o use in_port_t

 o be careful with string copies; use strlcpy/strlcat when sensible
 o ignore requests with bogus network types

6 files changed, 49 insertions, 38 deletions

diff --git a/usr.sbin/bootpd/bootpd.c b/usr.sbin/bootpd/bootpd.c
index c7b7bdddb02..e630e06c486 100644
--- a/usr.sbin/bootpd/bootpd.c
+++ b/usr.sbin/bootpd/bootpd.c
@@ -21,7 +21,7 @@ SOFTWARE.
 ************************************************************************/
 
 #ifndef lint
-static char rcsid[] = "$Id: bootpd.c,v 1.5 1998/11/14 21:18:20 millert Exp $";
+static char rcsid[] = "$Id: bootpd.c,v 1.6 1998/11/28 04:07:22 millert Exp $";
 #endif
 
 /*
@@ -133,7 +133,7 @@ PRIVATE void usage P((void));
  * IP port numbers for client and server obtained from /etc/services
  */
 
-u_short bootps_port, bootpc_port;
+in_port_t bootps_port, bootpc_port;
 
 
 /*
@@ -315,7 +315,7 @@ main(argc, argv)
 						"bootpd: missing hostname\n");
 				break;
 			}
-			strncpy(hostname, stmp, sizeof(hostname)-1);
+			strlcpy(hostname, stmp, sizeof(hostname));
 			break;
 
 		case 'i':				/* inetd mode */
@@ -443,9 +443,9 @@ main(argc, argv)
 		 */
 		servp = getservbyname("bootps", "udp");
 		if (servp) {
-			bootps_port = ntohs((u_short) servp->s_port);
+			bootps_port = ntohs((in_port_t) servp->s_port);
 		} else {
-			bootps_port = (u_short) IPPORT_BOOTPS;
+			bootps_port = (in_port_t) IPPORT_BOOTPS;
 			report(LOG_ERR,
 				   "udp/bootps: unknown service -- assuming port %d",
 				   bootps_port);
@@ -475,7 +475,7 @@ main(argc, argv)
 		report(LOG_ERR,
 			   "udp/bootpc: unknown service -- assuming port %d",
 			   IPPORT_BOOTPC);
-		bootpc_port = (u_short) IPPORT_BOOTPC;
+		bootpc_port = (in_port_t) IPPORT_BOOTPC;
 	}
 
 	/*
@@ -632,7 +632,16 @@ ignoring request for server %s from client at %s address %s",
 			return;
 		}
 	} else {
-		strcpy(bp->bp_sname, hostname);
+		strlcpy(bp->bp_sname, hostname, sizeof(bp->bp_sname));
+	}
+
+	/* If it uses an unknown network type, ignore the request.  */
+	if (bp->bp_htype >= hwinfocnt) {
+		if (debug)
+			report(LOG_INFO,
+			    "Request with unknown network type %u",
+			    bp->bp_htype);
+		return;
 	}
 
 	/* Convert the request into a reply. */
@@ -740,11 +749,9 @@ HW addr type is IEEE 802.  convert to %s and check again\n",
 	/* Run a program, passing the client name as a parameter. */
 	if (hp->flags.exec_file) {
 		char tst[100];
-		/* XXX - Check string lengths? -gwr */
-		strcpy (tst, hp->exec_file->string);
-		strcat (tst, " ");
-		strcat (tst, hp->hostname->string);
-		strcat (tst, " &");
+
+		snprintf(tst, sizeof(tst), "%s %s &", hp->exec_file->string,
+		    hp->hostname->string);
 		if (debug)
 			report(LOG_INFO, "executing %s", tst);
 		system(tst);	/* Hope this finishes soon... */
@@ -812,8 +819,7 @@ HW addr type is IEEE 802.  convert to %s and check again\n",
 	 * daemon chroot directory (i.e. /tftpboot).
 	 */
 	if (hp->flags.tftpdir) {
-		strncpy(realpath, hp->tftpdir->string, sizeof realpath-1);
-		realpath[sizeof realpath-1] = '\0';
+		strlcpy(realpath, hp->tftpdir->string, sizeof(realpath));
 		clntpath = &realpath[strlen(realpath)];
 	} else {
 		realpath[0] = '\0';
@@ -857,14 +863,18 @@ HW addr type is IEEE 802.  convert to %s and check again\n",
 	 */
 	if (homedir) {
 		if (homedir[0] != '/')
-			strcat(clntpath, "/");
-		strcat(clntpath, homedir);
+			strlcat(clntpath, "/",
+			    sizeof(realpath) - (clntpath - realpath));
+		strlcat(clntpath, homedir,
+		    sizeof(realpath) - (clntpath - realpath));
 		homedir = NULL;
 	}
 	if (bootfile) {
 		if (bootfile[0] != '/')
-			strcat(clntpath, "/");
-		strcat(clntpath, bootfile);
+			strlcat(clntpath, "/",
+			    sizeof(realpath) - (clntpath - realpath));
+		strlcat(clntpath, bootfile,
+		    sizeof(realpath) - (clntpath - realpath));
 		bootfile = NULL;
 	}
 
@@ -872,8 +882,9 @@ HW addr type is IEEE 802.  convert to %s and check again\n",
 	 * First try to find the file with a ".host" suffix
 	 */
 	n = strlen(clntpath);
-	strcat(clntpath, ".");
-	strcat(clntpath, hp->hostname->string);
+	strlcat(clntpath, ".", sizeof(realpath) - (clntpath - realpath));
+	strlcat(clntpath, hp->hostname->string,
+	    sizeof(realpath) - (clntpath - realpath));
 	if (chk_access(realpath, &bootsize) < 0) {
 		clntpath[n] = 0;			/* Try it without the suffix */
 		if (chk_access(realpath, &bootsize) < 0) {
@@ -908,7 +919,7 @@ HW addr type is IEEE 802.  convert to %s and check again\n",
 #endif	/* CHECK_FILE_ACCESS */
 		}
 	}
-	strncpy(bp->bp_file, clntpath, BP_FILE_LEN);
+	strlcpy(bp->bp_file, clntpath, sizeof(bp->bp_file));
 	if (debug > 2)
 		report(LOG_INFO, "bootfile=\"%s\"", clntpath);
 
@@ -993,7 +1004,7 @@ sendreply(forward, dst_override)
 {
 	struct bootp *bp = (struct bootp *) pktbuf;
 	struct in_addr dst;
-	u_short port = bootpc_port;
+	in_port_t port = bootpc_port;
 	unsigned char *ha;
 	int len;
 
@@ -1147,7 +1158,7 @@ dovend_cmu(bp, hp)
 	 * domain name server, ien name server, time server
 	 */
 	vendp = (struct cmu_vend *) bp->bp_vend;
-	strcpy(vendp->v_magic, (char *)vm_cmu);
+	strlcpy(vendp->v_magic, (char *)vm_cmu, sizeof(vendp->v_magic));
 	if (hp->flags.subnet_mask) {
 		(vendp->v_smask).s_addr = hp->subnet_mask.s_addr;
 		(vendp->v_flags) |= VF_SMASK;
diff --git a/usr.sbin/bootpd/bootpgw.c b/usr.sbin/bootpd/bootpgw.c
index e09f20b2759..5cbdaaf6a7f 100644
--- a/usr.sbin/bootpd/bootpgw.c
+++ b/usr.sbin/bootpd/bootpgw.c
@@ -26,7 +26,7 @@ SOFTWARE.
 ************************************************************************/
 
 #ifndef lint
-static char rcsid[] = "$Id: bootpgw.c,v 1.2 1996/05/06 11:28:16 deraadt Exp $";
+static char rcsid[] = "$Id: bootpgw.c,v 1.3 1998/11/28 04:07:23 millert Exp $";
 #endif
 
 /*
@@ -105,7 +105,7 @@ static void handle_request P((void));
  * IP port numbers for client and server obtained from /etc/services
  */
 
-u_short bootps_port, bootpc_port;
+in_port_t bootps_port, bootpc_port;
 
 
 /*
@@ -399,9 +399,9 @@ main(argc, argv)
 		 */
 		servp = getservbyname("bootps", "udp");
 		if (servp) {
-			bootps_port = ntohs((u_short) servp->s_port);
+			bootps_port = ntohs((in_port_t) servp->s_port);
 		} else {
-			bootps_port = (u_short) IPPORT_BOOTPS;
+			bootps_port = (in_port_t) IPPORT_BOOTPS;
 			report(LOG_ERR,
 				   "udp/bootps: unknown service -- assuming port %d",
 				   bootps_port);
@@ -430,7 +430,7 @@ main(argc, argv)
 		report(LOG_ERR,
 			   "udp/bootpc: unknown service -- assuming port %d",
 			   IPPORT_BOOTPC);
-		bootpc_port = (u_short) IPPORT_BOOTPC;
+		bootpc_port = (in_port_t) IPPORT_BOOTPC;
 	}
 
 	/* no signal catchers */
diff --git a/usr.sbin/bootpd/bootptest.c b/usr.sbin/bootpd/bootptest.c
index 8760ea5f4bd..1d5a465f391 100644
--- a/usr.sbin/bootpd/bootptest.c
+++ b/usr.sbin/bootpd/bootptest.c
@@ -77,7 +77,7 @@ int snaplen;
  * IP port numbers for client and server obtained from /etc/services
  */
 
-u_short bootps_port, bootpc_port;
+in_port_t bootps_port, bootpc_port;
 
 
 /*
@@ -222,11 +222,11 @@ main(argc, argv)
 	 */
 	sep = getservbyname("bootps", "udp");
 	if (sep) {
-		bootps_port = ntohs((u_short) sep->s_port);
+		bootps_port = ntohs((in_port_t) sep->s_port);
 	} else {
 		fprintf(stderr, "udp/bootps: unknown service -- using port %d\n",
 				IPPORT_BOOTPS);
-		bootps_port = (u_short) IPPORT_BOOTPS;
+		bootps_port = (in_port_t) IPPORT_BOOTPS;
 	}
 
 	/*
@@ -259,7 +259,7 @@ main(argc, argv)
 	} else {
 		fprintf(stderr, "udp/bootpc: unknown service -- using port %d\n",
 				IPPORT_BOOTPC);
-		bootpc_port = (u_short) IPPORT_BOOTPC;
+		bootpc_port = (in_port_t) IPPORT_BOOTPC;
 	}
 
 	/*
@@ -287,7 +287,7 @@ main(argc, argv)
 	xid = (int32) getpid();
 	bp->bp_xid = (u_int32) htonl(xid);
 	if (bp_file)
-		strncpy(bp->bp_file, bp_file, BP_FILE_LEN);
+		strlcpy(bp->bp_file, bp_file, BP_FILE_LEN);
 
 	/*
 	 * Fill in the hardware address (or client IP address)
diff --git a/usr.sbin/bootpd/getether.c b/usr.sbin/bootpd/getether.c
index d9c7686737d..a2b2f1d9daf 100644
--- a/usr.sbin/bootpd/getether.c
+++ b/usr.sbin/bootpd/getether.c
@@ -73,7 +73,7 @@ getether(ifname, eap)
 	int nit;
 
 	bzero((char *) &ifrnit, sizeof(ifrnit));
-	strncpy(&ifrnit.ifr_name[0], ifname, IFNAMSIZ);
+	strlcpy(&ifrnit.ifr_name[0], ifname, IFNAMSIZ);
 
 	nit = open("/dev/nit", 0);
 	if (nit < 0) {
diff --git a/usr.sbin/bootpd/print-bootp.c b/usr.sbin/bootpd/print-bootp.c
index 3e0b6cb5635..1a5b97ff896 100644
--- a/usr.sbin/bootpd/print-bootp.c
+++ b/usr.sbin/bootpd/print-bootp.c
@@ -24,7 +24,7 @@
  * There is an e-mail list for tcpdump: <tcpdump@ee.lbl.gov>
  */
 #ifndef lint
-static char rcsid[] = "$Id: print-bootp.c,v 1.1 1995/10/18 08:47:27 deraadt Exp $";
+static char rcsid[] = "$Id: print-bootp.c,v 1.2 1998/11/28 04:07:24 millert Exp $";
 /* 93/10/10 <gwr@mc.com> New data-driven option print routine. */
 #endif
 
@@ -54,7 +54,7 @@ void
 bootp_print(bp, length, sport, dport)
 	struct bootp *bp;
 	int length;
-	u_short sport, dport;
+	in_port_t sport, dport;
 {
 	static char tstr[] = " [|bootp]";
 	static unsigned char vm_cmu[4] = VM_CMU;
diff --git a/usr.sbin/bootpd/readfile.c b/usr.sbin/bootpd/readfile.c
index a32739ea167..8f1afb6f93e 100644
--- a/usr.sbin/bootpd/readfile.c
+++ b/usr.sbin/bootpd/readfile.c
@@ -21,7 +21,7 @@ SOFTWARE.
 ************************************************************************/
 
 #ifndef lint
-static char rcsid[] = "$Id: readfile.c,v 1.2 1996/06/23 10:22:26 deraadt Exp $";
+static char rcsid[] = "$Id: readfile.c,v 1.3 1998/11/28 04:07:24 millert Exp $";
 #endif
 
 
@@ -344,7 +344,7 @@ readtab(force)
 #ifdef DEBUG
 	if (debug > 3) {
 		char timestr[28];
-		strcpy(timestr, ctime(&(st.st_mtime)));
+		strlcpy(timestr, ctime(&(st.st_mtime)), sizeof(timestr));
 		/* zap the newline */
 		timestr[24] = '\0';
 		report(LOG_INFO, "bootptab mtime: %s",