author | archie <archie@FreeBSD.org> | 1998-12-04 22:54:57 +0000 |
---|---|---|
committer | archie <archie@FreeBSD.org> | 1998-12-04 22:54:57 +0000 |
commit | 982e80577dd08945aa2345ebe35e3f50eef9eb48 (patch) | |
tree | e21ff4cbfbcb4097c6cc444d68ddd9a3fd37837f /sys/dev/sound | |
parent | 707b8f68aa118c7396f2a2633751e32477d9ed08 (diff) | |
Examine all occurrences of sprintf(), strcat(), and str[n]cpy()
for possible buffer overflow problems. Replaced most sprintf()'s
with snprintf(); for other cases, added terminating NUL bytes where
appropriate, replaced constants like "16" with sizeof(), etc.
These changes include several bug fixes, but most changes are for
maintainability's sake. Any instance where it wasn't "immediately
obvious" that a buffer overflow could not occur was made safer.
Reviewed by: Bruce Evans <bde@zeta.org.au>
Reviewed by: Matthew Dillon <dillon@apollo.backplane.com>
Reviewed by: Mike Spengler <mks@networkcs.com>
Diffstat (limited to 'sys/dev/sound')
-rw-r--r-- | sys/dev/sound/isa/mss.c | 8 | ||||
-rw-r--r-- | sys/dev/sound/isa/sb.c | 3 | ||||
-rw-r--r-- | sys/dev/sound/isa/sb16.c | 3 | ||||
-rw-r--r-- | sys/dev/sound/isa/sb8.c | 3 |
4 files changed, 10 insertions, 7 deletions
diff --git a/sys/dev/sound/isa/mss.c b/sys/dev/sound/isa/mss.c index 6ded9bf..56021d9 100644 --- a/sys/dev/sound/isa/mss.c +++ b/sys/dev/sound/isa/mss.c @@ -1300,7 +1300,7 @@ mss_detect(struct isa_device *dev) } } BVDDB(printf("mss_detect() - Detected %s\n", name)); - strcpy(d->name, name); + snprintf(d->name, sizeof(d->name), "%s", name); dev->id_flags &= ~DV_F_DEV_MASK ; dev->id_flags |= (d->bd_id << DV_F_DEV_SHIFT) & DV_F_DEV_MASK ; return 1; @@ -1500,7 +1500,7 @@ cs423x_attach(u_long csn, u_long vend_id, char *name, tmp_d.bd_id = MD_CS4232 ; /* to short-circuit the detect routine */ break; } - strcpy(tmp_d.name, name); + snprintf(tmp_d.name, sizeof(tmp_d.name), "%s", name); tmp_d.audio_fmt |= AFMT_FULLDUPLEX ; } write_pnp_parms( &d, ldn ); @@ -1574,7 +1574,7 @@ opti931_attach(u_long csn, u_long vend_id, char *name, snddev_last_probed = &tmp_d; tmp_d = d.flags & DV_PNP_SBCODEC ? sb_op_desc : mss_op_desc ; - strcpy(tmp_d.name, name); + snprintf(tmp_d.name, sizeof(tmp_d.name), "%s", name); /* * My MED3931 v.1.0 allocates 3 bytes for the config space, @@ -1780,7 +1780,7 @@ guspnp_attach(u_long csn, u_long vend_id, char *name, gus_write(tmp_d.conf_base, 0x5b , tmp | 1 ); BVDDB(printf("GUS: silicon rev %c\n", 'A' + ( ( tmp & 0xf ) >> 4) );) - strcpy(tmp_d.name, name); + snprintf(tmp_d.name, sizeof(tmp_d.name), "%s", name); pcmattach(dev); } diff --git a/sys/dev/sound/isa/sb.c b/sys/dev/sound/isa/sb.c index 2b2e84a..06599ec 100644 --- a/sys/dev/sound/isa/sb.c +++ b/sys/dev/sound/isa/sb.c @@ -739,7 +739,8 @@ sb_dsp_init(snddev_info *d, struct isa_device *dev) } - sprintf(d->name, fmt, (d->bd_id >> 8) &0xff, d->bd_id & 0xff); + snprintf(d->name, sizeof(d->name), + fmt, (d->bd_id >> 8) &0xff, d->bd_id & 0xff); sb_mix_init(d); } diff --git a/sys/dev/sound/isa/sb16.c b/sys/dev/sound/isa/sb16.c index 2b2e84a..06599ec 100644 --- a/sys/dev/sound/isa/sb16.c +++ b/sys/dev/sound/isa/sb16.c 
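Review bot: The new `snprintf(d->name, sizeof(d->name), "%s", name)` in mss_detect truncates silently and is only a correct bound if `name` is an array member of the descriptor, and neither fact is visible or stated in the hunk. The same applies to the `tmp_d.name` copies in cs423x_attach, opti931_attach and guspnp_attach, where `name` is a caller-supplied `char *`. The descriptor declaration is outside this diff; presumably `name` is a fixed array, in which case an over-long PnP name is now cut short instead of overrunning the struct. A comment such as `/* name may be truncated to fit d->name */` would record that truncation is intended, and the return value can be compared with `sizeof(d->name)` if a truncated name should be reported. All four enclosing functions start and end outside their hunks.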
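Review bot: In the guspnp_attach hunk the context expression `'A' + ( ( tmp & 0xf ) >> 4)` always evaluates to 'A', because masking with 0xf clears exactly the bits that the shift by 4 then selects. The commit does not touch this line and it only affects the BVDDB debug message, but the mask was presumably meant to be `0xf0`, i.e. `'A' + ((tmp & 0xf0) >> 4)`. Which nibble of the register holds the silicon revision should be confirmed against the datasheet before changing it. guspnp_attach starts outside the hunk.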
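Review bot: `fmt` is still passed to snprintf() as a non-literal format string in sb_dsp_init in sb.c, so the new size argument bounds the output length but nothing checks that the format matches the two integer arguments. The assignments to `fmt` are outside the hunk; presumably each is a string literal with two integer conversions, which is worth confirming and recording with `/* fmt is always one of the literal strings selected above */`. If it is not already, declaring it `const char *fmt` keeps it from being pointed at writable data later. The identical hunks in sb16.c and sb8.c carry the same point; sb_dsp_init begins outside the hunk.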
@@ -739,7 +739,8 @@ sb_dsp_init(snddev_info *d, struct isa_device *dev) } - sprintf(d->name, fmt, (d->bd_id >> 8) &0xff, d->bd_id & 0xff); + snprintf(d->name, sizeof(d->name), + fmt, (d->bd_id >> 8) &0xff, d->bd_id & 0xff); sb_mix_init(d); } diff --git a/sys/dev/sound/isa/sb8.c b/sys/dev/sound/isa/sb8.c index 2b2e84a..06599ec 100644 --- a/sys/dev/sound/isa/sb8.c +++ b/sys/dev/sound/isa/sb8.c @@ -739,7 +739,8 @@ sb_dsp_init(snddev_info *d, struct isa_device *dev) } - sprintf(d->name, fmt, (d->bd_id >> 8) &0xff, d->bd_id & 0xff); + snprintf(d->name, sizeof(d->name), + fmt, (d->bd_id >> 8) &0xff, d->bd_id & 0xff); sb_mix_init(d); } |