summaryrefslogtreecommitdiffstats
path: root/sys/i386/isa
diff options
context:
space:
mode:
authorarchie <archie@FreeBSD.org>1998-12-04 22:54:57 +0000
committerarchie <archie@FreeBSD.org>1998-12-04 22:54:57 +0000
commit982e80577dd08945aa2345ebe35e3f50eef9eb48 (patch)
treee21ff4cbfbcb4097c6cc444d68ddd9a3fd37837f /sys/i386/isa
parent707b8f68aa118c7396f2a2633751e32477d9ed08 (diff)
downloadFreeBSD-src-982e80577dd08945aa2345ebe35e3f50eef9eb48.zip
FreeBSD-src-982e80577dd08945aa2345ebe35e3f50eef9eb48.tar.gz
Examine all occurrences of sprintf(), strcat(), and str[n]cpy()
for possible buffer overflow problems. Replaced most sprintf()'s with snprintf(); for others cases, added terminating NUL bytes where appropriate, replaced constants like "16" with sizeof(), etc. These changes include several bug fixes, but most changes are for maintainability's sake. Any instance where it wasn't "immediately obvious" that a buffer overflow could not occur was made safer. Reviewed by: Bruce Evans <bde@zeta.org.au> Reviewed by: Matthew Dillon <dillon@apollo.backplane.com> Reviewed by: Mike Spengler <mks@networkcs.com>
Diffstat (limited to 'sys/i386/isa')
-rw-r--r--sys/i386/isa/atapi.c2
-rw-r--r--sys/i386/isa/bs/bs_isa.c3
-rw-r--r--sys/i386/isa/bs/bsif.c2
-rw-r--r--sys/i386/isa/cx.c3
-rw-r--r--sys/i386/isa/diskslice_machdep.c4
-rw-r--r--sys/i386/isa/fd.c6
-rw-r--r--sys/i386/isa/intr_machdep.c4
-rw-r--r--sys/i386/isa/loran.c5
-rw-r--r--sys/i386/isa/nmi.c4
-rw-r--r--sys/i386/isa/pcvt/pcvt_sup.c2
-rw-r--r--sys/i386/isa/snd/ad1848.c8
-rw-r--r--sys/i386/isa/snd/sb_dsp.c3
-rw-r--r--sys/i386/isa/snd/sound.c11
-rw-r--r--sys/i386/isa/sound/ad1848.c10
-rw-r--r--sys/i386/isa/sound/gus_wave.c6
-rw-r--r--sys/i386/isa/sound/mpu401.c6
-rw-r--r--sys/i386/isa/sound/pas2_card.c2
-rw-r--r--sys/i386/isa/sound/pcm86.c5
-rw-r--r--sys/i386/isa/sound/pss.c2
-rw-r--r--sys/i386/isa/sound/sb16_dsp.c4
-rw-r--r--sys/i386/isa/sound/sb_dsp.c3
-rw-r--r--sys/i386/isa/sound/sound_timer.c2
22 files changed, 56 insertions, 41 deletions
diff --git a/sys/i386/isa/atapi.c b/sys/i386/isa/atapi.c
index 44cdc4e..357d8d1 100644
--- a/sys/i386/isa/atapi.c
+++ b/sys/i386/isa/atapi.c
@@ -380,7 +380,7 @@ static char *cmdname (u_char cmd)
case 0xbd: return ("ATAPI_MECH_STATUS");
case 0xbe: return ("READ_CD");
}
- sprintf (buf, "[0x%x]", cmd);
+ snprintf (buf, sizeof(buf), "[0x%x]", cmd);
return (buf);
}
diff --git a/sys/i386/isa/bs/bs_isa.c b/sys/i386/isa/bs/bs_isa.c
index 7215de6..644dc0e 100644
--- a/sys/i386/isa/bs/bs_isa.c
+++ b/sys/i386/isa/bs/bs_isa.c
@@ -59,7 +59,8 @@ bs_args_copy(bsc, ia, hw)
bsc->sm_offset = 0;
bsc->sc_cfgflags = DVCFG_MINOR(ia->ia_cfgflags);
- strcpy(bsc->sc_dvname, bsc->sc_dev.dv_xname);
+ snprintf(bsc->sc_dvname, sizeof(bsc->sc_dvname),
+ "%s", bsc->sc_dev.dv_xname);
}
static int
diff --git a/sys/i386/isa/bs/bsif.c b/sys/i386/isa/bs/bsif.c
index 58e7203..fc02971 100644
--- a/sys/i386/isa/bs/bsif.c
+++ b/sys/i386/isa/bs/bsif.c
@@ -158,7 +158,7 @@ bsprobe(dev)
else
bsc->sm_offset = (u_long) 0;
- sprintf(bsc->sc_dvname, "bs%d", unit);
+ snprintf(bsc->sc_dvname, sizeof(bsc->sc_dvname), "bs%d", unit);
if (dev->id_iobase == 0)
{
diff --git a/sys/i386/isa/cx.c b/sys/i386/isa/cx.c
index b4fb324..74322b7 100644
--- a/sys/i386/isa/cx.c
+++ b/sys/i386/isa/cx.c
@@ -417,7 +417,8 @@ int cxioctl (dev_t dev, u_long cmd, caddr_t data, int flag, struct proc *p)
case 8: o->iftype = c->board->if8type; break;
}
if (c->master != c->ifp)
- sprintf (o->master, "%s%d", c->master->if_name,
+ snprintf (o->master, sizeof(o->master),
+ "%s%d", c->master->if_name,
c->master->if_unit);
else
*o->master = 0;
diff --git a/sys/i386/isa/diskslice_machdep.c b/sys/i386/isa/diskslice_machdep.c
index ab9d4ba..adfd39c 100644
--- a/sys/i386/isa/diskslice_machdep.c
+++ b/sys/i386/isa/diskslice_machdep.c
@@ -35,7 +35,7 @@
*
* from: @(#)ufs_disksubr.c 7.16 (Berkeley) 5/4/91
* from: ufs_disksubr.c,v 1.8 1994/06/07 01:21:39 phk Exp $
- * $Id: diskslice_machdep.c,v 1.30 1998/07/25 16:35:06 bde Exp $
+ * $Id: diskslice_machdep.c,v 1.31 1998/08/10 07:22:14 phk Exp $
*/
#include <sys/param.h>
@@ -405,7 +405,7 @@ extended(dname, dev, strat, lp, ssp, ext_offset, ext_size, base_ext_offset,
sname = dsname(dname, dkunit(dev), WHOLE_DISK_SLICE,
RAW_PART, partname);
- strcpy(buf, sname);
+ snprintf(buf, sizeof(buf), "%s", sname);
if (strlen(buf) < sizeof buf - 11)
strcat(buf, "<extended>");
check_part(buf, dp, base_ext_offset, nsectors,
diff --git a/sys/i386/isa/fd.c b/sys/i386/isa/fd.c
index d6a7659..3bb7737 100644
--- a/sys/i386/isa/fd.c
+++ b/sys/i386/isa/fd.c
@@ -43,7 +43,7 @@
* SUCH DAMAGE.
*
* from: @(#)fd.c 7.4 (Berkeley) 5/25/91
- * $Id: fd.c,v 1.123 1998/09/15 22:07:24 gibbs Exp $
+ * $Id: fd.c,v 1.124 1998/10/22 05:58:38 bde Exp $
*
*/
@@ -340,7 +340,7 @@ fd_cmd(fdcu_t fdcu, int n_out, ...)
if (out_fdc(fdcu, va_arg(ap, int)) < 0)
{
char msg[50];
- sprintf(msg,
+ snprintf(msg, sizeof(msg),
"cmd %x failed at out byte %d of %d\n",
cmd, n + 1, n_out);
return fdc_err(fdcu, msg);
@@ -353,7 +353,7 @@ fd_cmd(fdcu_t fdcu, int n_out, ...)
if (fd_in(fdcu, ptr) < 0)
{
char msg[50];
- sprintf(msg,
+ snprintf(msg, sizeof(msg),
"cmd %02x failed at in byte %d of %d\n",
cmd, n + 1, n_in);
return fdc_err(fdcu, msg);
diff --git a/sys/i386/isa/intr_machdep.c b/sys/i386/isa/intr_machdep.c
index 3f891f2..08c2049 100644
--- a/sys/i386/isa/intr_machdep.c
+++ b/sys/i386/isa/intr_machdep.c
@@ -34,7 +34,7 @@
* SUCH DAMAGE.
*
* from: @(#)isa.c 7.2 (Berkeley) 5/13/91
- * $Id: intr_machdep.c,v 1.13 1998/06/18 16:08:46 bde Exp $
+ * $Id: intr_machdep.c,v 1.14 1998/09/06 22:41:41 tegge Exp $
*/
#include "opt_auto_eoi.h"
@@ -325,7 +325,7 @@ find_device_id(int irq)
char *cp;
int free_id, id;
- sprintf(buf, "pci irq%d", irq);
+ snprintf(buf, sizeof(buf), "pci irq%d", irq);
cp = intrnames;
/* default to 0, which corresponds to clk0 */
free_id = 0;
diff --git a/sys/i386/isa/loran.c b/sys/i386/isa/loran.c
index 8b16501..20385bd 100644
--- a/sys/i386/isa/loran.c
+++ b/sys/i386/isa/loran.c
@@ -6,7 +6,7 @@
* this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp
* ----------------------------------------------------------------------------
*
- * $Id: loran.c,v 1.10 1998/10/23 10:45:10 phk Exp $
+ * $Id: loran.c,v 1.11 1998/10/24 19:55:09 phk Exp $
*
* This device-driver helps the userland controlprogram for a LORAN-C
* receiver avoid monopolizing the CPU.
@@ -577,7 +577,8 @@ loranintr(int unit)
outb(PAR, par);
if (status) {
- sprintf(lorantext, "Missed: %02x %d %d this:%p next:%p (dummy=%p)\n",
+ snprintf(lorantext, sizeof(lorantext),
+ "Missed: %02x %d %d this:%p next:%p (dummy=%p)\n",
status, count, delay, this, next, &dummy);
loranerror = 1;
}
diff --git a/sys/i386/isa/nmi.c b/sys/i386/isa/nmi.c
index 3f891f2..08c2049 100644
--- a/sys/i386/isa/nmi.c
+++ b/sys/i386/isa/nmi.c
@@ -34,7 +34,7 @@
* SUCH DAMAGE.
*
* from: @(#)isa.c 7.2 (Berkeley) 5/13/91
- * $Id: intr_machdep.c,v 1.13 1998/06/18 16:08:46 bde Exp $
+ * $Id: intr_machdep.c,v 1.14 1998/09/06 22:41:41 tegge Exp $
*/
#include "opt_auto_eoi.h"
@@ -325,7 +325,7 @@ find_device_id(int irq)
char *cp;
int free_id, id;
- sprintf(buf, "pci irq%d", irq);
+ snprintf(buf, sizeof(buf), "pci irq%d", irq);
cp = intrnames;
/* default to 0, which corresponds to clk0 */
free_id = 0;
diff --git a/sys/i386/isa/pcvt/pcvt_sup.c b/sys/i386/isa/pcvt/pcvt_sup.c
index 3b00191..de7f938 100644
--- a/sys/i386/isa/pcvt/pcvt_sup.c
+++ b/sys/i386/isa/pcvt/pcvt_sup.c
@@ -261,7 +261,7 @@ vgaioctl(Dev_t dev, int cmd, caddr_t data, int flag)
static void
vgapcvtid(struct pcvtid *data)
{
- strcpy(data->name, PCVTIDNAME);
+ snprintf(data->name, sizeof(data->name), "%s", PCVTIDNAME);
data->rmajor = PCVTIDMAJOR;
data->rminor = PCVTIDMINOR;
}
diff --git a/sys/i386/isa/snd/ad1848.c b/sys/i386/isa/snd/ad1848.c
index 6ded9bf..56021d9 100644
--- a/sys/i386/isa/snd/ad1848.c
+++ b/sys/i386/isa/snd/ad1848.c
@@ -1300,7 +1300,7 @@ mss_detect(struct isa_device *dev)
}
}
BVDDB(printf("mss_detect() - Detected %s\n", name));
- strcpy(d->name, name);
+ snprintf(d->name, sizeof(d->name), "%s", name);
dev->id_flags &= ~DV_F_DEV_MASK ;
dev->id_flags |= (d->bd_id << DV_F_DEV_SHIFT) & DV_F_DEV_MASK ;
return 1;
@@ -1500,7 +1500,7 @@ cs423x_attach(u_long csn, u_long vend_id, char *name,
tmp_d.bd_id = MD_CS4232 ; /* to short-circuit the detect routine */
break;
}
- strcpy(tmp_d.name, name);
+ snprintf(tmp_d.name, sizeof(tmp_d.name), "%s", name);
tmp_d.audio_fmt |= AFMT_FULLDUPLEX ;
}
write_pnp_parms( &d, ldn );
@@ -1574,7 +1574,7 @@ opti931_attach(u_long csn, u_long vend_id, char *name,
snddev_last_probed = &tmp_d;
tmp_d = d.flags & DV_PNP_SBCODEC ? sb_op_desc : mss_op_desc ;
- strcpy(tmp_d.name, name);
+ snprintf(tmp_d.name, sizeof(tmp_d.name), "%s", name);
/*
* My MED3931 v.1.0 allocates 3 bytes for the config space,
@@ -1780,7 +1780,7 @@ guspnp_attach(u_long csn, u_long vend_id, char *name,
gus_write(tmp_d.conf_base, 0x5b , tmp | 1 );
BVDDB(printf("GUS: silicon rev %c\n", 'A' + ( ( tmp & 0xf ) >> 4) );)
- strcpy(tmp_d.name, name);
+ snprintf(tmp_d.name, sizeof(tmp_d.name), "%s", name);
pcmattach(dev);
}
diff --git a/sys/i386/isa/snd/sb_dsp.c b/sys/i386/isa/snd/sb_dsp.c
index 2b2e84a..06599ec 100644
--- a/sys/i386/isa/snd/sb_dsp.c
+++ b/sys/i386/isa/snd/sb_dsp.c
@@ -739,7 +739,8 @@ sb_dsp_init(snddev_info *d, struct isa_device *dev)
}
- sprintf(d->name, fmt, (d->bd_id >> 8) &0xff, d->bd_id & 0xff);
+ snprintf(d->name, sizeof(d->name),
+ fmt, (d->bd_id >> 8) &0xff, d->bd_id & 0xff);
sb_mix_init(d);
}
diff --git a/sys/i386/isa/snd/sound.c b/sys/i386/isa/snd/sound.c
index 6a26c07..3253af9 100644
--- a/sys/i386/isa/snd/sound.c
+++ b/sys/i386/isa/snd/sound.c
@@ -1300,19 +1300,21 @@ init_status(snddev_info *d)
if (status_len != 0) /* only do init once */
return ;
- sprintf(status_buf,
+ snprintf(status_buf, sizeof(status_buf),
"FreeBSD Audio Driver (981002) " __DATE__ " " __TIME__ "\n"
"Installed devices:\n");
for (i = 0; i < NPCM_MAX; i++) {
if (pcm_info[i].open)
- sprintf(status_buf + strlen(status_buf),
+ snprintf(status_buf + strlen(status_buf),
+ sizeof(status_buf) - strlen(status_buf),
"pcm%d: <%s> at 0x%x irq %d dma %d:%d\n",
i, pcm_info[i].name, pcm_info[i].io_base,
pcm_info[i].irq,
pcm_info[i].dbuf_out.chan, pcm_info[i].dbuf_in.chan);
if (midi_info[i].open)
- sprintf(status_buf + strlen(status_buf),
+ snprintf(status_buf + strlen(status_buf),
+ sizeof(status_buf) - strlen(status_buf),
"midi%d: <%s> at 0x%x irq %d dma %d:%d\n",
i, midi_info[i].name, midi_info[i].io_base,
midi_info[i].irq,
@@ -1325,7 +1327,8 @@ init_status(snddev_info *d)
case 4 : s = "OPL4"; break;
}
- sprintf(status_buf + strlen(status_buf),
+ snprintf(status_buf + strlen(status_buf),
+ sizeof(status_buf) - strlen(status_buf),
"sequencer%d: <%s> at 0x%x (not functional)\n",
i, s, pcm_info[i].synth_base);
}
diff --git a/sys/i386/isa/sound/ad1848.c b/sys/i386/isa/sound/ad1848.c
index fbd5051..08b0a1e 100644
--- a/sys/i386/isa/sound/ad1848.c
+++ b/sys/i386/isa/sound/ad1848.c
@@ -1440,11 +1440,13 @@ ad1848_init(char *name, int io_base, int irq,
outb(io_Status(devc), 0); /* Clear pending interrupts */
if (name != NULL && name[0] != 0)
- sprintf(ad1848_pcm_operations[nr_ad1848_devs].name,
- "%s (%s)", name, devc->chip_name);
+ snprintf(ad1848_pcm_operations[nr_ad1848_devs].name,
+ sizeof(ad1848_pcm_operations[nr_ad1848_devs].name),
+ "%s (%s)", name, devc->chip_name);
else
- sprintf(ad1848_pcm_operations[nr_ad1848_devs].name,
- "Generic audio codec (%s)", devc->chip_name);
+ snprintf(ad1848_pcm_operations[nr_ad1848_devs].name,
+ sizeof(ad1848_pcm_operations[nr_ad1848_devs].name),
+ "Generic audio codec (%s)", devc->chip_name);
conf_printf2(ad1848_pcm_operations[nr_ad1848_devs].name,
devc->base, devc->irq, dma_playback, dma_capture);
diff --git a/sys/i386/isa/sound/gus_wave.c b/sys/i386/isa/sound/gus_wave.c
index 9b3ab0b..54d36cb 100644
--- a/sys/i386/isa/sound/gus_wave.c
+++ b/sys/i386/isa/sound/gus_wave.c
@@ -4517,9 +4517,11 @@ gus_wave_init(struct address_info * hw_config)
}
if (gus_pnp_seen) {
- sprintf(gus_info.name, "Gravis %s (%dk)", model_num, (int) gus_mem_size / 1024);
+ snprintf(gus_info.name, sizeof(gus_info.name),
+ "Gravis %s (%dk)", model_num, (int) gus_mem_size / 1024);
} else {
- sprintf(gus_info.name, "Gravis UltraSound %s (%dk)", model_num, (int) gus_mem_size / 1024);
+ snprintf(gus_info.name, sizeof(gus_info.name),
+ "Gravis UltraSound %s (%dk)", model_num, (int) gus_mem_size / 1024);
}
conf_printf(gus_info.name, hw_config);
diff --git a/sys/i386/isa/sound/mpu401.c b/sys/i386/isa/sound/mpu401.c
index fdfb94d..0bd1412 100644
--- a/sys/i386/isa/sound/mpu401.c
+++ b/sys/i386/isa/sound/mpu401.c
@@ -1002,7 +1002,8 @@ attach_mpu401(struct address_info * hw_config)
MPU_CAP_CLS | MPU_CAP_2PORT;
revision_char = (devc->revision == 0x7f) ? 'M' : ' ';
- sprintf(mpu_synth_info[num_midis].name,
+ snprintf(mpu_synth_info[num_midis].name,
+ sizeof(mpu_synth_info[num_midis].name),
"MQX-%d%c MIDI Interface #%d",
ports,
revision_char,
@@ -1015,7 +1016,8 @@ attach_mpu401(struct address_info * hw_config)
devc->capabilities |= MPU_CAP_SYNC | MPU_CAP_FSK;
- sprintf(mpu_synth_info[num_midis].name,
+ snprintf(mpu_synth_info[num_midis].name,
+ sizeof(mpu_synth_info[num_midis].name),
"MPU-401 %d.%d%c Midi interface #%d",
(int) (devc->version & 0xf0) >> 4,
devc->version & 0x0f,
diff --git a/sys/i386/isa/sound/pas2_card.c b/sys/i386/isa/sound/pas2_card.c
index 06ab9f2..dc78afa 100644
--- a/sys/i386/isa/sound/pas2_card.c
+++ b/sys/i386/isa/sound/pas2_card.c
@@ -325,7 +325,7 @@ attach_pas_card(struct address_info * hw_config)
if ((pas_model = pas_read(CHIP_REV))) {
char temp[100];
- sprintf(temp,
+ snprintf(temp, sizeof(temp),
"%s rev %d", pas_model_names[(int) pas_model],
pas_read(BOARD_REV_ID));
conf_printf(temp, hw_config);
diff --git a/sys/i386/isa/sound/pcm86.c b/sys/i386/isa/sound/pcm86.c
index 0df86b1..4efec0d 100644
--- a/sys/i386/isa/sound/pcm86.c
+++ b/sys/i386/isa/sound/pcm86.c
@@ -25,7 +25,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $Id: pcm86.c,v 1.3 1997/02/22 09:38:14 peter Exp $
+ * $Id: pcm86.c,v 1.4 1997/06/03 10:25:41 kato Exp $
*/
/*
@@ -1890,7 +1890,8 @@ pcm86_detect(struct address_info *hw_config)
outb(opna_iobase + 2, 0x30);
/* Ok. Detection finished. */
- sprintf(pcm86_operations.name, board_name[pcm_s.board_type]);
+ snprintf(pcm86_operations.name, sizeof(pcm86_operations.name),
+ "%s", board_name[pcm_s.board_type]);
pcm_initialized = NO;
pcm_s.irq = irq;
diff --git a/sys/i386/isa/sound/pss.c b/sys/i386/isa/sound/pss.c
index 17acfb2..a6a5b65 100644
--- a/sys/i386/isa/sound/pss.c
+++ b/sys/i386/isa/sound/pss.c
@@ -348,7 +348,7 @@ attach_pss(struct address_info * hw_config)
#endif
pss_initialized = 1;
- sprintf(tmp, "ECHO-PSS Rev. %d", id);
+ snprintf(tmp, sizeof(tmp), "ECHO-PSS Rev. %d", id);
conf_printf(tmp, hw_config);
return;
diff --git a/sys/i386/isa/sound/sb16_dsp.c b/sys/i386/isa/sound/sb16_dsp.c
index ad9be54..f94675b 100644
--- a/sys/i386/isa/sound/sb16_dsp.c
+++ b/sys/i386/isa/sound/sb16_dsp.c
@@ -450,8 +450,8 @@ sb16_dsp_init(struct address_info * hw_config)
if (sbc_major < 4)
return; /* Not a SB16 */
- sprintf(sb16_dsp_operations.name, "SoundBlaster 16 %d.%d",
- sbc_major, sbc_minor);
+ snprintf(sb16_dsp_operations.name, sizeof(sb16_dsp_operations.name),
+ "SoundBlaster 16 %d.%d", sbc_major, sbc_minor);
conf_printf(sb16_dsp_operations.name, hw_config);
diff --git a/sys/i386/isa/sound/sb_dsp.c b/sys/i386/isa/sound/sb_dsp.c
index 1cf52c5..7d48ec8 100644
--- a/sys/i386/isa/sound/sb_dsp.c
+++ b/sys/i386/isa/sound/sb_dsp.c
@@ -1081,7 +1081,8 @@ sb_dsp_init(struct address_info * hw_config)
fmt = "SoundBlaster %d.%d" ;
}
- sprintf(sb_dsp_operations.name, fmt, sbc_major, sbc_minor);
+ snprintf(sb_dsp_operations.name, sizeof(sb_dsp_operations.name),
+ fmt, sbc_major, sbc_minor);
conf_printf(sb_dsp_operations.name, hw_config);
#if defined(CONFIG_SB16) && defined(CONFIG_SBPRO)
diff --git a/sys/i386/isa/sound/sound_timer.c b/sys/i386/isa/sound/sound_timer.c
index 8450b2d..cef7596 100644
--- a/sys/i386/isa/sound/sound_timer.c
+++ b/sys/i386/isa/sound/sound_timer.c
@@ -335,7 +335,7 @@ sound_timer_init(struct sound_lowlev_timer * t, char *name)
else
n = num_sound_timers++;
- strcpy(sound_timer.info.name, name);
+ snprintf(sound_timer.info.name, sizeof(sound_timer.info.name), "%s", name);
sound_timer_devs[n] = &sound_timer;
}
OpenPOWER on IntegriCloud