Examine all occurrences of sprintf(), strcat(), and str[n]cpy()

for possible buffer overflow problems. Replaced most sprintf()'s
with snprintf(); for others cases, added terminating NUL bytes where
appropriate, replaced constants like "16" with sizeof(), etc.

These changes include several bug fixes, but most changes are for
maintainability's sake. Any instance where it wasn't "immediately
obvious" that a buffer overflow could not occur was made safer.

Reviewed by:	Bruce Evans <bde@zeta.org.au>
Reviewed by:	Matthew Dillon <dillon@apollo.backplane.com>
Reviewed by:	Mike Spengler <mks@networkcs.com>

7 files changed, 36 insertions, 24 deletions

diff --git a/sys/netatm/uni/sscf_uni.c b/sys/netatm/uni/sscf_uni.c
index 49e7186..b734524 100644
--- a/sys/netatm/uni/sscf_uni.c
+++ b/sys/netatm/uni/sscf_uni.c
@@ -23,7 +23,7 @@
  * Copies of this Software may be made, however, the above copyright
  * notice must be reproduced on all copies.
  *
- *	@(#) $Id: sscf_uni.c,v 1.2 1998/09/17 09:35:01 phk Exp $
+ *	@(#) $Id: sscf_uni.c,v 1.3 1998/10/31 20:07:00 phk Exp $
  *
  */
 
@@ -43,7 +43,7 @@
 #include <netatm/uni/sscf_uni_var.h>
 
 #ifndef lint
-__RCSID("@(#) $Id: sscf_uni.c,v 1.2 1998/09/17 09:35:01 phk Exp $");
+__RCSID("@(#) $Id: sscf_uni.c,v 1.3 1998/10/31 20:07:00 phk Exp $");
 #endif
 
 
@@ -310,7 +310,7 @@ sscf_uni_pdu_print(uvp, m, msg)
 	struct vccb	*vcp;
 
 	vcp = uvp->uv_connvc->cvc_vcc;
-	sprintf(buf, "sscf_uni %s: vcc=(%d,%d)\n",
+	snprintf(buf, sizeof(buf), "sscf_uni %s: vcc=(%d,%d)\n",
 			msg, vcp->vc_vpi, vcp->vc_vci);
 	atm_pdu_print(m, buf);
 }
diff --git a/sys/netatm/uni/sscop_pdu.c b/sys/netatm/uni/sscop_pdu.c
index 86522b9..0356284 100644
--- a/sys/netatm/uni/sscop_pdu.c
+++ b/sys/netatm/uni/sscop_pdu.c
@@ -23,7 +23,7 @@
  * Copies of this Software may be made, however, the above copyright
  * notice must be reproduced on all copies.
  *
- *	@(#) $Id: sscop_pdu.c,v 1.1 1998/09/15 08:23:07 phk Exp $
+ *	@(#) $Id: sscop_pdu.c,v 1.2 1998/10/31 20:07:00 phk Exp $
  *
  */
 
@@ -44,7 +44,7 @@
 #include <netatm/uni/sscop_var.h>
 
 #ifndef lint
-__RCSID("@(#) $Id: sscop_pdu.c,v 1.1 1998/09/15 08:23:07 phk Exp $");
+__RCSID("@(#) $Id: sscop_pdu.c,v 1.2 1998/10/31 20:07:00 phk Exp $");
 #endif
 
 /*
@@ -1231,7 +1231,8 @@ sscop_pdu_print(sop, m, msg)
 	struct vccb	*vcp;
 
 	vcp = sop->so_connvc->cvc_vcc;
-	sprintf(buf, "sscop %s: vcc=(%d,%d)\n", msg, vcp->vc_vpi, vcp->vc_vci);
+	snprintf(buf, sizeof(buf),
+	    "sscop %s: vcc=(%d,%d)\n", msg, vcp->vc_vpi, vcp->vc_vci);
 	atm_pdu_print(m, buf);
 }
 
diff --git a/sys/netatm/uni/uniarp.c b/sys/netatm/uni/uniarp.c
index b972541..9aae374 100644
--- a/sys/netatm/uni/uniarp.c
+++ b/sys/netatm/uni/uniarp.c
@@ -23,7 +23,7 @@
  * Copies of this Software may be made, however, the above copyright
  * notice must be reproduced on all copies.
  *
- *	@(#) $Id: uniarp.c,v 1.2 1998/09/17 09:35:01 phk Exp $
+ *	@(#) $Id: uniarp.c,v 1.3 1998/10/31 20:07:00 phk Exp $
  *
  */
 
@@ -43,7 +43,7 @@
 #include <netatm/uni/uniip_var.h>
 
 #ifndef lint
-__RCSID("@(#) $Id: uniarp.c,v 1.2 1998/09/17 09:35:01 phk Exp $");
+__RCSID("@(#) $Id: uniarp.c,v 1.3 1998/10/31 20:07:00 phk Exp $");
 #endif
 
 
@@ -1022,7 +1022,8 @@ uniarp_ioctl(code, data, arg1)
 					AF_INET;
 				SATOSIN(&aar.aap_arp_addr)->sin_addr.s_addr =
 					uap->ua_dstip.s_addr;
-				(void) sprintf(aar.aap_intf, "%s%d",
+				(void) snprintf(aar.aap_intf,
+				    sizeof(aar.aap_intf), "%s%d",
 					nip->nif_if.if_name,
 					nip->nif_if.if_unit);
 				aar.aap_flags = uap->ua_flags;
@@ -1076,7 +1077,8 @@ uniarp_ioctl(code, data, arg1)
 			 */
 			SATOSIN(&aar.aap_arp_addr)->sin_family = AF_INET;
 			SATOSIN(&aar.aap_arp_addr)->sin_addr.s_addr = 0;
-			(void) sprintf(aar.aap_intf, "%s%d",
+			(void) snprintf(aar.aap_intf,
+			    sizeof(aar.aap_intf), "%s%d",
 				nip->nif_if.if_name, nip->nif_if.if_unit);
 			aar.aap_flags = 0;
 			aar.aap_origin = uap->ua_origin;
@@ -1157,7 +1159,8 @@ updbuf:
 			 * Fill in info to be returned
 			 */
 			nip = uip->uip_ipnif->inf_nif;
-			(void) sprintf(asr.asp_intf, "%s%d",
+			(void) snprintf(asr.asp_intf,
+			    sizeof(asr.asp_intf), "%s%d",
 				nip->nif_if.if_name, nip->nif_if.if_unit);
 			asr.asp_state = uip->uip_arpstate;
 			if (uip->uip_arpstate == UIAS_SERVER_ACTIVE) {
diff --git a/sys/netatm/uni/uniarp_cache.c b/sys/netatm/uni/uniarp_cache.c
index c5bf5ae..88a26a5 100644
--- a/sys/netatm/uni/uniarp_cache.c
+++ b/sys/netatm/uni/uniarp_cache.c
@@ -23,7 +23,7 @@
  * Copies of this Software may be made, however, the above copyright
  * notice must be reproduced on all copies.
  *
- *	@(#) $Id: uniarp_cache.c,v 1.1 1998/09/15 08:23:09 phk Exp $
+ *	@(#) $Id: uniarp_cache.c,v 1.2 1998/10/31 20:07:00 phk Exp $
  *
  */
 
@@ -43,7 +43,7 @@
 #include <netatm/uni/uniip_var.h>
 
 #ifndef lint
-__RCSID("@(#) $Id: uniarp_cache.c,v 1.1 1998/09/15 08:23:09 phk Exp $");
+__RCSID("@(#) $Id: uniarp_cache.c,v 1.2 1998/10/31 20:07:00 phk Exp $");
 #endif
 
 
@@ -79,6 +79,7 @@ uniarp_cache_svc(uip, ip, atm, atmsub, origin)
 
 #ifdef DIAGNOSTIC
 	strncpy(abuf, unisig_addr_print(atmsub), sizeof(abuf));
+	abuf[sizeof(abuf) - 1] = 0;
 	ATM_DEBUG4("cache_svc: ip=%s, atm=(%s,%s), origin=%d\n",
 		inet_ntoa(*ip), unisig_addr_print(atm), abuf, origin);
 #endif
@@ -156,6 +157,7 @@ uniarp_cache_svc(uip, ip, atm, atmsub, origin)
 			if (ipuap->ua_ivp != NULL) {
 				strncpy(abuf, unisig_addr_print(atmsub),
 					sizeof(abuf));
+				abuf[sizeof(abuf) - 1] = 0;
 				log(LOG_WARNING, 
 					"uniarp: duplicate IP address %s from %s,%s\n",
 					inet_ntoa(*ip), unisig_addr_print(atm),
@@ -185,6 +187,7 @@ uniarp_cache_svc(uip, ip, atm, atmsub, origin)
 		}
 
 		strncpy(abuf, unisig_addr_print(atmsub), sizeof(abuf));
+		abuf[sizeof(abuf) - 1] = 0;
 		log(LOG_WARNING, 
 			"uniarp: ATM address for %s changed to %s,%s\n",
 			inet_ntoa(*ip), unisig_addr_print(atm), abuf);
@@ -328,6 +331,7 @@ uniarp_cache_pvc(ivp, ip, atm, atmsub)
 		vci = ivp->iv_conn->co_connvc->cvc_vcc->vc_vci;
 	}
 	strncpy(buf, unisig_addr_print(atmsub), sizeof(buf));
+	buf[sizeof(buf) - 1] = 0;
 	ATM_DEBUG5("cache_pvc: vcc=(%d,%d), ip=%s, atm=(%s,%s)\n",
 		vpi, vci, inet_ntoa(*ip), unisig_addr_print(atm), buf);
 #endif
diff --git a/sys/netatm/uni/uniarp_input.c b/sys/netatm/uni/uniarp_input.c
index 9ef6225..b621ac3 100644
--- a/sys/netatm/uni/uniarp_input.c
+++ b/sys/netatm/uni/uniarp_input.c
@@ -23,7 +23,7 @@
  * Copies of this Software may be made, however, the above copyright
  * notice must be reproduced on all copies.
  *
- *	@(#) $Id: uniarp_input.c,v 1.1 1998/09/15 08:23:09 phk Exp $
+ *	@(#) $Id: uniarp_input.c,v 1.2 1998/10/31 20:07:00 phk Exp $
  *
  */
 
@@ -43,7 +43,7 @@
 #include <netatm/uni/uniip_var.h>
 
 #ifndef lint
-__RCSID("@(#) $Id: uniarp_input.c,v 1.1 1998/09/15 08:23:09 phk Exp $");
+__RCSID("@(#) $Id: uniarp_input.c,v 1.2 1998/10/31 20:07:00 phk Exp $");
 #endif
 
 
@@ -846,7 +846,8 @@ uniarp_pdu_print(ivp, m, msg)
 	struct vccb	*vcp;
 
 	vcp = ivp->iv_conn->co_connvc->cvc_vcc;
-	sprintf(buf, "uniarp %s: vcc=(%d,%d)\n", msg, vcp->vc_vpi, vcp->vc_vci);
+	snprintf(buf, sizeof(buf),
+	    "uniarp %s: vcc=(%d,%d)\n", msg, vcp->vc_vpi, vcp->vc_vci);
 	atm_pdu_print(m, buf);
 }
 
diff --git a/sys/netatm/uni/unisig_if.c b/sys/netatm/uni/unisig_if.c
index e1cfc8f..c85e462 100644
--- a/sys/netatm/uni/unisig_if.c
+++ b/sys/netatm/uni/unisig_if.c
@@ -23,7 +23,7 @@
  * Copies of this Software may be made, however, the above copyright
  * notice must be reproduced on all copies.
  *
- *	@(#) $Id: unisig_if.c,v 1.2 1998/09/17 09:35:02 phk Exp $
+ *	@(#) $Id: unisig_if.c,v 1.3 1998/10/31 20:07:01 phk Exp $
  *
  */
 
@@ -47,7 +47,7 @@
 #include <netatm/uni/unisig_msg.h>
 
 #ifndef lint
-__RCSID("@(#) $Id: unisig_if.c,v 1.2 1998/09/17 09:35:02 phk Exp $");
+__RCSID("@(#) $Id: unisig_if.c,v 1.3 1998/10/31 20:07:01 phk Exp $");
 #endif
 
 
@@ -894,7 +894,8 @@ unisig_ioctl(code, data, arg1)
 			/*
 			 * Fill out the response struct for the VCC
 			 */
-			(void) sprintf(rsp.avp_intf, "%s%d",
+			(void) snprintf(rsp.avp_intf,
+				    sizeof(rsp.avp_intf), "%s%d",
 					usp->us_pif->pif_name,
 					usp->us_pif->pif_unit);
 			rsp.avp_vpi = uvp->uv_vpi;
diff --git a/sys/netatm/uni/unisig_util.c b/sys/netatm/uni/unisig_util.c
index 6a3afb8..a3a2ab2 100644
--- a/sys/netatm/uni/unisig_util.c
+++ b/sys/netatm/uni/unisig_util.c
@@ -23,7 +23,7 @@
  * Copies of this Software may be made, however, the above copyright
  * notice must be reproduced on all copies.
  *
- *	@(#) $Id: unisig_util.c,v 1.2 1998/09/17 09:35:02 phk Exp $
+ *	@(#) $Id: unisig_util.c,v 1.3 1998/10/31 20:07:01 phk Exp $
  *
  */
 
@@ -42,7 +42,7 @@
 #include <netatm/uni/unisig_msg.h>
 
 #ifndef lint
-__RCSID("@(#) $Id: unisig_util.c,v 1.2 1998/09/17 09:35:02 phk Exp $");
+__RCSID("@(#) $Id: unisig_util.c,v 1.3 1998/10/31 20:07:01 phk Exp $");
 #endif
 
 
@@ -303,7 +303,8 @@ unisig_addr_print(p)
 				 * two-digit hex representation of the
 				 * NSAP byte in the output buffer
 				 */
-				sprintf(t_buff, "%x", *cp + 512);
+				snprintf(t_buff, sizeof(t_buff),
+					"%x", *cp + 512);
 				strcpy(op, &t_buff[strlen(t_buff)-2]);
 				op++; op++;
 				cp++;
@@ -325,7 +326,8 @@ unisig_addr_print(p)
 		 * Print the IA5 characters of the E.164 address
 		 */
 		for(i=0; i<p->address_length; i++) {
-			sprintf(&strbuff[strlen(strbuff)], "%c",
+			snprintf(strbuff + strlen(strbuff),
+			    sizeof(strbuff) - strlen(strbuff), "%c",
 				((Atm_addr_e164 *)p->address)->aae_addr[i]);
 		}
 		break;
@@ -346,7 +348,7 @@ unisig_addr_print(p)
 		/*
 		 * Print the address as two words xxxxx.yyyyyyyy
 		 */
-		sprintf(strbuff, "%x.%x", u1.w, u2.w);
+		snprintf(strbuff, sizeof(strbuff), "%x.%x", u1.w, u2.w);
 		break;
 
 	case T_ATM_ABSENT: