Examine all occurrences of sprintf(), strcat(), and str[n]cpy()

for possible buffer overflow problems. Replaced most sprintf()'s
with snprintf(); for others cases, added terminating NUL bytes where
appropriate, replaced constants like "16" with sizeof(), etc.

These changes include several bug fixes, but most changes are for
maintainability's sake. Any instance where it wasn't "immediately
obvious" that a buffer overflow could not occur was made safer.

Reviewed by:	Bruce Evans <bde@zeta.org.au>
Reviewed by:	Matthew Dillon <dillon@apollo.backplane.com>
Reviewed by:	Mike Spengler <mks@networkcs.com>

1 files changed, 4 insertions, 3 deletions

diff --git a/sys/cam/scsi/scsi_cd.c b/sys/cam/scsi/scsi_cd.c
index 9c6ddb6..8f6fb31 100644
--- a/sys/cam/scsi/scsi_cd.c
+++ b/sys/cam/scsi/scsi_cd.c
@@ -24,7 +24,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- *      $Id: scsi_cd.c,v 1.8 1998/10/22 22:16:56 ken Exp $
+ *      $Id: scsi_cd.c,v 1.9 1998/11/22 23:44:46 ken Exp $
  */
 /*
  * Portions of this driver taken from the original FreeBSD cd driver.
@@ -1691,7 +1691,7 @@ cddone(struct cam_periph *periph, union ccb *done_ccb)
 
 		if ((csio->ccb_h.status & CAM_STATUS_MASK) == CAM_REQ_CMP) {
 
-			sprintf(announce_buf,
+			snprintf(announce_buf, sizeof(announce_buf),
 				"cd present [%lu x %lu byte records]",
 				cdp->disksize, (u_long)cdp->blksize);
 
@@ -1759,7 +1759,8 @@ cddone(struct cam_periph *periph, union ccb *done_ccb)
 				if ((have_sense)
 				 && ((asc == 0x3a) || (asc == 0x04))
 				 && (error_code == SSD_CURRENT_ERROR))
-					sprintf(announce_buf, 
+					snprintf(announce_buf,
+					    sizeof(announce_buf),
 						"Attempt to query device "
 						"size failed: %s, %s",
 						scsi_sense_key_text[sense_key],