From 1f6db05a7cd2ec3fc6bfec4827a19956c199bb29 Mon Sep 17 00:00:00 2001 From: Theo de Raadt Date: Fri, 1 Nov 1996 06:10:45 +0000 Subject: 40 buf oflows --- usr.sbin/timed/timed/acksend.c | 5 ++-- usr.sbin/timed/timed/candidate.c | 9 ++++-- usr.sbin/timed/timed/correct.c | 6 ++-- usr.sbin/timed/timed/master.c | 45 +++++++++++++++++++--------- usr.sbin/timed/timed/readmsg.c | 5 ++-- usr.sbin/timed/timed/slave.c | 65 ++++++++++++++++++++++++++++------------ usr.sbin/timed/timed/timed.c | 20 ++++++++----- usr.sbin/timed/timedc/cmds.c | 8 +++-- 8 files changed, 111 insertions(+), 52 deletions(-) (limited to 'usr.sbin') diff --git a/usr.sbin/timed/timed/acksend.c b/usr.sbin/timed/timed/acksend.c index 15e5d7155d0..aae477e42d7 100644 --- a/usr.sbin/timed/timed/acksend.c +++ b/usr.sbin/timed/timed/acksend.c @@ -36,7 +36,7 @@ static char sccsid[] = "@(#)acksend.c 5.1 (Berkeley) 5/11/93"; #endif /* not lint */ #ifdef sgi -#ident "$Revision: 1.1 $" +#ident "$Revision: 1.2 $" #endif #include "globals.h" @@ -56,7 +56,8 @@ xmit(int type, msg.tsp_type = type; msg.tsp_seq = seq; msg.tsp_vers = TSPVERSION; - (void)strcpy(msg.tsp_name, hostname); + (void)strncpy(msg.tsp_name, hostname, sizeof msg.tsp_name-1); + msg.tsp_name[sizeof msg.tsp_name-1] = '\0'; bytenetorder(&msg); if (sendto(sock, (char *)&msg, sizeof(struct tsp), 0, (struct sockaddr*)addr, sizeof(struct sockaddr)) < 0) { diff --git a/usr.sbin/timed/timed/candidate.c b/usr.sbin/timed/timed/candidate.c index da7016feb54..1fe531dbfe7 100644 --- a/usr.sbin/timed/timed/candidate.c +++ b/usr.sbin/timed/timed/candidate.c @@ -36,7 +36,7 @@ static char sccsid[] = "@(#)candidate.c 5.1 (Berkeley) 5/11/93"; #endif /* not lint */ #ifdef sgi -#ident "$Revision: 1.1 $" +#ident "$Revision: 1.2 $" #endif #include "globals.h" 
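Review bot: In xmit() (acksend.c, hunk @@ -56,7 +56,8) the bounded copy is written out by hand as a `strncpy` call plus a separate terminator assignment, and the same pair is repeated in every later hunk of this patch (candidate.c, correct.c, master.c, readmsg.c, slave.c, timed.c, timedc/cmds.c), so one mistyped buffer name inside a `sizeof` would bring the overflow back unnoticed. A small shared macro, for example `#define NAMECPY(dst, src) (strncpy((dst), (src), sizeof(dst) - 1), (dst)[sizeof(dst) - 1] = '\0')` (name is only a suggestion; valid only where `dst` is an array, not a pointer), would keep destination and size tied together. The copy also truncates an over-long `hostname` silently, so the name placed in the outgoing message may no longer match what peers expect; a one-time length check with a syslog message at startup would make that visible. xmit()'s body starts and ends outside the hunk.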
@@ -80,7 +80,8 @@ again: fprintf(fd, "This machine is a candidate time master\n"); msg.tsp_type = TSP_ELECTION; msg.tsp_vers = TSPVERSION; - (void)strcpy(msg.tsp_name, hostname); + (void)strncpy(msg.tsp_name, hostname, sizeof msg.tsp_name-1); + msg.tsp_name[sizeof msg.tsp_name-1] = '\0'; bytenetorder(&msg); if (sendto(sock, (char *)&msg, sizeof(struct tsp), 0, (struct sockaddr*)&net->dest_addr, @@ -139,7 +140,9 @@ again: /* no master for another round */ htp = addmach(resp->tsp_name,&from,fromnet); msg.tsp_type = TSP_REFUSE; - (void)strcpy(msg.tsp_name, hostname); + (void)strncpy(msg.tsp_name, hostname, + sizeof msg.tsp_name-1); + msg.tsp_name[sizeof msg.tsp_name-1] = '\0'; answer = acksend(&msg, &htp->addr, htp->name, TSP_ACK, 0, htp->noanswer); if (!answer) { diff --git a/usr.sbin/timed/timed/correct.c b/usr.sbin/timed/timed/correct.c index 701b57605cb..5c6a8e2861a 100644 --- a/usr.sbin/timed/timed/correct.c +++ b/usr.sbin/timed/timed/correct.c @@ -36,7 +36,7 @@ static char sccsid[] = "@(#)correct.c 5.1 (Berkeley) 5/11/93"; #endif /* not lint */ #ifdef sgi -#ident "$Revision: 1.2 $" +#ident "$Revision: 1.3 $" #endif #include "globals.h" @@ -89,7 +89,9 @@ correct(long avdelta) to.tsp_time.tv_usec = tmptv.tv_usec; to.tsp_type = TSP_ADJTIME; } - (void)strcpy(to.tsp_name, hostname); + (void)strncpy(to.tsp_name, hostname, + sizeof to.tsp_name-1); + to.tsp_name[sizeof to.tsp_name-1] = '\0'; answer = acksend(&to, &htp->addr, htp->name, TSP_ACK, 0, 0); if (!answer) { diff --git a/usr.sbin/timed/timed/master.c b/usr.sbin/timed/timed/master.c index 0a5a60b5d36..a1c5615c0b8 100644 --- a/usr.sbin/timed/timed/master.c +++ b/usr.sbin/timed/timed/master.c @@ -1,4 +1,4 @@ -/* $OpenBSD: master.c,v 1.3 1996/07/28 06:04:09 downsj Exp $ */ +/* $OpenBSD: master.c,v 1.4 1996/11/01 06:10:41 deraadt Exp $ */ /*- * Copyright (c) 1985, 1993 The Regents of the University of California. 
@@ -38,7 +38,7 @@ static char sccsid[] = "@(#)master.c 5.1 (Berkeley) 5/11/93"; #endif /* not lint */ #ifdef sgi -#ident "$Revision: 1.3 $" +#ident "$Revision: 1.4 $" #endif #include "globals.h" @@ -156,7 +156,9 @@ loop: to.tsp_vers = TSPVERSION; to.tsp_seq = sequence++; to.tsp_hopcnt = MAX_HOPCNT; - (void)strcpy(to.tsp_name, hostname); + (void)strncpy(to.tsp_name, hostname, + sizeof to.tsp_name-1); + to.tsp_name[sizeof to.tsp_name-1] = '\0'; bytenetorder(&to); if (sendto(sock, (char *)&to, sizeof(struct tsp), 0, @@ -186,7 +188,8 @@ loop: (void)cftime(newdate, "%D %T", &msg->tsp_time.tv_sec); #else tmpt = msg->tsp_time.tv_sec; - (void)strcpy(newdate, ctime(&tmpt)); + (void)strncpy(newdate, ctime(&tmpt), sizeof newdate-1); + newdate[sizeof newdate-1] = '\0'; #endif /* sgi */ if (!good_host_name(msg->tsp_name)) { syslog(LOG_NOTICE, @@ -208,7 +211,8 @@ loop: (void)cftime(newdate, "%D %T", &msg->tsp_time.tv_sec); #else tmpt = msg->tsp_time.tv_sec; - (void)strcpy(newdate, ctime(&tmpt)); + (void)strncpy(newdate, ctime(&tmpt), sizeof newdate-1); + newdate[sizeof newdate-1] = '\0'; #endif /* sgi */ htp = findhost(msg->tsp_name); if (htp == 0) { @@ -256,9 +260,12 @@ loop: (void)addmach(msg->tsp_name, &from,fromnet); } taddr = from; - (void)strcpy(tname, msg->tsp_name); + (void)strncpy(tname, msg->tsp_name, sizeof tname-1); + tname[sizeof tname-1] = '\0'; to.tsp_type = TSP_QUIT; - (void)strcpy(to.tsp_name, hostname); + (void)strncpy(to.tsp_name, hostname, + sizeof to.tsp_name-1); + to.tsp_name[sizeof to.tsp_name-1] = '\0'; answer = acksend(&to, &taddr, tname, TSP_ACK, 0, 1); if (answer == NULL) { @@ -275,7 +282,9 @@ loop: */ if (!fromnet || fromnet->status != MASTER) break; - (void)strcpy(to.tsp_name, hostname); + (void)strncpy(to.tsp_name, hostname, + sizeof to.tsp_name-1); + to.tsp_name[sizeof to.tsp_name-1] = '\0'; /* The other master often gets into the same state, * with boring results if we stay at it forever. 
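Review bot: In the two `#else` branches of master.c (hunks @@ -186,7 +188,8 and @@ -208,7 +211,8) the result of `ctime(&tmpt)` is passed straight to `strncpy` without a NULL check, and `tmpt` is loaded from `msg->tsp_time.tv_sec`, which appears to be a value carried in a received message. ctime() is permitted to return NULL when the time cannot be represented, in which case the copy would dereference a null pointer. The same pattern is in slave.c hunks @@ -268,9 +270,11, @@ -364,7 +368,8 and @@ -376,7 +381,8. With a local `char *cp`, the copy could become `cp = ctime(&tmpt);` followed by `(void)strncpy(newdate, cp ? cp : "unknown date\n", sizeof newdate-1);`. The enclosing function continues outside these hunks.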
@@ -283,7 +292,9 @@ loop: ntp = fromnet; /* (acksend() can leave fromnet=0 */ for (i = 0; i < 3; i++) { to.tsp_type = TSP_RESOLVE; - (void)strcpy(to.tsp_name, hostname); + (void)strncpy(to.tsp_name, hostname, + sizeof to.tsp_name-1); + to.tsp_name[sizeof to.tsp_name-1] = '\0'; answer = acksend(&to, &ntp->dest_addr, ANYADDR, TSP_MASTERACK, ntp, 0); @@ -328,7 +339,9 @@ loop: */ htp = addmach(msg->tsp_name, &from,fromnet); to.tsp_type = TSP_QUIT; - (void)strcpy(to.tsp_name, hostname); + (void)strncpy(to.tsp_name, hostname, + sizeof to.tsp_name-1); + to.tsp_name[sizeof to.tsp_name-1] = '\0'; answer = acksend(&to, &htp->addr, htp->name, TSP_ACK, 0, 1); if (!answer) { @@ -371,11 +384,13 @@ mchgdate(struct tsp *msg) char olddate[32]; struct timeval otime, ntime, tmptv; - (void)strcpy(tname, msg->tsp_name); + (void)strncpy(tname, msg->tsp_name, sizeof tname-1); + tname[sizeof tname-1] = '\0'; xmit(TSP_DATEACK, msg->tsp_seq, &from); - (void)strcpy(olddate, date()); + (void)strncpy(olddate, date(), sizeof olddate-1); + olddate[sizeof olddate-1] = '\0'; /* adjust time for residence on the queue */ (void)gettimeofday(&otime, 0); @@ -512,7 +527,8 @@ spreadtime() dictate = 2; for (htp = self.l_fwd; htp != &self; htp = htp->l_fwd) { to.tsp_type = TSP_SETTIME; - (void)strcpy(to.tsp_name, hostname); + (void)strncpy(to.tsp_name, hostname, sizeof to.tsp_name-1); + to.tsp_name[sizeof to.tsp_name-1] = '\0'; (void)gettimeofday(&tmptv, 0); to.tsp_time.tv_sec = tmptv.tv_sec; to.tsp_time.tv_usec = tmptv.tv_usec; @@ -791,7 +807,8 @@ newslave(struct tsp *msg) if (now.tv_sec >= fromnet->slvwait.tv_sec+3 || now.tv_sec < fromnet->slvwait.tv_sec) { to.tsp_type = TSP_SETTIME; - (void)strcpy(to.tsp_name, hostname); + (void)strncpy(to.tsp_name, hostname, sizeof to.tsp_name-1); + to.tsp_name[sizeof to.tsp_name-1] = '\0'; (void)gettimeofday(&tmptv, 0); to.tsp_time.tv_sec = tmptv.tv_sec; to.tsp_time.tv_usec = tmptv.tv_usec; 
diff --git a/usr.sbin/timed/timed/readmsg.c b/usr.sbin/timed/timed/readmsg.c index 2c3d52024f7..dc6a729bb3b 100644 --- a/usr.sbin/timed/timed/readmsg.c +++ b/usr.sbin/timed/timed/readmsg.c @@ -36,7 +36,7 @@ static char sccsid[] = "@(#)readmsg.c 5.1 (Berkeley) 5/11/93"; #endif /* not lint */ #ifdef sgi -#ident "$Revision: 1.1 $" +#ident "$Revision: 1.2 $" #endif #include "globals.h" @@ -390,7 +390,8 @@ masterack() resp = msgin; resp.tsp_vers = TSPVERSION; - (void)strcpy(resp.tsp_name, hostname); + (void)strncpy(resp.tsp_name, hostname, sizeof resp.tsp_name-1); + resp.tsp_name[sizeof resp.tsp_name-1] = '\0'; switch(msgin.tsp_type) { diff --git a/usr.sbin/timed/timed/slave.c b/usr.sbin/timed/timed/slave.c index 331da53706d..545f797f783 100644 --- a/usr.sbin/timed/timed/slave.c +++ b/usr.sbin/timed/timed/slave.c @@ -1,4 +1,4 @@ -/* $OpenBSD: slave.c,v 1.3 1996/07/28 06:04:10 downsj Exp $ */ +/* $OpenBSD: slave.c,v 1.4 1996/11/01 06:10:42 deraadt Exp $ */ /*- * Copyright (c) 1985, 1993 The Regents of the University of California. @@ -38,7 +38,7 @@ static char sccsid[] = "@(#)slave.c 5.1 (Berkeley) 5/11/93"; #endif /* not lint */ #ifdef sgi -#ident "$Revision: 1.3 $" +#ident "$Revision: 1.4 $" #endif #include "globals.h" @@ -51,7 +51,7 @@ extern int justquit; extern u_short sequence; -static char master_name[MAXHOSTNAMELEN+1]; +static char master_name[MAXHOSTNAMELEN]; static struct netinfo *old_slavenet; static int old_status; @@ -154,7 +154,9 @@ loop: to.tsp_vers = TSPVERSION; to.tsp_seq = sequence++; to.tsp_hopcnt = MAX_HOPCNT; - (void)strcpy(to.tsp_name, hostname); + (void)strncpy(to.tsp_name, hostname, + sizeof to.tsp_name-1); + to.tsp_name[sizeof to.tsp_name-1] = '\0'; bytenetorder(&to); if (sendto(sock, (char *)&to, sizeof(struct tsp), 0, (struct sockaddr*)&ntp->dest_addr, 
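Review bot: In slave.c hunk @@ -51,7 +51,7 `master_name` shrinks from `MAXHOSTNAMELEN+1` to `MAXHOSTNAMELEN` bytes, and timed.c hunk @@ -92,7 +92,7 does the same to `goodhost.name`, yet the only writer of either buffer visible in this patch is the `strncpy` in setmaster(). Any other code that fills `master_name` or `goodhost.name` with a bound derived from the old size would now write one byte past the array, so each writer should be confirmed to use `sizeof` of the destination and to terminate the string. A comment on the declarations would record the rule, e.g. `/* all copies must be bounded by sizeof master_name-1 and terminated */`.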
@@ -268,9 +270,11 @@ loop: * the following line is necessary due to syslog * calling ctime() which clobbers the static buffer */ - (void)strcpy(olddate, date()); + (void)strncpy(olddate, date(), sizeof olddate-1); + olddate[sizeof olddate-1] = '\0'; tmpt = msg->tsp_time.tv_sec; - (void)strcpy(newdate, ctime(&tmpt)); + (void)strncpy(newdate, ctime(&tmpt), sizeof newdate-1); + newdate[sizeof newdate-1] = '\0'; #endif /* sgi */ if (!good_host_name(msg->tsp_name)) { @@ -364,7 +368,8 @@ loop: (void)cftime(newdate, "%D %T", &msg->tsp_time.tv_sec); #else tmpt = msg->tsp_time.tv_sec; - (void)strcpy(newdate, ctime(&tmpt)); + (void)strncpy(newdate, ctime(&tmpt), sizeof newdate-1); + newdate[sizeof newdate-1] = '\0'; #endif /* sgi */ schgdate(msg, newdate); break; @@ -376,7 +381,8 @@ loop: (void)cftime(newdate, "%D %T", &msg->tsp_time.tv_sec); #else tmpt = msg->tsp_time.tv_sec; - (void)strcpy(newdate, ctime(&tmpt)); + (void)strncpy(newdate, ctime(&tmpt), sizeof newdate-1); + newdate[sizeof newdate-1] = '\0'; #endif /* sgi */ htp = findhost(msg->tsp_name); if (0 == htp) { @@ -430,8 +436,12 @@ loop: refusetime = ntime.tv_sec + 30; } taddr = from; - (void)strcpy(tname, msg->tsp_name); - (void)strcpy(to.tsp_name, hostname); + (void)strncpy(tname, msg->tsp_name, + sizeof tname-1); + tname[sizeof tname-1] = '\0'; + (void)strncpy(to.tsp_name, hostname, + sizeof to.tsp_name-1); + to.tsp_name[sizeof to.tsp_name-1] = '\0'; answerdelay(); if (!acksend(&to, &taddr, tname, TSP_ACK, 0, 0)) @@ -442,7 +452,9 @@ loop: } else { /* fromnet->status == MASTER */ htp = addmach(msg->tsp_name, &from,fromnet); to.tsp_type = TSP_QUIT; - (void)strcpy(to.tsp_name, hostname); + (void)strncpy(to.tsp_name, hostname, + sizeof to.tsp_name-1); + to.tsp_name[sizeof to.tsp_name-1] = '\0'; if (!acksend(&to, &htp->addr, htp->name, TSP_ACK, 0, htp->noanswer)) { syslog(LOG_ERR, 
@@ -461,7 +473,9 @@ loop: * more than one master: the first slave to * come up will notify here the situation. */ - (void)strcpy(to.tsp_name, hostname); + (void)strncpy(to.tsp_name, hostname, + sizeof to.tsp_name-1); + to.tsp_name[sizeof to.tsp_name-1] = '\0'; /* The other master often gets into the same state, * with boring results. @@ -495,7 +509,9 @@ loop: to.tsp_type = TSP_MSITEREQ; to.tsp_vers = TSPVERSION; to.tsp_seq = 0; - (void)strcpy(to.tsp_name, hostname); + (void)strncpy(to.tsp_name, hostname, + sizeof to.tsp_name-1); + to.tsp_name[sizeof to.tsp_name-1] = '\0'; answer = acksend(&to, &slavenet->dest_addr, ANYADDR, TSP_ACK, slavenet, 0); @@ -503,7 +519,9 @@ loop: && good_host_name(answer->tsp_name)) { setmaster(answer); to.tsp_type = TSP_ACK; - (void)strcpy(to.tsp_name, answer->tsp_name); + (void)strncpy(to.tsp_name, answer->tsp_name, + sizeof to.tsp_name-1); + to.tsp_name[sizeof to.tsp_name-1] = '\0'; bytenetorder(&to); if (sendto(sock, (char *)&to, sizeof(struct tsp), 0, @@ -552,9 +570,13 @@ loop: if (answer == NULL) break; taddr = from; - (void)strcpy(tname, answer->tsp_name); + (void)strncpy(tname, answer->tsp_name, + sizeof tname-1); + tname[sizeof tname-1] = '\0'; to.tsp_type = TSP_QUIT; - (void)strcpy(to.tsp_name, hostname); + (void)strncpy(to.tsp_name, hostname, + sizeof to.tsp_name-1); + to.tsp_name[sizeof to.tsp_name-1] = '\0'; if (!acksend(&to, &taddr, tname, TSP_ACK, 0, 1)) { syslog(LOG_ERR, @@ -607,7 +629,9 @@ loop: htp = addmach(answer->tsp_name, &from,ntp); to.tsp_type = TSP_QUIT; - (void)strcpy(to.tsp_name, hostname); + (void)strncpy(to.tsp_name, hostname, + sizeof to.tsp_name-1); + to.tsp_name[sizeof to.tsp_name-1] = '\0'; if (!acksend(&to,&htp->addr,htp->name, TSP_ACK, 0, htp->noanswer)) { syslog(LOG_ERR, 
@@ -642,7 +666,9 @@ setmaster(struct tsp *msg) && (slavenet != old_slavenet || strcmp(msg->tsp_name, master_name) || old_status != status)) { - (void)strcpy(master_name, msg->tsp_name); + (void)strncpy(master_name, msg->tsp_name, + sizeof master_name-1); + master_name[sizeof master_name-1] = '\0'; old_slavenet = slavenet; old_status = status; @@ -688,7 +714,8 @@ schgdate(struct tsp *msg, char *newdate) to.tsp_type = TSP_SETDATEREQ; to.tsp_time = msg->tsp_time; - (void)strcpy(to.tsp_name, hostname); + (void)strncpy(to.tsp_name, hostname, sizeof to.tsp_name-1); + to.tsp_name[sizeof to.tsp_name-1] = '\0'; if (!acksend(&to, &slavenet->dest_addr, ANYADDR, TSP_DATEACK, slavenet, 0)) diff --git a/usr.sbin/timed/timed/timed.c b/usr.sbin/timed/timed/timed.c index d568223171e..a0ea90708fa 100644 --- a/usr.sbin/timed/timed/timed.c +++ b/usr.sbin/timed/timed/timed.c @@ -42,7 +42,7 @@ static char sccsid[] = "@(#)timed.c 5.1 (Berkeley) 5/11/93"; #endif /* not lint */ #ifdef sgi -#ident "$Revision: 1.2 $" +#ident "$Revision: 1.3 $" #endif /* sgi */ #define TSPTYPES @@ -92,7 +92,7 @@ static struct nets { struct hosttbl hosttbl[NHOSTS+1]; /* known hosts */ static struct goodhost { /* hosts that we trust */ - char name[MAXHOSTNAMELEN+1]; + char name[MAXHOSTNAMELEN]; struct goodhost *next; char perm; } *goodhosts; @@ -589,7 +589,8 @@ suppress(struct sockaddr_in *addr, if (trace) fprintf(fd, "suppress: %s\n", name); tgt = *addr; - (void)strcpy(tname, name); + (void)strncpy(tname, name, sizeof tname-1); + tname[sizeof tname-1] = '\0'; while (0 != readmsg(TSP_ANY, ANYADDR, &wait, net)) { if (trace) @@ -599,7 +600,8 @@ suppress(struct sockaddr_in *addr, syslog(LOG_NOTICE, "suppressing false master %s", tname); msg.tsp_type = TSP_QUIT; - (void)strcpy(msg.tsp_name, hostname); + (void)strncpy(msg.tsp_name, hostname, sizeof msg.tsp_name-1); + msg.tsp_name[sizeof msg.tsp_name-1] = '\0'; (void)acksend(&msg, &tgt, tname, TSP_ACK, 0, 1); } 
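Review bot: In setmaster() (slave.c hunk @@ -642,7 +666,9) the copy is now bounded, but the context line just above it still calls `strcmp(msg->tsp_name, master_name)` on a name field taken from a message, with no length limit. If nothing earlier guarantees that `tsp_name` is NUL-terminated (the receive path is not in this diff), the comparison can read past the end of the field; `strncmp(msg->tsp_name, master_name, sizeof msg->tsp_name)` would bound it. The same applies to `strcmp(answer->tsp_name, mastername)` in lookformaster() (timed.c hunk @@ -689,7 +693,9). setmaster()'s body extends outside the hunk.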
@@ -616,7 +618,8 @@ lookformaster(struct netinfo *ntp) /* look for master */ resp.tsp_type = TSP_MASTERREQ; - (void)strcpy(resp.tsp_name, hostname); + (void)strncpy(resp.tsp_name, hostname, sizeof resp.tsp_name-1); + resp.tsp_name[sizeof resp.tsp_name-1] = '\0'; answer = acksend(&resp, &ntp->dest_addr, ANYADDR, TSP_MASTERACK, ntp, 0); if (answer != 0 && !good_host_name(answer->tsp_name)) { @@ -671,7 +674,8 @@ lookformaster(struct netinfo *ntp) } ntp->status = SLAVE; - (void)strcpy(mastername, answer->tsp_name); + (void)strncpy(mastername, answer->tsp_name, sizeof mastername-1); + mastername[sizeof mastername-1] = '\0'; masteraddr = from; /* @@ -689,7 +693,9 @@ lookformaster(struct netinfo *ntp) if (answer != NULL && strcmp(answer->tsp_name, mastername) != 0) { conflict.tsp_type = TSP_CONFLICT; - (void)strcpy(conflict.tsp_name, hostname); + (void)strncpy(conflict.tsp_name, hostname, + sizeof conflict.tsp_name-1); + conflict.tsp_name[sizeof conflict.tsp_name-1] = '\0'; if (!acksend(&conflict, &masteraddr, mastername, TSP_ACK, 0, 0)) { syslog(LOG_ERR, diff --git a/usr.sbin/timed/timedc/cmds.c b/usr.sbin/timed/timedc/cmds.c index 9c1d8dd11d8..fa6e8ca1c53 100644 --- a/usr.sbin/timed/timedc/cmds.c +++ b/usr.sbin/timed/timedc/cmds.c @@ -36,7 +36,7 @@ static char sccsid[] = "@(#)cmds.c 5.1 (Berkeley) 5/11/93"; #endif /* not lint */ #ifdef sgi -#ident "$Revision: 1.2 $" +#ident "$Revision: 1.3 $" #endif #include "timedc.h" @@ -306,7 +306,8 @@ msite(int argc, char *argv[]) } bcopy(hp->h_addr, &dest.sin_addr.s_addr, hp->h_length); - (void)strcpy(msg.tsp_name, myname); + (void)strncpy(msg.tsp_name, myname, sizeof msg.tsp_name-1); + msg.tsp_name[sizeof msg.tsp_name-1] = '\0'; msg.tsp_type = TSP_MSITE; msg.tsp_vers = TSPVERSION; bytenetorder(&msg); 
@@ -445,7 +446,8 @@ tracing(int argc, char *argv[]) onflag = OFF; } - (void)strcpy(msg.tsp_name, myname); + (void)strncpy(msg.tsp_name, myname, sizeof msg.tsp_name-1); + msg.tsp_name[sizeof msg.tsp_name-1] = '\0'; msg.tsp_vers = TSPVERSION; bytenetorder(&msg); if (sendto(sock, &msg, sizeof(struct tsp), 0, -- cgit v1.2.3