authorarchie <archie@FreeBSD.org>1998-12-04 22:54:57 +0000
committerarchie <archie@FreeBSD.org>1998-12-04 22:54:57 +0000
commit982e80577dd08945aa2345ebe35e3f50eef9eb48 (patch)
treee21ff4cbfbcb4097c6cc444d68ddd9a3fd37837f /sys/cam
parent707b8f68aa118c7396f2a2633751e32477d9ed08 (diff)
downloadFreeBSD-src-982e80577dd08945aa2345ebe35e3f50eef9eb48.zip
FreeBSD-src-982e80577dd08945aa2345ebe35e3f50eef9eb48.tar.gz
Examine all occurrences of sprintf(), strcat(), and str[n]cpy()
for possible buffer overflow problems. Replaced most sprintf()'s with snprintf(); for other cases, added terminating NUL bytes where appropriate, replaced constants like "16" with sizeof(), etc. These changes include several bug fixes, but most changes are for maintainability's sake. Any instance where it wasn't "immediately obvious" that a buffer overflow could not occur was made safer. Reviewed by: Bruce Evans <bde@zeta.org.au> Reviewed by: Matthew Dillon <dillon@apollo.backplane.com> Reviewed by: Mike Spengler <mks@networkcs.com>
Diffstat (limited to 'sys/cam')
-rw-r--r--sys/cam/scsi/scsi_all.c17
-rw-r--r--sys/cam/scsi/scsi_cd.c7
-rw-r--r--sys/cam/scsi/scsi_ch.c5
-rw-r--r--sys/cam/scsi/scsi_da.c7
4 files changed, 15 insertions, 21 deletions
diff --git a/sys/cam/scsi/scsi_all.c b/sys/cam/scsi/scsi_all.c
index c87b1eb..bc82bf5 100644
--- a/sys/cam/scsi/scsi_all.c
+++ b/sys/cam/scsi/scsi_all.c
@@ -26,7 +26,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $Id: scsi_all.c,v 1.5 1998/10/02 21:00:54 ken Exp $
+ * $Id: scsi_all.c,v 1.6 1998/10/15 19:08:58 ken Exp $
*/
#include <sys/param.h>
@@ -1563,7 +1563,6 @@ char *
scsi_cdb_string(u_int8_t *cdb_ptr, char *cdb_string, size_t len)
{
u_int8_t cdb_len;
- char holdstr[8];
int i;
if (cdb_ptr == NULL)
@@ -1608,17 +1607,9 @@ scsi_cdb_string(u_int8_t *cdb_ptr, char *cdb_string, size_t len)
break;
}
*cdb_string = '\0';
- for (i = 0; i < cdb_len; i++) {
- sprintf(holdstr, "%x ", cdb_ptr[i]);
- /*
- * If we're about to exceed the length of the string,
- * just return what we've already printed.
- */
- if (strlen(holdstr) + strlen(cdb_string) > len)
- break;
-
- strcat(cdb_string, holdstr);
- }
+ for (i = 0; i < cdb_len; i++)
+ snprintf(cdb_string + strlen(cdb_string),
+ len - strlen(cdb_string), "%x ", cdb_ptr[i]);
return(cdb_string);
}
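Review bot: The new loop in scsi_cdb_string() ignores snprintf()'s return value, so once the buffer fills, a CDB byte can be cut mid-token (0xab printed as `a`) and the loop keeps iterating, with two strlen() calls per pass, without writing anything more. The removed code stopped on a whole-byte boundary, so a reader of the logged string could trust the last value; now a truncated final byte is indistinguishable from a real one. Tracking the offset and breaking on truncation restores that, assuming the kernel snprintf() returns the would-be length as the libc one does. The function starts above this hunk, and the `*cdb_string = '\0'` store before the loop still assumes len is at least 1.

```c
	/* … unchanged: cdb_len selection and *cdb_string = '\0' … */
	used = 0;	/* size_t, declared with the other locals; n is an int */
	for (i = 0; i < cdb_len; i++) {
		n = snprintf(cdb_string + used, len - used, "%x ", cdb_ptr[i]);
		if (n < 0 || (size_t)n >= len - used) {
			cdb_string[used] = '\0';	/* drop the partial byte */
			break;
		}
		used += n;
	}
	return(cdb_string);
```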
diff --git a/sys/cam/scsi/scsi_cd.c b/sys/cam/scsi/scsi_cd.c
index 9c6ddb6..8f6fb31 100644
--- a/sys/cam/scsi/scsi_cd.c
+++ b/sys/cam/scsi/scsi_cd.c
@@ -24,7 +24,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $Id: scsi_cd.c,v 1.8 1998/10/22 22:16:56 ken Exp $
+ * $Id: scsi_cd.c,v 1.9 1998/11/22 23:44:46 ken Exp $
*/
/*
* Portions of this driver taken from the original FreeBSD cd driver.
@@ -1691,7 +1691,7 @@ cddone(struct cam_periph *periph, union ccb *done_ccb)
if ((csio->ccb_h.status & CAM_STATUS_MASK) == CAM_REQ_CMP) {
- sprintf(announce_buf,
+ snprintf(announce_buf, sizeof(announce_buf),
"cd present [%lu x %lu byte records]",
cdp->disksize, (u_long)cdp->blksize);
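Review bot: `sizeof(announce_buf)` is the right bound only while announce_buf is a char array local to this function; its declaration is outside the hunk, and if it is ever turned into a pointer the limit silently becomes the pointer size. A comment at the declaration such as `/* must stay an array: the snprintf() calls below use sizeof(announce_buf) */` would pin that, and the same applies to the second cddone() hunk and to the chdone() and dadone() hunks. Separately, `cdp->disksize` is passed to `%lu` without the `(u_long)` cast that `cdp->blksize` gets on the same line, so if disksize is not already u_long it should be cast as well.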
@@ -1759,7 +1759,8 @@ cddone(struct cam_periph *periph, union ccb *done_ccb)
if ((have_sense)
&& ((asc == 0x3a) || (asc == 0x04))
&& (error_code == SSD_CURRENT_ERROR))
- sprintf(announce_buf,
+ snprintf(announce_buf,
+ sizeof(announce_buf),
"Attempt to query device "
"size failed: %s, %s",
scsi_sense_key_text[sense_key],
diff --git a/sys/cam/scsi/scsi_ch.c b/sys/cam/scsi/scsi_ch.c
index aa0883f..2d0290e 100644
--- a/sys/cam/scsi/scsi_ch.c
+++ b/sys/cam/scsi/scsi_ch.c
@@ -24,7 +24,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $Id: scsi_ch.c,v 1.5 1998/10/22 22:16:56 ken Exp $
+ * $Id: scsi_ch.c,v 1.6 1998/11/22 23:44:47 ken Exp $
*/
/*
* Derived from the NetBSD SCSI changer driver.
@@ -618,7 +618,8 @@ chdone(struct cam_periph *periph, union ccb *done_ccb)
softc->sc_picker = softc->sc_firsts[CHET_MT];
#define PLURAL(c) (c) == 1 ? "" : "s"
- sprintf(announce_buf, "%d slot%s, %d drive%s, "
+ snprintf(announce_buf, sizeof(announce_buf),
+ "%d slot%s, %d drive%s, "
"%d picker%s, %d portal%s",
softc->sc_counts[CHET_ST],
PLURAL(softc->sc_counts[CHET_ST]),
diff --git a/sys/cam/scsi/scsi_da.c b/sys/cam/scsi/scsi_da.c
index cb1d7d2..bd0076f 100644
--- a/sys/cam/scsi/scsi_da.c
+++ b/sys/cam/scsi/scsi_da.c
@@ -25,7 +25,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $Id: scsi_da.c,v 1.12 1998/10/22 22:16:56 ken Exp $
+ * $Id: scsi_da.c,v 1.13 1998/12/02 17:35:28 ken Exp $
*/
#include "opt_hw_wdog.h"
@@ -1286,7 +1286,7 @@ dadone(struct cam_periph *periph, union ccb *done_ccb)
dasetgeom(periph, rdcap);
dp = &softc->params;
- sprintf(announce_buf,
+ snprintf(announce_buf, sizeof(announce_buf),
"%ldMB (%d %d byte sectors: %dH %dS/T %dC)",
dp->sectors / ((1024L * 1024L) / dp->secsize),
dp->sectors, dp->secsize, dp->heads,
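Review bot: The size argument passed to snprintf() divides by `(1024L * 1024L) / dp->secsize`, which is zero when the sector size is 0 or larger than 1 MiB, so a bogus device-reported value would fault here regardless of the new buffer bound. Whether dasetgeom() or the read-capacity path already rejects such a secsize is not visible in this hunk. If it does not, test it before building the announce string, e.g. `if (dp->secsize == 0 || dp->secsize > 1024L * 1024L)`, and announce the raw sector count instead. dadone() starts and ends outside the hunk.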
@@ -1350,7 +1350,8 @@ dadone(struct cam_periph *periph, union ccb *done_ccb)
*/
if ((have_sense) && (asc == 0x3a)
&& (error_code == SSD_CURRENT_ERROR))
- sprintf(announce_buf,
+ snprintf(announce_buf,
+ sizeof(announce_buf),
"Attempt to query device "
"size failed: %s, %s",
scsi_sense_key_text[sense_key],