diff options
author | Theo de Raadt <deraadt@cvs.openbsd.org> | 1996-10-25 19:38:24 +0000 |
---|---|---|
committer | Theo de Raadt <deraadt@cvs.openbsd.org> | 1996-10-25 19:38:24 +0000 |
commit | 54d9c030a9eb88aec5d7bca3eddad4a71b52ed1f (patch) | |
tree | 26398a3548b72884d9e7f88f1e303d772bd8ff91 | |
parent | cf129a78e19c51cae5e0dcb02628e09c4ef90191 (diff) |
proactive bounds checking; help from millert
-rw-r--r-- | usr.sbin/lpr/common_source/common.c | 4 | ||||
-rw-r--r-- | usr.sbin/lpr/common_source/displayq.c | 7 | ||||
-rw-r--r-- | usr.sbin/lpr/common_source/rmjob.c | 4 | ||||
-rw-r--r-- | usr.sbin/lpr/common_source/startdaemon.c | 5 | ||||
-rw-r--r-- | usr.sbin/lpr/lpd/printjob.c | 36 | ||||
-rw-r--r-- | usr.sbin/lpr/lpd/recvjob.c | 4 |
6 files changed, 40 insertions, 20 deletions
diff --git a/usr.sbin/lpr/common_source/common.c b/usr.sbin/lpr/common_source/common.c index 6d48d7b1768..ae26013e0cf 100644 --- a/usr.sbin/lpr/common_source/common.c +++ b/usr.sbin/lpr/common_source/common.c @@ -197,14 +197,14 @@ getline(cfp) register char *lp = line; register c; - while ((c = getc(cfp)) != '\n') { + while ((c = getc(cfp)) != '\n' && linel+1<sizeof(line)) { if (c == EOF) return(0); if (c == '\t') { do { *lp++ = ' '; linel++; - } while ((linel & 07) != 0); + } while ((linel & 07) != 0 && linel+1<sizeof(line)); continue; } *lp++ = c; diff --git a/usr.sbin/lpr/common_source/displayq.c b/usr.sbin/lpr/common_source/displayq.c index 7a1282b8ee4..503a7c43f4f 100644 --- a/usr.sbin/lpr/common_source/displayq.c +++ b/usr.sbin/lpr/common_source/displayq.c @@ -225,13 +225,14 @@ displayq(format) */ if (nitems) putchar('\n'); - (void) sprintf(line, "%c%s", format + '\3', RP); + (void) snprintf(line, sizeof line, "%c%s", format + '\3', RP); cp = line; - for (i = 0; i < requests; i++) { + for (i = 0; i < requests && cp-line+10 < sizeof line; i++) { cp += strlen(cp); (void) sprintf(cp, " %d", requ[i]); } - for (i = 0; i < users; i++) { + for (i = 0; i < users && cp-line+1+strlen(user[i]) < + sizeof line; i++) { cp += strlen(cp); *cp++ = ' '; (void) strcpy(cp, user[i]); diff --git a/usr.sbin/lpr/common_source/rmjob.c b/usr.sbin/lpr/common_source/rmjob.c index b3fd6daec92..b4e71bb5140 100644 --- a/usr.sbin/lpr/common_source/rmjob.c +++ b/usr.sbin/lpr/common_source/rmjob.c @@ -327,12 +327,12 @@ rmremote() (void)snprintf(buf, sizeof(buf), "\5%s %s", RP, all ? "-all" : person); cp = buf; - for (i = 0; i < users; i++) { + for (i = 0; i < users && cp-buf+1+strlen(user[i]) < sizeof buf; i++) { cp += strlen(cp); *cp++ = ' '; strcpy(cp, user[i]); } - for (i = 0; i < requests; i++) { + for (i = 0; i < requests && cp-buf+10 < sizeof buf; i++) { cp += strlen(cp); (void) sprintf(cp, " %d", requ[i]); } diff --git a/usr.sbin/lpr/common_source/startdaemon.c b/usr.sbin/lpr/common_source/startdaemon.c index 930afc341de..4f3ec34c7f9 100644 --- a/usr.sbin/lpr/common_source/startdaemon.c +++ b/usr.sbin/lpr/common_source/startdaemon.c @@ -83,7 +83,10 @@ startdaemon(printer) return(0); } seteuid(uid); - (void) sprintf(buf, "\1%s\n", printer); + if (snprintf(buf, sizeof buf, "\1%s\n", printer) > sizeof buf-1) { + close(s); + return (0); + } n = strlen(buf); if (write(s, buf, n) != n) { perr("write"); diff --git a/usr.sbin/lpr/lpd/printjob.c b/usr.sbin/lpr/lpd/printjob.c index dff077b5dc6..21370f43bd9 100644 --- a/usr.sbin/lpr/lpd/printjob.c +++ b/usr.sbin/lpr/lpd/printjob.c @@ -1,4 +1,4 @@ -/* $OpenBSD: printjob.c,v 1.8 1996/09/30 21:24:34 deraadt Exp $ */ +/* $OpenBSD: printjob.c,v 1.9 1996/10/25 19:38:23 deraadt Exp $ */ /* $NetBSD: printjob.c,v 1.9.4.3 1996/07/12 22:31:39 jtc Exp $ */ /* @@ -219,7 +219,7 @@ again: errcnt = 0; restart: (void) lseek(lfd, pidoff, 0); - (void) sprintf(line, "%s\n", q->q_name); + (void) snprintf(line, sizeof line, "%s\n", q->q_name); i = strlen(line); if (write(lfd, line, i) != i) syslog(LOG_ERR, "%s: %s: %m", printer, LO); @@ -377,13 +377,17 @@ printit(file) while (getline(cfp)) switch (line[0]) { case 'H': - strcpy(fromhost, line+1); - if (class[0] == '\0') + strncpy(fromhost, line+1, sizeof(fromhost)-1); + fromhost[sizeof(fromhost)-1] = '\0'; + if (class[0] == '\0') { strncpy(class, line+1, sizeof(class)-1); + class[sizeof(class)-1] = '\0'; + } continue; case 'P': strncpy(logname, line+1, sizeof(logname)-1); + logname[sizeof(logname)-1] = '\0'; if (RS) { /* restricted */ if (getpwnam(logname) == NULL) { bombed = NOACCT; @@ -407,9 +411,10 @@ printit(file) continue; case 'J': - if (line[1] != '\0') + if (line[1] != '\0') { strncpy(jobname, line+1, sizeof(jobname)-1); - else + jobname[sizeof(jobname)-1] = '\0'; + } else strcpy(jobname, " "); continue; @@ -418,10 +423,12 @@ printit(file) strncpy(class, line+1, sizeof(class)-1); else if (class[0] == '\0') gethostname(class, sizeof(class)); + class[sizeof(class)-1] = '\0'; continue; case 'T': /* header title for pr */ strncpy(title, line+1, sizeof(title)-1); + title[sizeof(title)-1] = '\0'; continue; case 'L': /* identification line */ @@ -433,16 +440,21 @@ printit(file) case '2': case '3': case '4': - if (line[1] != '\0') - strcpy(fonts[line[0]-'1'], line+1); + if (line[1] != '\0') { + strncpy(fonts[line[0]-'1'], line+1, + 50-1); + fonts[line[0]-'1'][50-1] = '\0'; + } continue; case 'W': /* page width */ strncpy(width+2, line+1, sizeof(width)-3); + width[2+sizeof(width)-3] = '\0'; continue; case 'I': /* indent amount */ strncpy(indent+2, line+1, sizeof(indent)-3); + indent[2+sizeof(indent)-3] = '\0'; continue; default: /* some file to print */ @@ -844,7 +856,9 @@ sendfile(type, file) if ((stb.st_mode & S_IFMT) == S_IFLNK && fstat(f, &stb) == 0 && (stb.st_dev != fdev || stb.st_ino != fino)) return(ACCESS); - (void) sprintf(buf, "%c%qd %s\n", type, stb.st_size, file); + if (snprintf(buf, sizeof buf, "%c%qd %s\n", type, + stb.st_size, file) > sizeof buf-1) + return (ACCESS); /* XXX hack */ amt = strlen(buf); for (i = 0; ; i++) { if (write(pfd, buf, amt) != amt || @@ -1049,7 +1063,7 @@ sendmail(user, bombed) cp++; else cp = _PATH_SENDMAIL; - sprintf(buf, "%s@%s", user, fromhost); + snprintf(buf, sizeof buf, "%s@%s", user, fromhost); execl(_PATH_SENDMAIL, cp, buf, 0); exit(0); } else if (s > 0) { /* parent */ @@ -1382,7 +1396,7 @@ openrem() resp = -1; pfd = getport(RM, 0); if (pfd >= 0) { - (void) sprintf(line, "\2%s\n", RP); + (void) snprintf(line, sizeof line, "\2%s\n", RP); n = strlen(line); if (write(pfd, line, n) == n && (resp = response()) == '\0') diff --git a/usr.sbin/lpr/lpd/recvjob.c b/usr.sbin/lpr/lpd/recvjob.c index 9d5b252da60..ea2128cd31e 100644 --- a/usr.sbin/lpr/lpd/recvjob.c +++ b/usr.sbin/lpr/lpd/recvjob.c @@ -150,7 +150,9 @@ readjob() printer); return(nfiles); } - } while (*cp++ != '\n'); + } while (*cp++ != '\n' && (cp - line + 1) < sizeof line); + if (cp - line + 1 < sizeof line) + frecverr("readjob overflow"); *--cp = '\0'; cp = line; switch (*cp++) { |