summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTodd C. Miller <millert@cvs.openbsd.org>2003-02-13 17:22:02 +0000
committerTodd C. Miller <millert@cvs.openbsd.org>2003-02-13 17:22:02 +0000
commitc9febda8a0c3f0aad7c4eeae04fc98afb6d13da1 (patch)
treeaf0d5af4a9beaa0c9a325f8f52ffb555ab99f6ac
parent2de2232dfc88900deb75585a12dd109e12c9eeb6 (diff)
Fix loop invariants in rmremote(). Reported by Arne Woerner in PR
3084; different fix used. Hopefully this makes the code in question easier to read. deraadt@ henric@ OK
-rw-r--r--usr.sbin/lpr/common_source/rmjob.c35
1 files changed, 24 insertions, 11 deletions
diff --git a/usr.sbin/lpr/common_source/rmjob.c b/usr.sbin/lpr/common_source/rmjob.c
index 1e7f13dbd56..041c98129be 100644
--- a/usr.sbin/lpr/common_source/rmjob.c
+++ b/usr.sbin/lpr/common_source/rmjob.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rmjob.c,v 1.14 2002/06/08 01:53:43 millert Exp $ */
+/* $OpenBSD: rmjob.c,v 1.15 2003/02/13 17:22:01 millert Exp $ */
/* $NetBSD: rmjob.c,v 1.16 2000/04/16 14:43:58 mrg Exp $ */
/*
@@ -38,7 +38,7 @@
#if 0
static const char sccsid[] = "@(#)rmjob.c 8.2 (Berkeley) 4/28/95";
#else
-static const char rcsid[] = "$OpenBSD: rmjob.c,v 1.14 2002/06/08 01:53:43 millert Exp $";
+static const char rcsid[] = "$OpenBSD: rmjob.c,v 1.15 2003/02/13 17:22:01 millert Exp $";
#endif
#endif /* not lint */
@@ -333,6 +333,7 @@ rmremote(void)
{
char *cp;
int i, rem;
+ size_t n;
char buf[BUFSIZ];
if (!remote)
@@ -344,18 +345,26 @@ rmremote(void)
*/
fflush(stdout);
- (void)snprintf(buf, sizeof(buf)-2, "\5%s %s", RP, all ? "-all" : person);
- cp = buf + strlen(buf);
- for (i = 0; i < users && cp-buf+1+strlen(user[i]) < sizeof buf - 2; i++) {
- cp += strlen(cp);
+ /* the trailing space will be replaced with a newline later */
+ n = snprintf(buf, sizeof(buf), "\5%s %s ", RP, all ? "-all" : person);
+ if (n == -1 || n >= sizeof(buf))
+ goto bad;
+ cp = buf + n;
+ for (i = 0; i < users; i++) {
+ n = strlcpy(cp, user[i], sizeof(buf) - (cp - buf + 1));
+ if (n >= sizeof(buf) - (cp - buf + 1))
+ goto bad;
+ cp += n;
*cp++ = ' ';
- strcpy(cp, user[i]);
}
- for (i = 0; i < requests && cp-buf+10 < sizeof(buf) - 2; i++) {
- cp += strlen(cp);
- (void)sprintf(cp, " %d", requ[i]);
+ *cp = '\0';
+ for (i = 0; i < requests; i++) {
+ n = snprintf(cp, sizeof(buf) - (cp - buf), "%d ", requ[i]);
+ if (n == -1 || n >= sizeof(buf) - (cp - buf))
+ goto bad;
+ cp += n;
}
- strcat(cp, "\n");
+ cp[-1] = '\n'; /* replace space with newline, leave the NUL */
rem = getport(RM, 0);
if (rem < 0) {
if (from != host)
@@ -380,6 +389,10 @@ rmremote(void)
(void)sigaction(SIGALRM, &osa, NULL);
(void)close(rem);
}
+ return;
+bad:
+ printf("remote buffer too large\n");
+ return;
}
static void