Fix many buffer overflows, correct usage of strcat and implement

$TAPE.  Inspired by OpenBSD's work in this area.

Reviewed by:	Peter Wemm, Guido van Rooij and Jordan Hubbard.
Obtained from: OpenBSD

3 files changed, 19 insertions, 11 deletions

diff --git a/sbin/dump/dumprmt.c b/sbin/dump/dumprmt.c
index d7d59a4..08aa485 100644
--- a/sbin/dump/dumprmt.c
+++ b/sbin/dump/dumprmt.c
@@ -219,7 +219,7 @@ rmtopen(tape, mode)
 {
 	char buf[256];
 
-	(void)sprintf(buf, "O%s\n%d\n", tape, mode);
+	(void)snprintf(buf, sizeof (buf), "O%.226s\n%d\n", tape, mode);
 	rmtstate = TS_OPEN;
 	return (rmtcall(tape, buf));
 }
@@ -243,7 +243,7 @@ rmtread(buf, count)
 	int n, i, cc;
 	extern errno;
 
-	(void)sprintf(line, "R%d\n", count);
+	(void)snprintf(line, sizeof (line), "R%d\n", count);
 	n = rmtcall("read", line);
 	if (n < 0) {
 		errno = n;
@@ -265,7 +265,7 @@ rmtwrite(buf, count)
 {
 	char line[30];
 
-	(void)sprintf(line, "W%d\n", count);
+	(void)snprintf(line, sizeof (line), "W%d\n", count);
 	write(rmtape, line, strlen(line));
 	write(rmtape, buf, count);
 	return (rmtreply("write"));
@@ -277,7 +277,7 @@ rmtwrite0(count)
 {
 	char line[30];
 
-	(void)sprintf(line, "W%d\n", count);
+	(void)snprintf(line, sizeof (line), "W%d\n", count);
 	write(rmtape, line, strlen(line));
 }
 
@@ -303,7 +303,7 @@ rmtseek(offset, pos)
 {
 	char line[80];
 
-	(void)sprintf(line, "L%d\n%d\n", offset, pos);
+	(void)snprintf(line, sizeof (line), "L%d\n%d\n", offset, pos);
 	return (rmtcall("seek", line));
 }
 
@@ -331,7 +331,7 @@ rmtioctl(cmd, count)
 
 	if (count < 0)
 		return (-1);
-	(void)sprintf(buf, "I%d\n%d\n", cmd, count);
+	(void)snprintf(buf, sizeof (buf), "I%d\n%d\n", cmd, count);
 	return (rmtcall("ioctl", buf));
 }
 
diff --git a/sbin/dump/main.c b/sbin/dump/main.c
index 481fecb..6275168 100644
--- a/sbin/dump/main.c
+++ b/sbin/dump/main.c
@@ -105,7 +105,8 @@ main(argc, argv)
 	(void)time((time_t *)&spcl.c_date);
 
 	tsize = 0;	/* Default later, based on 'c' option for cart tapes */
-	tape = _PATH_DEFTAPE;
+	if ((tape = getenv("TAPE")) == NULL)
+		tape = _PATH_DEFTAPE;
 	dumpdates = _PATH_DUMPDATES;
 	temp = _PATH_DTMP;
 	if (TP_BSIZE / DEV_BSIZE == 0 || TP_BSIZE % DEV_BSIZE != 0)
@@ -256,6 +257,10 @@ main(argc, argv)
 		tape = index(host, ':');
 		*tape++ = '\0';
 #ifdef RDUMP
+		if (index(tape, "\n") {
+		    (void)fprintf(stderr, "invalid characters in tape\n");
+		    exit(X_ABORT);
+		}
 		if (rmthost(host) == 0)
 			exit(X_ABORT);
 #else
@@ -298,6 +303,8 @@ main(argc, argv)
 		(void)strncpy(spcl.c_filesys, "an unlisted file system",
 		    NAMELEN);
 	}
+	spcl.c_dev[NAMELEN-1]='\0';
+	spcl.c_filesys[NAMELEN-1]='\0';
 	(void)strcpy(spcl.c_label, "none");
 	(void)gethostname(spcl.c_host, NAMELEN);
 	spcl.c_level = level - '0';
@@ -556,9 +563,10 @@ rawname(cp)
 		return (NULL);
 	*dp = '\0';
 	(void)strncpy(rawbuf, cp, MAXPATHLEN - 1);
+	rawbuf[MAXPATHLEN-1] = '\0';
 	*dp = '/';
-      (void)strncat(rawbuf, "/r", MAXPATHLEN-1 - strlen(rawbuf));
-      (void)strncat(rawbuf, dp + 1, MAXPATHLEN-1 - strlen(rawbuf));
+	(void)strncat(rawbuf, "/r", MAXPATHLEN - 1 - strlen(rawbuf));
+	(void)strncat(rawbuf, dp + 1, MAXPATHLEN - 1 - strlen(rawbuf));
 	return (rawbuf);
 }
 
diff --git a/sbin/dump/optr.c b/sbin/dump/optr.c
index 3c464e4..60a6796 100644
--- a/sbin/dump/optr.c
+++ b/sbin/dump/optr.c
@@ -244,13 +244,13 @@ static void
 sendmes(tty, message)
 	char *tty, *message;
 {
-	char t[50], buf[BUFSIZ];
+	char t[MAXPATHLEN], buf[BUFSIZ];
 	register char *cp;
 	int lmsg = 1;
 	FILE *f_tty;
 
 	(void) strcpy(t, _PATH_DEV);
-	(void) strcat(t, tty);
+	(void) strncat(t, tty, sizeof t - strlen(_PATH_DEV) - 1);
 
 	if ((f_tty = fopen(t, "w")) != NULL) {
 		setbuf(f_tty, buf);