summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTheo de Raadt <deraadt@cvs.openbsd.org>1996-10-25 19:38:24 +0000
committerTheo de Raadt <deraadt@cvs.openbsd.org>1996-10-25 19:38:24 +0000
commit54d9c030a9eb88aec5d7bca3eddad4a71b52ed1f (patch)
tree26398a3548b72884d9e7f88f1e303d772bd8ff91
parentcf129a78e19c51cae5e0dcb02628e09c4ef90191 (diff)
proactive bounds checking; help from millert
-rw-r--r--usr.sbin/lpr/common_source/common.c4
-rw-r--r--usr.sbin/lpr/common_source/displayq.c7
-rw-r--r--usr.sbin/lpr/common_source/rmjob.c4
-rw-r--r--usr.sbin/lpr/common_source/startdaemon.c5
-rw-r--r--usr.sbin/lpr/lpd/printjob.c36
-rw-r--r--usr.sbin/lpr/lpd/recvjob.c4
6 files changed, 40 insertions, 20 deletions
diff --git a/usr.sbin/lpr/common_source/common.c b/usr.sbin/lpr/common_source/common.c
index 6d48d7b1768..ae26013e0cf 100644
--- a/usr.sbin/lpr/common_source/common.c
+++ b/usr.sbin/lpr/common_source/common.c
@@ -197,14 +197,14 @@ getline(cfp)
register char *lp = line;
register c;
- while ((c = getc(cfp)) != '\n') {
+ while ((c = getc(cfp)) != '\n' && linel+1<sizeof(line)) {
if (c == EOF)
return(0);
if (c == '\t') {
do {
*lp++ = ' ';
linel++;
- } while ((linel & 07) != 0);
+ } while ((linel & 07) != 0 && linel+1<sizeof(line));
continue;
}
*lp++ = c;
diff --git a/usr.sbin/lpr/common_source/displayq.c b/usr.sbin/lpr/common_source/displayq.c
index 7a1282b8ee4..503a7c43f4f 100644
--- a/usr.sbin/lpr/common_source/displayq.c
+++ b/usr.sbin/lpr/common_source/displayq.c
@@ -225,13 +225,14 @@ displayq(format)
*/
if (nitems)
putchar('\n');
- (void) sprintf(line, "%c%s", format + '\3', RP);
+ (void) snprintf(line, sizeof line, "%c%s", format + '\3', RP);
cp = line;
- for (i = 0; i < requests; i++) {
+ for (i = 0; i < requests && cp-line+10 < sizeof line; i++) {
cp += strlen(cp);
(void) sprintf(cp, " %d", requ[i]);
}
- for (i = 0; i < users; i++) {
+ for (i = 0; i < users && cp-line+1+strlen(user[i]) <
+ sizeof line; i++) {
cp += strlen(cp);
*cp++ = ' ';
(void) strcpy(cp, user[i]);
diff --git a/usr.sbin/lpr/common_source/rmjob.c b/usr.sbin/lpr/common_source/rmjob.c
index b3fd6daec92..b4e71bb5140 100644
--- a/usr.sbin/lpr/common_source/rmjob.c
+++ b/usr.sbin/lpr/common_source/rmjob.c
@@ -327,12 +327,12 @@ rmremote()
(void)snprintf(buf, sizeof(buf), "\5%s %s", RP, all ? "-all" : person);
cp = buf;
- for (i = 0; i < users; i++) {
+ for (i = 0; i < users && cp-buf+1+strlen(user[i]) < sizeof buf; i++) {
cp += strlen(cp);
*cp++ = ' ';
strcpy(cp, user[i]);
}
- for (i = 0; i < requests; i++) {
+ for (i = 0; i < requests && cp-buf+10 < sizeof buf; i++) {
cp += strlen(cp);
(void) sprintf(cp, " %d", requ[i]);
}
diff --git a/usr.sbin/lpr/common_source/startdaemon.c b/usr.sbin/lpr/common_source/startdaemon.c
index 930afc341de..4f3ec34c7f9 100644
--- a/usr.sbin/lpr/common_source/startdaemon.c
+++ b/usr.sbin/lpr/common_source/startdaemon.c
@@ -83,7 +83,10 @@ startdaemon(printer)
return(0);
}
seteuid(uid);
- (void) sprintf(buf, "\1%s\n", printer);
+ if (snprintf(buf, sizeof buf, "\1%s\n", printer) > sizeof buf-1) {
+ close(s);
+ return (0);
+ }
n = strlen(buf);
if (write(s, buf, n) != n) {
perr("write");
diff --git a/usr.sbin/lpr/lpd/printjob.c b/usr.sbin/lpr/lpd/printjob.c
index dff077b5dc6..21370f43bd9 100644
--- a/usr.sbin/lpr/lpd/printjob.c
+++ b/usr.sbin/lpr/lpd/printjob.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: printjob.c,v 1.8 1996/09/30 21:24:34 deraadt Exp $ */
+/* $OpenBSD: printjob.c,v 1.9 1996/10/25 19:38:23 deraadt Exp $ */
/* $NetBSD: printjob.c,v 1.9.4.3 1996/07/12 22:31:39 jtc Exp $ */
/*
@@ -219,7 +219,7 @@ again:
errcnt = 0;
restart:
(void) lseek(lfd, pidoff, 0);
- (void) sprintf(line, "%s\n", q->q_name);
+ (void) snprintf(line, sizeof line, "%s\n", q->q_name);
i = strlen(line);
if (write(lfd, line, i) != i)
syslog(LOG_ERR, "%s: %s: %m", printer, LO);
@@ -377,13 +377,17 @@ printit(file)
while (getline(cfp))
switch (line[0]) {
case 'H':
- strcpy(fromhost, line+1);
- if (class[0] == '\0')
+ strncpy(fromhost, line+1, sizeof(fromhost)-1);
+ fromhost[sizeof(fromhost)-1] = '\0';
+ if (class[0] == '\0') {
strncpy(class, line+1, sizeof(class)-1);
+ class[sizeof(class)-1] = '\0';
+ }
continue;
case 'P':
strncpy(logname, line+1, sizeof(logname)-1);
+ logname[sizeof(logname)-1] = '\0';
if (RS) { /* restricted */
if (getpwnam(logname) == NULL) {
bombed = NOACCT;
@@ -407,9 +411,10 @@ printit(file)
continue;
case 'J':
- if (line[1] != '\0')
+ if (line[1] != '\0') {
strncpy(jobname, line+1, sizeof(jobname)-1);
- else
+ jobname[sizeof(jobname)-1] = '\0';
+ } else
strcpy(jobname, " ");
continue;
@@ -418,10 +423,12 @@ printit(file)
strncpy(class, line+1, sizeof(class)-1);
else if (class[0] == '\0')
gethostname(class, sizeof(class));
+ class[sizeof(class)-1] = '\0';
continue;
case 'T': /* header title for pr */
strncpy(title, line+1, sizeof(title)-1);
+ title[sizeof(title)-1] = '\0';
continue;
case 'L': /* identification line */
@@ -433,16 +440,21 @@ printit(file)
case '2':
case '3':
case '4':
- if (line[1] != '\0')
- strcpy(fonts[line[0]-'1'], line+1);
+ if (line[1] != '\0') {
+ strncpy(fonts[line[0]-'1'], line+1,
+ 50-1);
+ fonts[line[0]-'1'][50-1] = '\0';
+ }
continue;
case 'W': /* page width */
strncpy(width+2, line+1, sizeof(width)-3);
+ width[2+sizeof(width)-3] = '\0';
continue;
case 'I': /* indent amount */
strncpy(indent+2, line+1, sizeof(indent)-3);
+ indent[2+sizeof(indent)-3] = '\0';
continue;
default: /* some file to print */
@@ -844,7 +856,9 @@ sendfile(type, file)
if ((stb.st_mode & S_IFMT) == S_IFLNK && fstat(f, &stb) == 0 &&
(stb.st_dev != fdev || stb.st_ino != fino))
return(ACCESS);
- (void) sprintf(buf, "%c%qd %s\n", type, stb.st_size, file);
+ if (snprintf(buf, sizeof buf, "%c%qd %s\n", type,
+ stb.st_size, file) > sizeof buf-1)
+ return (ACCESS); /* XXX hack */
amt = strlen(buf);
for (i = 0; ; i++) {
if (write(pfd, buf, amt) != amt ||
@@ -1049,7 +1063,7 @@ sendmail(user, bombed)
cp++;
else
cp = _PATH_SENDMAIL;
- sprintf(buf, "%s@%s", user, fromhost);
+ snprintf(buf, sizeof buf, "%s@%s", user, fromhost);
execl(_PATH_SENDMAIL, cp, buf, 0);
exit(0);
} else if (s > 0) { /* parent */
@@ -1382,7 +1396,7 @@ openrem()
resp = -1;
pfd = getport(RM, 0);
if (pfd >= 0) {
- (void) sprintf(line, "\2%s\n", RP);
+ (void) snprintf(line, sizeof line, "\2%s\n", RP);
n = strlen(line);
if (write(pfd, line, n) == n &&
(resp = response()) == '\0')
diff --git a/usr.sbin/lpr/lpd/recvjob.c b/usr.sbin/lpr/lpd/recvjob.c
index 9d5b252da60..ea2128cd31e 100644
--- a/usr.sbin/lpr/lpd/recvjob.c
+++ b/usr.sbin/lpr/lpd/recvjob.c
@@ -150,7 +150,9 @@ readjob()
printer);
return(nfiles);
}
- } while (*cp++ != '\n');
+ } while (*cp++ != '\n' && (cp - line + 1) < sizeof line);
+ if (cp - line + 1 < sizeof line)
+ frecverr("readjob overflow");
*--cp = '\0';
cp = line;
switch (*cp++) {