str{cat,cpy}/sprintf cleanup. markus@, deraadt@ ok

9 files changed, 32 insertions, 26 deletions

diff --git a/lib/libssl/src/crypto/asn1/a_time.c b/lib/libssl/src/crypto/asn1/a_time.c
index 27ddd30899b..f8fdfb5975e 100644
--- a/lib/libssl/src/crypto/asn1/a_time.c
+++ b/lib/libssl/src/crypto/asn1/a_time.c
@@ -125,6 +125,7 @@ ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t, ASN1_GENERALIZE
 	{
 	ASN1_GENERALIZEDTIME *ret;
 	char *str;
+	int newlen;
 
 	if (!ASN1_TIME_check(t)) return NULL;
 
@@ -145,14 +146,15 @@ ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t, ASN1_GENERALIZE
 		}
 
 	/* grow the string */
-	if (!ASN1_STRING_set(ret, NULL, t->length + 2))
+	newlen = t->length + 2;
+	if (!ASN1_STRING_set(ret, NULL, newlen))
 		return NULL;
 	str = (char *)ret->data;
 	/* Work out the century and prepend */
-	if (t->data[0] >= '5') strcpy(str, "19");
-	else strcpy(str, "20");
+	if (t->data[0] >= '5') strlcpy(str, "19", newlen);
+	else strlcpy(str, "20", newlen);
 
-	strcat(str, (char *)t->data);
+	strlcat(str, (char *)t->data, newlen);
 
 	return ret;
 	}
diff --git a/lib/libssl/src/crypto/asn1/t_pkey.c b/lib/libssl/src/crypto/asn1/t_pkey.c
index 2d46914cb18..b3f83640121 100644
--- a/lib/libssl/src/crypto/asn1/t_pkey.c
+++ b/lib/libssl/src/crypto/asn1/t_pkey.c
@@ -143,9 +143,9 @@ int RSA_print(BIO *bp, const RSA *x, int off)
 		}
 
 	if (x->d == NULL)
-		sprintf(str,"Modulus (%d bit):",BN_num_bits(x->n));
+		snprintf(str,sizeof str,"Modulus (%d bit):",BN_num_bits(x->n));
 	else
-		strcpy(str,"modulus:");
+		strlcpy(str,"modulus:",sizeof str);
 	if (!print(bp,str,x->n,m,off)) goto err;
 	s=(x->d == NULL)?"Exponent:":"publicExponent:";
 	if (!print(bp,s,x->e,m,off)) goto err;
diff --git a/lib/libssl/src/crypto/bio/bss_file.c b/lib/libssl/src/crypto/bio/bss_file.c
index 826b361fa22..18e7bb86e60 100644
--- a/lib/libssl/src/crypto/bio/bss_file.c
+++ b/lib/libssl/src/crypto/bio/bss_file.c
@@ -232,15 +232,15 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr)
 		if (num & BIO_FP_APPEND)
 			{
 			if (num & BIO_FP_READ)
-				strcpy(p,"a+");
-			else	strcpy(p,"a");
+				strlcpy(p,"a+",sizeof p);
+			else	strlcpy(p,"a",sizeof p);
 			}
 		else if ((num & BIO_FP_READ) && (num & BIO_FP_WRITE))
-			strcpy(p,"r+");
+			strlcpy(p,"r+",sizeof p);
 		else if (num & BIO_FP_WRITE)
-			strcpy(p,"w");
+			strlcpy(p,"w",sizeof p);
 		else if (num & BIO_FP_READ)
-			strcpy(p,"r");
+			strlcpy(p,"r",sizeof p);
 		else
 			{
 			BIOerr(BIO_F_FILE_CTRL,BIO_R_BAD_FOPEN_MODE);
diff --git a/lib/libssl/src/crypto/err/err.c b/lib/libssl/src/crypto/err/err.c
index 5abe44e6d57..9b532d1f4ca 100644
--- a/lib/libssl/src/crypto/err/err.c
+++ b/lib/libssl/src/crypto/err/err.c
@@ -1023,7 +1023,7 @@ void ERR_add_error_data(int num, ...)
 				else
 					str=p;
 				}
-			strcat(str,a);
+			strlcat(str,a,s+1);
 			}
 		}
 	ERR_set_error_data(str,ERR_TXT_MALLOCED|ERR_TXT_STRING);
diff --git a/lib/libssl/src/crypto/evp/evp_pbe.c b/lib/libssl/src/crypto/evp/evp_pbe.c
index bcd4d29f858..4234cd76849 100644
--- a/lib/libssl/src/crypto/evp/evp_pbe.c
+++ b/lib/libssl/src/crypto/evp/evp_pbe.c
@@ -87,7 +87,7 @@ int EVP_PBE_CipherInit (ASN1_OBJECT *pbe_obj, const char *pass, int passlen,
 	if (i == -1) {
 		char obj_tmp[80];
 		EVPerr(EVP_F_EVP_PBE_CIPHERINIT,EVP_R_UNKNOWN_PBE_ALGORITHM);
-		if (!pbe_obj) strcpy (obj_tmp, "NULL");
+		if (!pbe_obj) strlcpy (obj_tmp, "NULL", sizeof obj_tmp);
 		else i2t_ASN1_OBJECT(obj_tmp, 80, pbe_obj);
 		ERR_add_error_data(2, "TYPE=", obj_tmp);
 		return 0;
diff --git a/lib/libssl/src/crypto/evp/evp_pkey.c b/lib/libssl/src/crypto/evp/evp_pkey.c
index 34b5b1d21cc..30b6fbb03dd 100644
--- a/lib/libssl/src/crypto/evp/evp_pkey.c
+++ b/lib/libssl/src/crypto/evp/evp_pkey.c
@@ -210,7 +210,7 @@ EVP_PKEY *EVP_PKCS82PKEY (PKCS8_PRIV_KEY_INFO *p8)
 #endif
 		default:
 		EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM);
-		if (!a->algorithm) strcpy (obj_tmp, "NULL");
+		if (!a->algorithm) strlcpy (obj_tmp, "NULL", sizeof obj_tmp);
 		else i2t_ASN1_OBJECT(obj_tmp, 80, a->algorithm);
 		ERR_add_error_data(2, "TYPE=", obj_tmp);
 		EVP_PKEY_free (pkey);
diff --git a/lib/libssl/src/crypto/mem_dbg.c b/lib/libssl/src/crypto/mem_dbg.c
index 0beb3b36d15..ea94eee6f4d 100644
--- a/lib/libssl/src/crypto/mem_dbg.c
+++ b/lib/libssl/src/crypto/mem_dbg.c
@@ -585,6 +585,8 @@ static void print_leak(const MEM *m, MEM_LEAK *l)
 	struct tm *lcl = NULL;
 	unsigned long ti;
 
+#define BUF_REMAIN (sizeof buf - (size_t)(bufp - buf))
+
 	if(m->addr == (char *)l->bio)
 	    return;
 
@@ -592,22 +594,22 @@ static void print_leak(const MEM *m, MEM_LEAK *l)
 		{
 		lcl = localtime(&m->time);
 	
-		sprintf(bufp, "[%02d:%02d:%02d] ",
+		snprintf(bufp, BUF_REMAIN, "[%02d:%02d:%02d] ",
 			lcl->tm_hour,lcl->tm_min,lcl->tm_sec);
 		bufp += strlen(bufp);
 		}
 
-	sprintf(bufp, "%5lu file=%s, line=%d, ",
+	snprintf(bufp, BUF_REMAIN, "%5lu file=%s, line=%d, ",
 		m->order,m->file,m->line);
 	bufp += strlen(bufp);
 
 	if (options & V_CRYPTO_MDEBUG_THREAD)
 		{
-		sprintf(bufp, "thread=%lu, ", m->thread);
+		snprintf(bufp, BUF_REMAIN, "thread=%lu, ", m->thread);
 		bufp += strlen(bufp);
 		}
 
-	sprintf(bufp, "number=%d, address=%08lX\n",
+	snprintf(bufp, BUF_REMAIN, "number=%d, address=%08lX\n",
 		m->num,(unsigned long)m->addr);
 	bufp += strlen(bufp);
 
@@ -682,7 +684,7 @@ void CRYPTO_mem_leaks(BIO *b)
 				(char *)&ml);
 	if (ml.chunks != 0)
 		{
-		sprintf(buf,"%ld bytes leaked in %d chunks\n",
+		snprintf(buf,sizeof buf,"%ld bytes leaked in %d chunks\n",
 			ml.bytes,ml.chunks);
 		BIO_puts(b,buf);
 		}
diff --git a/lib/libssl/src/crypto/pem/pem_lib.c b/lib/libssl/src/crypto/pem/pem_lib.c
index a8db6ffbf5c..50f5733654a 100644
--- a/lib/libssl/src/crypto/pem/pem_lib.c
+++ b/lib/libssl/src/crypto/pem/pem_lib.c
@@ -131,9 +131,9 @@ void PEM_proc_type(char *buf, int type)
 	else
 		str="BAD-TYPE";
 		
-	strcat(buf,"Proc-Type: 4,");
-	strcat(buf,str);
-	strcat(buf,"\n");
+	strlcat(buf,"Proc-Type: 4,",PEM_BUFSIZE);
+	strlcat(buf,str,PEM_BUFSIZE);
+	strlcat(buf,"\n",PEM_BUFSIZE);
 	}
 
 void PEM_dek_info(char *buf, const char *type, int len, char *str)
@@ -142,10 +142,12 @@ void PEM_dek_info(char *buf, const char *type, int len, char *str)
 	long i;
 	int j;
 
-	strcat(buf,"DEK-Info: ");
-	strcat(buf,type);
-	strcat(buf,",");
+	strlcat(buf,"DEK-Info: ",PEM_BUFSIZE);
+	strlcat(buf,type,PEM_BUFSIZE);
+	strlcat(buf,",",PEM_BUFSIZE);
 	j=strlen(buf);
+	if (j + (len * 2) + 1 > PEM_BUFSIZE)
+        	return;
 	for (i=0; i<len; i++)
 		{
 		buf[j+i*2]  =map[(str[i]>>4)&0x0f];
diff --git a/lib/libssl/src/crypto/rand/randfile.c b/lib/libssl/src/crypto/rand/randfile.c
index 215c2616eb1..311dd27a7b2 100644
--- a/lib/libssl/src/crypto/rand/randfile.c
+++ b/lib/libssl/src/crypto/rand/randfile.c
@@ -242,7 +242,7 @@ const char *RAND_file_name(char *buf, size_t size)
 			{
 			strlcpy(buf,s,size);
 #ifndef OPENSSL_SYS_VMS
-			strcat(buf,"/");
+			strlcat(buf,"/",size);
 #endif
 			strlcat(buf,RFILE,size);
 			ok = 1;