diff options
| author | guido <guido@FreeBSD.org> | 1997-01-01 14:08:47 +0000 |
|---|---|---|
| committer | guido <guido@FreeBSD.org> | 1997-01-01 14:08:47 +0000 |
| commit | 07e783bc3eb2bb61a692e734cf205be502266408 (patch) | |
| tree | 9d2e2a69b3a8d19bb2eb7f63181668f968c36e59 | |
| parent | 01876569b2445fed76ab3d84c1704e73ad519d13 (diff) | |
| download | FreeBSD-src-07e783bc3eb2bb61a692e734cf205be502266408.zip FreeBSD-src-07e783bc3eb2bb61a692e734cf205be502266408.tar.gz | |
Yet another buffer overflow.
2.2 candidate
(and -stable too actually, who does that?)
Reviewed by: Warner Losh
| -rw-r--r-- | sbin/restore/extern.h | 2 | ||||
| -rw-r--r-- | sbin/restore/interactive.c | 14 | ||||
| -rw-r--r-- | sbin/restore/main.c | 4 | ||||
| -rw-r--r-- | sbin/restore/tape.c | 8 |
4 files changed, 19 insertions, 9 deletions
diff --git a/sbin/restore/extern.h b/sbin/restore/extern.h index 0f64402..c82f997 100644 --- a/sbin/restore/extern.h +++ b/sbin/restore/extern.h @@ -36,7 +36,7 @@ struct entry *addentry __P((char *, ino_t, int)); long addfile __P((char *, ino_t, int)); void badentry __P((struct entry *, char *)); -void canon __P((char *, char *)); +void canon __P((char *, char *, int)); void checkrestore __P((void)); void closemt __P((void)); void createfiles __P((void)); diff --git a/sbin/restore/interactive.c b/sbin/restore/interactive.c index 1b9616c..d2158e4 100644 --- a/sbin/restore/interactive.c +++ b/sbin/restore/interactive.c @@ -109,7 +109,7 @@ runcmdshell() arglist.glob.gl_closedir = (void *)rst_closedir; arglist.glob.gl_lstat = glob_stat; arglist.glob.gl_stat = glob_stat; - canon("/", curdir); + canon("/", curdir, sizeof(curdir)); loop: if (setjmp(reset) != 0) { if (arglist.freeglob != 0) { @@ -357,7 +357,7 @@ getnext: * If it is an absolute pathname, canonicalize it and return it. */ if (rawname[0] == '/') { - canon(rawname, name); + canon(rawname, name, sizeof(name)); } else { /* * For relative pathnames, prepend the current directory to @@ -366,7 +366,7 @@ getnext: (void) strcpy(output, curdir); (void) strcat(output, "/"); (void) strcat(output, rawname); - canon(output, name); + canon(output, name, sizeof(name)); } if (glob(name, GLOB_ALTDIRFUNC, NULL, &ap->glob) < 0) fprintf(stderr, "%s: out of memory\n", ap->cmd); @@ -438,8 +438,9 @@ copynext(input, output) * remove any imbedded "." and ".." components. */ void -canon(rawname, canonname) +canon(rawname, canonname, len) char *rawname, *canonname; + int len; { register char *cp, *np; @@ -449,6 +450,11 @@ canon(rawname, canonname) (void) strcpy(canonname, "."); else (void) strcpy(canonname, "./"); + if (strlen(canonname) + strlen(rawname) >= len) { + fprintf(stderr, "canonname: not enough bufferspace\n"); + done(1); + } + (void) strcat(canonname, rawname); /* * Eliminate multiple and trailing '/'s diff --git a/sbin/restore/main.c b/sbin/restore/main.c index a459945..c2c804f 100644 --- a/sbin/restore/main.c +++ b/sbin/restore/main.c @@ -239,7 +239,7 @@ main(argc, argv) extractdirs(0); initsymtable((char *)0); while (argc--) { - canon(*argv++, name); + canon(*argv++, name, sizeof(name)); ino = dirlookup(name); if (ino == 0) continue; @@ -254,7 +254,7 @@ main(argc, argv) extractdirs(1); initsymtable((char *)0); while (argc--) { - canon(*argv++, name); + canon(*argv++, name, sizeof(name)); ino = dirlookup(name); if (ino == 0) continue; diff --git a/sbin/restore/tape.c b/sbin/restore/tape.c index 7aae76d..51a1ac5 100644 --- a/sbin/restore/tape.c +++ b/sbin/restore/tape.c @@ -63,7 +63,7 @@ static char sccsid[] = "@(#)tape.c 8.3 (Berkeley) 4/1/94"; static long fssize = MAXBSIZE; static int mt = -1; static int pipein = 0; -static char magtape[BUFSIZ]; +static char *magtape; static int blkcnt; static int numtrec; static char *tapebuf; @@ -146,7 +146,11 @@ setinput(source) pipein++; } setuid(getuid()); /* no longer need or want root privileges */ - (void) strcpy(magtape, source); + magtape = strdup(source); + if (magtape == NULL) { + fprintf(stderr, "Cannot allocate space for magtape buffer\n"); + done(1); + } } void |
