From c9febda8a0c3f0aad7c4eeae04fc98afb6d13da1 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Thu, 13 Feb 2003 17:22:02 +0000
Subject: Fix loop invariants in rmremote(). Reported by Arne Woerner in PR 3084; different fix used. Hopefully this makes the code in question easier to read. deraadt@ henric@ OK
---
 usr.sbin/lpr/common_source/rmjob.c | 35 ++++++++++++++++++++++++-----------
 1 file changed, 24 insertions(+), 11 deletions(-)
(limited to 'usr.sbin')
diff --git a/usr.sbin/lpr/common_source/rmjob.c b/usr.sbin/lpr/common_source/rmjob.c
index 1e7f13dbd56..041c98129be 100644
--- a/usr.sbin/lpr/common_source/rmjob.c
+++ b/usr.sbin/lpr/common_source/rmjob.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rmjob.c,v 1.14 2002/06/08 01:53:43 millert Exp $ */
+/* $OpenBSD: rmjob.c,v 1.15 2003/02/13 17:22:01 millert Exp $ */
 /* $NetBSD: rmjob.c,v 1.16 2000/04/16 14:43:58 mrg Exp $ */
 /*
@@ -38,7 +38,7 @@
 #if 0
 static const char sccsid[] = "@(#)rmjob.c 8.2 (Berkeley) 4/28/95";
 #else
-static const char rcsid[] = "$OpenBSD: rmjob.c,v 1.14 2002/06/08 01:53:43 millert Exp $";
+static const char rcsid[] = "$OpenBSD: rmjob.c,v 1.15 2003/02/13 17:22:01 millert Exp $";
 #endif
 #endif /* not lint */
@@ -333,6 +333,7 @@ rmremote(void)
 {
 char *cp;
 int i, rem;
+ size_t n;
 char buf[BUFSIZ];
 if (!remote)
@@ -344,18 +345,26 @@ rmremote(void)
 */
 fflush(stdout);
- (void)snprintf(buf, sizeof(buf)-2, "\5%s %s", RP, all ? "-all" : person);
- cp = buf + strlen(buf);
- for (i = 0; i < users && cp-buf+1+strlen(user[i]) < sizeof buf - 2; i++) {
- cp += strlen(cp);
+ /* the trailing space will be replaced with a newline later */
+ n = snprintf(buf, sizeof(buf), "\5%s %s ", RP, all ? "-all" : person);
+ if (n == -1 || n >= sizeof(buf))
+ goto bad;
+ cp = buf + n;
+ for (i = 0; i < users; i++) {
+ n = strlcpy(cp, user[i], sizeof(buf) - (cp - buf + 1));
+ if (n >= sizeof(buf) - (cp - buf + 1))
+ goto bad;
+ cp += n;
 *cp++ = ' ';
- strcpy(cp, user[i]);
 }
- for (i = 0; i < requests && cp-buf+10 < sizeof(buf) - 2; i++) {
- cp += strlen(cp);
- (void)sprintf(cp, " %d", requ[i]);
+ *cp = '\0';
+ for (i = 0; i < requests; i++) {
+ n = snprintf(cp, sizeof(buf) - (cp - buf), "%d ", requ[i]);
+ if (n == -1 || n >= sizeof(buf) - (cp - buf))
+ goto bad;
+ cp += n;
 }
- strcat(cp, "\n");
+ cp[-1] = '\n'; /* replace space with newline, leave the NUL */
 rem = getport(RM, 0);
 if (rem < 0) {
 if (from != host)
@@ -380,6 +389,10 @@ rmremote(void)
 (void)sigaction(SIGALRM, &osa, NULL);
 (void)close(rem);
 }
+ return;
+bad:
+ printf("remote buffer too large\n");
+ return;
 }
 static void
-- cgit v1.2.3
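Review bot: Both snprintf() results in this hunk are stored in `n`, which the previous hunk declares as `size_t`, so each `n == -1` test only works because -1 is converted to SIZE_MAX, and it is then already covered by the `>=` test next to it. Keeping the return value in an `int` makes the error case explicit and removes the signed/unsigned comparison, e.g. `len = snprintf(buf, sizeof(buf), ...);` followed by `if (len < 0 || (size_t)len >= sizeof(buf)) goto bad;`, and likewise in the `requ[i]` loop. The remaining-space expression `sizeof(buf) - (cp - buf + 1)` is also written out twice per strlcpy() call; a local such as `left = sizeof(buf) - (cp - buf) - 1;` would keep the size passed and the size tested from drifting apart in a later edit. rmremote() starts and ends outside this hunk.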
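Review bot: The new `bad:` path returns exactly as the success path does, and since rmremote() is void the caller cannot tell that no request was sent; the only trace is a printf() whose text, "remote buffer too large", names the buffer rather than the request that did not fit in it. A comment at the label would record the behaviour change for the next reader, for example `/* request did not fit in buf: nothing is sent to the remote host */`, and a wording closer to the cause, such as `printf("remote removal request too long\n");`, would be easier to act on. Whether callers need to see the failure cannot be judged from this hunk, because the function's callers are outside it.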