diff options
| author | archie <archie@FreeBSD.org> | 1998-12-04 22:54:57 +0000 |
|---|---|---|
| committer | archie <archie@FreeBSD.org> | 1998-12-04 22:54:57 +0000 |
| commit | 982e80577dd08945aa2345ebe35e3f50eef9eb48 (patch) | |
| tree | e21ff4cbfbcb4097c6cc444d68ddd9a3fd37837f /sys/i386/ibcs2 | |
| parent | 707b8f68aa118c7396f2a2633751e32477d9ed08 (diff) | |
| download | FreeBSD-src-982e80577dd08945aa2345ebe35e3f50eef9eb48.zip FreeBSD-src-982e80577dd08945aa2345ebe35e3f50eef9eb48.tar.gz | |
Examine all occurrences of sprintf(), strcat(), and str[n]cpy()
for possible buffer overflow problems. Replaced most sprintf()'s
with snprintf(); for others cases, added terminating NUL bytes where
appropriate, replaced constants like "16" with sizeof(), etc.
These changes include several bug fixes, but most changes are for
maintainability's sake. Any instance where it wasn't "immediately
obvious" that a buffer overflow could not occur was made safer.
Reviewed by: Bruce Evans <bde@zeta.org.au>
Reviewed by: Matthew Dillon <dillon@apollo.backplane.com>
Reviewed by: Mike Spengler <mks@networkcs.com>
Diffstat (limited to 'sys/i386/ibcs2')
| -rw-r--r-- | sys/i386/ibcs2/ibcs2_socksys.c | 4 | ||||
| -rw-r--r-- | sys/i386/ibcs2/ibcs2_stat.c | 21 | ||||
| -rw-r--r-- | sys/i386/ibcs2/ibcs2_xenix.c | 26 |
3 files changed, 29 insertions, 22 deletions
diff --git a/sys/i386/ibcs2/ibcs2_socksys.c b/sys/i386/ibcs2/ibcs2_socksys.c index e52bd2c..c7f109a 100644 --- a/sys/i386/ibcs2/ibcs2_socksys.c +++ b/sys/i386/ibcs2/ibcs2_socksys.c @@ -146,7 +146,7 @@ ibcs2_getipdomainname(p, uap) int len; /* Get the domain name */ - strcpy(hname, hostname); + snprintf(hname, sizeof(hname), "%s", hostname); dptr = index(hname, '.'); if ( dptr ) dptr++; @@ -177,7 +177,7 @@ ibcs2_setipdomainname(p, uap) return EINVAL; /* Get the host's unqualified name (strip off the domain) */ - strcpy(hname, hostname); + snprintf(hname, sizeof(hname), "%s", hostname); ptr = index(hname, '.'); if ( ptr != NULL ) { ptr++; diff --git a/sys/i386/ibcs2/ibcs2_stat.c b/sys/i386/ibcs2/ibcs2_stat.c index febf4d2..d3bf6ae 100644 --- a/sys/i386/ibcs2/ibcs2_stat.c +++ b/sys/i386/ibcs2/ibcs2_stat.c @@ -221,20 +221,19 @@ ibcs2_utssys(p, uap) struct ibcs2_utsname sut; bzero(&sut, ibcs2_utsname_len); - strncpy(sut.sysname, IBCS2_UNAME_SYSNAME, sizeof(sut.sysname)); - strncpy(sut.release, IBCS2_UNAME_RELEASE, sizeof(sut.release)); - strncpy(sut.version, IBCS2_UNAME_VERSION, sizeof(sut.version)); - strncpy(machine_name, hostname, sizeof(machine_name)); + strncpy(sut.sysname, + IBCS2_UNAME_SYSNAME, sizeof(sut.sysname) - 1); + strncpy(sut.release, + IBCS2_UNAME_RELEASE, sizeof(sut.release) - 1); + strncpy(sut.version, + IBCS2_UNAME_VERSION, sizeof(sut.version) - 1); + strncpy(machine_name, hostname, sizeof(machine_name) - 1); + machine_name[sizeof(machine_name) - 1] = 0; p = index(machine_name, '.'); if ( p ) *p = '\0'; - strncpy(sut.nodename, machine_name, sizeof(sut.nodename)); - strncpy(sut.machine, machine, sizeof(sut.machine)); - sut.sysname[sizeof(sut.sysname)-1] = '\0'; - sut.release[sizeof(sut.release)-1] = '\0'; - sut.version[sizeof(sut.version)-1] = '\0'; - sut.nodename[sizeof(sut.nodename)-1] = '\0'; - sut.machine[sizeof(sut.machine)-1] = '\0'; + strncpy(sut.nodename, machine_name, sizeof(sut.nodename) - 1); + strncpy(sut.machine, machine, sizeof(sut.machine) - 1); DPRINTF(("IBCS2 uname: sys=%s rel=%s ver=%s node=%s mach=%s\n", sut.sysname, sut.release, sut.version, sut.nodename, diff --git a/sys/i386/ibcs2/ibcs2_xenix.c b/sys/i386/ibcs2/ibcs2_xenix.c index 0677ede..8ab5556 100644 --- a/sys/i386/ibcs2/ibcs2_xenix.c +++ b/sys/i386/ibcs2/ibcs2_xenix.c @@ -27,7 +27,7 @@ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * - * $Id: ibcs2_xenix.c,v 1.15 1998/06/02 05:39:07 dyson Exp $ + * $Id: ibcs2_xenix.c,v 1.16 1998/08/16 01:21:49 bde Exp $ */ #include <sys/param.h> @@ -157,14 +157,22 @@ xenix_utsname(struct proc *p, struct xenix_utsname_args *uap) DPRINTF(("IBCS2: 'xenix sco_utsname'\n")); bzero(&ibcs2_sco_uname, sizeof(struct ibcs2_sco_utsname)); - strncpy(ibcs2_sco_uname.sysname, ostype, 8); - strncpy(ibcs2_sco_uname.nodename, hostname, 8); - strncpy(ibcs2_sco_uname.release, osrelease, 15); - strncpy(ibcs2_sco_uname.kernelid, version, 19); - strncpy(ibcs2_sco_uname.machine, machine, 8); - bcopy("ISA/EISA", ibcs2_sco_uname.bustype, 8); - bcopy("no charge", ibcs2_sco_uname.sysserial, 9); - bcopy("unlim", ibcs2_sco_uname.numusers, 8); + strncpy(ibcs2_sco_uname.sysname, ostype, + sizeof(ibcs2_sco_uname.sysname) - 1); + strncpy(ibcs2_sco_uname.nodename, hostname, + sizeof(ibcs2_sco_uname.nodename) - 1); + strncpy(ibcs2_sco_uname.release, osrelease, + sizeof(ibcs2_sco_uname.release) - 1); + strncpy(ibcs2_sco_uname.kernelid, version, + sizeof(ibcs2_sco_uname.kernelid) - 1); + strncpy(ibcs2_sco_uname.machine, machine, + sizeof(ibcs2_sco_uname.machine) - 1); + strncpy(ibcs2_sco_uname.bustype, "ISA/EISA", + sizeof(ibcs2_sco_uname.bustype) - 1); + strncpy(ibcs2_sco_uname.sysserial, "no charge", + sizeof(ibcs2_sco_uname.sysserial) - 1); + strncpy(ibcs2_sco_uname.numusers, "unlim", + sizeof(ibcs2_sco_uname.numusers) - 1); ibcs2_sco_uname.sysorigin = 0xFFFF; ibcs2_sco_uname.sysoem = 0xFFFF; ibcs2_sco_uname.numcpu = 1; |
