From 78bd82b79fdb80709642f906507dbf2b169271d9 Mon Sep 17 00:00:00 2001 From: Moritz Jodeit Date: Mon, 17 Sep 2007 07:07:24 +0000 Subject: Check snprintf(3) return value for error or truncation. Mostly path construction, where truncation could be bad. ok and input from deraadt@ millert@ ray@ --- lib/libc/db/btree/bt_open.c | 16 +++++++++++----- lib/libc/db/hash/hash_page.c | 11 ++++++++--- lib/libc/db/hash/ndbm.c | 7 ++++--- 3 files changed, 23 insertions(+), 11 deletions(-) (limited to 'lib/libc/db') diff --git a/lib/libc/db/btree/bt_open.c b/lib/libc/db/btree/bt_open.c index cdc439cba22..d837df88ae2 100644 --- a/lib/libc/db/btree/bt_open.c +++ b/lib/libc/db/btree/bt_open.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bt_open.c,v 1.13 2005/08/05 13:02:59 espie Exp $ */ +/* $OpenBSD: bt_open.c,v 1.14 2007/09/17 07:07:23 moritz Exp $ */ /*- * Copyright (c) 1990, 1993, 1994 @@ -91,7 +91,7 @@ __bt_open(const char *fname, int flags, int mode, const BTREEINFO *openinfo, DB *dbp; pgno_t ncache; ssize_t nr; - int machine_lorder; + int machine_lorder, saved_errno; t = NULL; @@ -322,13 +322,15 @@ einval: errno = EINVAL; eftype: errno = EFTYPE; goto err; -err: if (t) { +err: saved_errno = errno; + if (t) { if (t->bt_dbp) free(t->bt_dbp); if (t->bt_fd != -1) (void)close(t->bt_fd); free(t); } + errno = saved_errno; return (NULL); } @@ -385,14 +387,18 @@ static int tmp(void) { sigset_t set, oset; - int fd; + int fd, len; char *envtmp = NULL; char path[MAXPATHLEN]; if (issetugid() == 0) envtmp = getenv("TMPDIR"); - (void)snprintf(path, + len = snprintf(path, sizeof(path), "%s/bt.XXXXXX", envtmp ? envtmp : "/tmp"); + if (len < 0 || len >= sizeof(path)) { + errno = ENAMETOOLONG; + return(-1); + } (void)sigfillset(&set); (void)sigprocmask(SIG_BLOCK, &set, &oset); diff --git a/lib/libc/db/hash/hash_page.c b/lib/libc/db/hash/hash_page.c index c32e2820069..a744e689b41 100644 --- a/lib/libc/db/hash/hash_page.c +++ b/lib/libc/db/hash/hash_page.c @@ -1,4 +1,4 @@ -/* $OpenBSD: hash_page.c,v 1.17 2005/08/05 13:03:00 espie Exp $ */ +/* $OpenBSD: hash_page.c,v 1.18 2007/09/17 07:07:23 moritz Exp $ */ /*- * Copyright (c) 1990, 1993, 1994 @@ -832,13 +832,18 @@ static int open_temp(HTAB *hashp) { sigset_t set, oset; + int len; char *envtmp = NULL; char path[MAXPATHLEN]; - + if (issetugid() == 0) envtmp = getenv("TMPDIR"); - (void)snprintf(path, + len = snprintf(path, sizeof(path), "%s/_hash.XXXXXX", envtmp ? envtmp : "/tmp"); + if (len < 0 || len >= sizeof(path)) { + errno = ENAMETOOLONG; + return (-1); + } /* Block signals; make sure file goes away at process exit. */ (void)sigfillset(&set); diff --git a/lib/libc/db/hash/ndbm.c b/lib/libc/db/hash/ndbm.c index 58f2cf040a8..5e4c3655dc8 100644 --- a/lib/libc/db/hash/ndbm.c +++ b/lib/libc/db/hash/ndbm.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ndbm.c,v 1.21 2005/08/08 08:05:33 espie Exp $ */ +/* $OpenBSD: ndbm.c,v 1.22 2007/09/17 07:07:23 moritz Exp $ */ /*- * Copyright (c) 1990, 1993 @@ -189,8 +189,10 @@ _dbm_open(file, suff, flags, mode) { HASHINFO info; char path[MAXPATHLEN]; + int len; - if (strlen(file) + strlen(suff) > sizeof(path) - 1) { + len = snprintf(path, sizeof path, "%s%s", file, suff); + if (len < 0 || len >= sizeof path) { errno = ENAMETOOLONG; return (NULL); } @@ -205,7 +207,6 @@ _dbm_open(file, suff, flags, mode) info.cachesize = 0; info.hash = NULL; info.lorder = 0; - snprintf(path, sizeof path, "%s%s", file, suff); return ((DBM *)__hash_open(path, flags, mode, &info, 0)); } -- cgit v1.2.3