Examine all occurrences of sprintf(), strcat(), and str[n]cpy()

for possible buffer overflow problems. Replaced most sprintf()'s with snprintf(); for others cases, added terminating NUL bytes where appropriate, replaced constants like "16" with sizeof(), etc. These changes include several bug fixes, but most changes are for maintainability's sake. Any instance where it wasn't "immediately obvious" that a buffer overflow could not occur was made safer. Reviewed by: Bruce Evans <bde@zeta.org.au> Reviewed by: Matthew Dillon <dillon@apollo.backplane.com> Reviewed by: Mike Spengler <mks@networkcs.com>
author: archie <archie@FreeBSD.org> 1998-12-04 22:54:57 +0000
committer: archie <archie@FreeBSD.org> 1998-12-04 22:54:57 +0000
commit: 982e80577dd08945aa2345ebe35e3f50eef9eb48 (patch)
tree: e21ff4cbfbcb4097c6cc444d68ddd9a3fd37837f /sys/netinet
parent: 707b8f68aa118c7396f2a2633751e32477d9ed08 (diff)
download: FreeBSD-src-982e80577dd08945aa2345ebe35e3f50eef9eb48.zip
FreeBSD-src-982e80577dd08945aa2345ebe35e3f50eef9eb48.tar.gz
3 files changed, 14 insertions, 12 deletions
diff --git a/sys/netinet/ip_divert.c b/sys/netinet/ip_divert.c
index 87ae671..b39948e 100644
--- a/sys/netinet/ip_divert.c
+++ b/sys/netinet/ip_divert.c
@@ -30,7 +30,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- *	$Id: ip_divert.c,v 1.33 1998/07/02 06:31:25 julian Exp $
+ *	$Id: ip_divert.c,v 1.34 1998/07/06 09:06:58 julian Exp $
  */
 
 #include "opt_inet.h"
@@ -197,8 +197,8 @@ div_input(struct mbuf *m, int hlen)
 	/*
 	 * Record the incoming interface name whenever we have one.
 	 */
+	bzero(&divsrc.sin_zero, sizeof(divsrc.sin_zero));
 	if (m->m_pkthdr.rcvif) {
-		char	name[32];
 		/*
 		 * Hide the actual interface name in there in the 
 		 * sin_zero array. XXX This needs to be moved to a
@@ -217,9 +217,9 @@ div_input(struct mbuf *m, int hlen)
 		 * this iface name will come along for the ride.
 		 * (see div_output for the other half of this.)
 		 */ 
-		sprintf(name, "%s%d",
-			m->m_pkthdr.rcvif->if_name, m->m_pkthdr.rcvif->if_unit);
-		strncpy(divsrc.sin_zero, name, 7);
+		snprintf(divsrc.sin_zero, sizeof(divsrc.sin_zero),
+			"%s%d", m->m_pkthdr.rcvif->if_name,
+			m->m_pkthdr.rcvif->if_unit);
 	}
 
 	/* Put packet on socket queue, if any */
diff --git a/sys/netinet/ip_fil.c b/sys/netinet/ip_fil.c
index 1075316..6cbdac9 100644
--- a/sys/netinet/ip_fil.c
+++ b/sys/netinet/ip_fil.c
@@ -7,7 +7,7 @@
  */
 #if !defined(lint)
 static const char sccsid[] = "@(#)ip_fil.c	2.41 6/5/96 (C) 1993-1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_fil.c,v 1.5 1998/06/20 18:37:50 peter Exp $";
+static const char rcsid[] = "@(#)$Id: ip_fil.c,v 1.6 1998/08/15 21:51:53 bde Exp $";
 #endif
 
 #include "opt_ipfilter.h"
@@ -1110,12 +1110,12 @@ ip_t *ip;
 
 # if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \
 	(defined(OpenBSD) && (OpenBSD >= 199603))
-	sprintf(fname, "/tmp/%s", ifp->if_xname);
+	snprintf(fname, sizeof(fname), "/tmp/%s", ifp->if_xname);
 	if ((fp = fopen(fname, "a"))) {
 		fclose(fp);
 	}
 # else
-	sprintf(fname, "/tmp/%s%d", ifp->if_name, ifp->if_unit);
+	snprintf(fname, sizeof(fname), "/tmp/%s%d", ifp->if_name, ifp->if_unit);
 	if ((fp = fopen(fname, "a"))) {
 		fwrite((char *)ip, ntohs(ip->ip_len), 1, fp);
 		fclose(fp);
@@ -1139,7 +1139,8 @@ char *name;
 	char ifname[32], *s;
 
 	for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) {
-		(void) sprintf(ifname, "%s%d", ifp->if_name, ifp->if_unit);
+		(void) snprintf(ifname, sizeof(ifname),
+			"%s%d", ifp->if_name, ifp->if_unit);
 		if (!strcmp(name, ifname))
 			return ifp;
 	}
@@ -1190,7 +1191,7 @@ void init_ifp()
 	(defined(OpenBSD) && (OpenBSD >= 199603))
 	for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) {
 		ifp->if_output = write_output;
-		sprintf(fname, "/tmp/%s", ifp->if_xname);
+		snprintf(fname, sizeof(fname), "/tmp/%s", ifp->if_xname);
 		if ((fp = fopen(fname, "w")))
 			fclose(fp);
 	}
@@ -1198,7 +1199,8 @@ void init_ifp()
 
 	for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) {
 		ifp->if_output = write_output;
-		sprintf(fname, "/tmp/%s%d", ifp->if_name, ifp->if_unit);
+		snprintf(fname, sizeof(fname),
+		    "/tmp/%s%d", ifp->if_name, ifp->if_unit);
 		if ((fp = fopen(fname, "w")))
 			fclose(fp);
 	}
diff --git a/sys/netinet/ip_ftp_pxy.c b/sys/netinet/ip_ftp_pxy.c
index 1a66a9b..dd70c81 100644
--- a/sys/netinet/ip_ftp_pxy.c
+++ b/sys/netinet/ip_ftp_pxy.c
@@ -165,7 +165,7 @@ nat_t *nat;
 	a4 = a1 & 0xff;
 	a1 >>= 24;
 	olen = s - portbuf + 1;
-	(void) sprintf(newbuf, "PORT %d,%d,%d,%d,%d,%d\r\n",
+	(void) snprintf(newbuf, sizeof(newbuf), "PORT %d,%d,%d,%d,%d,%d\r\n",
 		a1, a2, a3, a4, a5, a6);
 	nlen = strlen(newbuf);
 	inc = nlen - olen;
author	archie <archie@FreeBSD.org>	1998-12-04 22:54:57 +0000
committer	archie <archie@FreeBSD.org>	1998-12-04 22:54:57 +0000
commit	982e80577dd08945aa2345ebe35e3f50eef9eb48 (patch)
tree	e21ff4cbfbcb4097c6cc444d68ddd9a3fd37837f /sys/netinet
parent	707b8f68aa118c7396f2a2633751e32477d9ed08 (diff)
download	FreeBSD-src-982e80577dd08945aa2345ebe35e3f50eef9eb48.zip FreeBSD-src-982e80577dd08945aa2345ebe35e3f50eef9eb48.tar.gz