no $(LOCAL_LDFLAGS) $(DLL_LDFLAGS)
#
diff --git a/dftest.c b/dftest.c
index a9ed864588..5d82b6374b 100644
--- a/dftest.c
+++ b/dftest.c
@@ -68,7 +68,7 @@ main(int argc, char **argv)
/*
* Get credential information for later use.
*/
- get_credential_info();
+ init_process_policies();
/*
* Attempt to get the pathname of the executable file.
diff --git a/dumpcap.c b/dumpcap.c
index e89094d8a5..4cb1b6c944 100644
--- a/dumpcap.c
+++ b/dumpcap.c
@@ -3569,7 +3569,7 @@ main(int argc, char *argv[])
/* */
/* ----------------------------------------------------------------- */
- get_credential_info();
+ init_process_policies();
#ifdef HAVE_LIBCAP
/* If 'started with special privileges' (and using libcap) */
diff --git a/editcap.c b/editcap.c
index 33201c4e18..53c39beb86 100644
--- a/editcap.c
+++ b/editcap.c
@@ -383,9 +383,9 @@ set_strict_time_adj(char *optarg_str_p)
optarg_str_p++;
}
- /*
- * check for a negative adjustment
- * A negative strict adjustment value is a flag
+ /*
+ * check for a negative adjustment
+ * A negative strict adjustment value is a flag
* to adjust all frames by the specifed delta time.
*/
if (*optarg_str_p == '-') {
@@ -807,7 +807,7 @@ main(int argc, char *argv[])
/*
* Get credential information for later use.
*/
- get_credential_info();
+ init_process_policies();
#ifdef HAVE_PLUGINS
/* Register wiretap plugins */
@@ -1226,9 +1226,9 @@ main(int argc, char *argv[])
phdr = &snap_phdr;
}
} else {
- /*
- * A negative strict time adjustment is requested.
- * Unconditionally set each timestamp to previous
+ /*
+ * A negative strict time adjustment is requested.
+ * Unconditionally set each timestamp to previous
* packet's timestamp plus delta.
*/
snap_phdr = *phdr;
diff --git a/gtk/main.c b/gtk/main.c
index 7c52b8f13b..d70880e382 100644
--- a/gtk/main.c
+++ b/gtk/main.c
@@ -2116,7 +2116,7 @@ main(int argc, char *argv[])
* before doing anything else.
* Let the user know if anything happened.
*/
- get_credential_info();
+ init_process_policies();
relinquish_special_privs_perm();
/*
diff --git a/rawshark.c b/rawshark.c
index 05eba3c3ea..4218941eca 100644
--- a/rawshark.c
+++ b/rawshark.c
@@ -453,7 +453,7 @@ main(int argc, char *argv[])
/*
* Get credential information for later use.
*/
- get_credential_info();
+ init_process_policies();
/*
* Clear the filters arrays
@@ -480,7 +480,7 @@ main(int argc, char *argv[])
/*
* Get credential information for later use.
*/
- get_credential_info();
+ init_process_policies();
/* nothing more than the standard GLib handler, but without a warning */
log_flags =
diff --git a/tshark.c b/tshark.c
index 5c63d2c7ef..475d6a3bf6 100644
--- a/tshark.c
+++ b/tshark.c
@@ -824,7 +824,7 @@ main(int argc, char *argv[])
/*
* Get credential information for later use.
*/
- get_credential_info();
+ init_process_policies();
/*
* Attempt to get the pathname of the executable file.
diff --git a/wsutil/libwsutil.def b/wsutil/libwsutil.def
index 1dff793519..a0d4ed1b47 100644
--- a/wsutil/libwsutil.def
+++ b/wsutil/libwsutil.def
@@ -42,7 +42,7 @@ mpa_samples
mpa_version
; privileges.c
-get_credential_info
+init_process_policies
get_cur_groupname
get_cur_username
npf_sys_is_running
diff --git a/wsutil/privileges.c b/wsutil/privileges.c
index 19adbd3d70..4cd1ae4adb 100644
--- a/wsutil/privileges.c
+++ b/wsutil/privileges.c
@@ -44,8 +44,19 @@
* we'll need later.
*/
void
-get_credential_info(void)
+init_process_policies(void)
{
+ typedef BOOL (*SetProcessDEPPolicyHandler)(DWORD);
+ SetProcessDEPPolicyHandler PSetProcessDEPPolicy;
+
+#ifndef PROCESS_DEP_ENABLE
+#define PROCESS_DEP_ENABLE 1
+#endif
+
+ if (PSetProcessDEPPolicy = (SetProcessDEPPolicyHandler) GetProcAddress(GetModuleHandle(_T("kernel32.dll")), "SetProcessDEPPolicy")) {
+ PSetProcessDEPPolicy(PROCESS_DEP_ENABLE);
+ }
+
npf_sys_is_running();
}
@@ -149,7 +160,7 @@ npf_sys_is_running() {
static uid_t ruid, euid;
static gid_t rgid, egid;
-static gboolean get_credential_info_called = FALSE;
+static gboolean init_process_polices_called = FALSE;
/*
* Called when the program starts, to save whatever credential information
@@ -157,14 +168,14 @@ static gboolean get_credential_info_called = FALSE;
* That'd be the real and effective UID and GID on UNIX.
*/
void
-get_credential_info(void)
+init_process_polices(void)
{
ruid = getuid();
euid = geteuid();
rgid = getgid();
egid = getegid();
- get_credential_info_called = TRUE;
+ init_process_polices_called = TRUE;
}
/*
@@ -174,7 +185,7 @@ get_credential_info(void)
gboolean
started_with_special_privs(void)
{
- g_assert(get_credential_info_called);
+ g_assert(init_process_polices_called);
#ifdef HAVE_ISSETUGID
return issetugid();
#else
diff --git a/wsutil/privileges.h b/wsutil/privileges.h
index e45b77807f..7526a8ce75 100644
--- a/wsutil/privileges.h
+++ b/wsutil/privileges.h
@@ -23,10 +23,10 @@
*/
/**
- * Called when the program starts, to save whatever credential information
- * we'll need later.
+ * Called when the program starts, to enable security features and save
+ * whatever credential information we'll need later.
*/
-extern void get_credential_info(void);
+extern void init_process_policies(void);
/**
* Was this program started with special privileges? get_credential_info()