author | imp <imp@FreeBSD.org> | 1999-08-21 18:25:38 +0000 |
---|---|---|
committer | imp <imp@FreeBSD.org> | 1999-08-21 18:25:38 +0000 |
commit | a978a32098bf6ccd9c16b09e3d922613a6372e25 (patch) | |
tree | debdb3b9c72ce29ff5d5169fe371968ba5e431d6 /usr.bin/finger | |
parent | 1d06e20aed2b1429061f40a5d5b6d1bacf6f95d0 (diff) | |
Fix possible buffer overflow with finger and fingerd.
Submitted by: Lukasz Luzar <lluzar@noname.kki.krakow.pl> and
Eivind Eklund <eivind@yes.no>
This patch is actually a combination of those two patches.
Diffstat (limited to 'usr.bin/finger')
-rw-r--r-- | usr.bin/finger/util.c | 43 |
1 files changed, 27 insertions, 16 deletions
diff --git a/usr.bin/finger/util.c b/usr.bin/finger/util.c
index 0a48d46..8e58ed2 100644
--- a/usr.bin/finger/util.c
+++ b/usr.bin/finger/util.c
@@ -39,7 +39,7 @@
 static char sccsid[] = "@(#)util.c 8.3 (Berkeley) 4/28/95";
 #else
 static const char rcsid[] =
- "$Id$";
+ "$Id: util.c,v 1.5 1997/07/02 06:34:51 charnier Exp $";
 #endif
 #endif /* not lint */
@@ -79,7 +79,8 @@ match(pw, user)
 * XXX
 * Why do we skip asterisks!?!?
 */
- (void)strcpy(p = tbuf, pw->pw_gecos);
+ (void)strncpy(p = tbuf, pw->pw_gecos, sizeof(tbuf));
+ p[sizeof(tbuf) - 1] = '\0';
 if (*p == '*')
 ++p;
@@ -87,13 +88,17 @@ match(pw, user)
 if ((p = strtok(p, ",")) == NULL)
 return(0);
- for (t = name; (*t = *p) != '\0'; ++p)
- if (*t == '&') {
- (void)strcpy(t, pw->pw_name);
+ for (t = name; (*t = *p) != '\0' && t - name > sizeof(name); ++p) {
+ if (*t == '&') {
+ (void)strncpy(t, pw->pw_name,
+ sizeof(name) - (t - name));
+ name[sizeof(name) - 1] = '\0';
 while (*++t);
- }
- else
+ } else {
 ++t;
+ }
+ }
+ *t = '\0';
 for (t = name; (p = strtok(t, "\t ")) != NULL; t = NULL)
 if (!strcasecmp(p, user))
 return(1);
@@ -267,7 +272,7 @@ prphone(num)
 {
 register char *p;
 int len;
- static char pbuf[15];
+ static char pbuf[20];
 /* don't touch anything if the user has their own formatting */
 for (p = num; *p; ++p)
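Review bot: The new loop bound in match() is inverted: `t - name > sizeof(name)` is false on the first pass, where the difference is 0, so the loop stops after storing a single byte and the added `*t = '\0'` then overwrites it. As far as the hunk shows, that leaves `name` empty and the strtok()/strcasecmp() comparison below with nothing to match, so lookups by real name would stop working. The bound should be tested before the store and should reserve the last byte for the terminator: `for (t = name; t < name + sizeof(name) - 1 && (*t = *p) != '\0'; ++p) {`. match() starts and ends outside the hunk, so the declared size of `name` is not visible here.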
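Review bot: `static char pbuf[20];` enlarges the buffer, but nothing in this hunk shows the writes into it being bounded, so the fix holds only if the formatter never produces more than 19 characters. The formatting code of prphone() lies outside the hunk; if it fills `pbuf` with unbounded copies, a length check against `sizeof(pbuf)` there would enforce the limit instead of assuming it. A comment on the declaration, such as `/* must hold the longest formatted number plus the terminating NUL */`, would at least record where the 20 comes from.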
@@ -346,22 +351,27 @@ userinfo(pn, pw)
 pn->shell = strdup(pw->pw_shell);
 /* why do we skip asterisks!?!? */
- (void)strcpy(bp = tbuf, pw->pw_gecos);
+ (void)strncpy(bp = tbuf, pw->pw_gecos, sizeof(tbuf));
+ bp[sizeof(tbuf) - 1] = '\0';
 if (*bp == '*')
 ++bp;
 /* ampersands get replaced by the login name */
 if (!(p = strsep(&bp, ",")))
 return;
- for (t = name; (*t = *p) != '\0'; ++p)
+ for (t = name; (*t = *p) != '\0' && t < name + sizeof(name); ++p) {
 if (*t == '&') {
- (void)strcpy(t, pw->pw_name);
+ (void)strncpy(t, pw->pw_name,
+ sizeof(name) - (t - name));
+ name[sizeof(name) - 1] = '\0';
 if (islower(*t))
 *t = toupper(*t);
 while (*++t);
- }
- else
+ } else {
 ++t;
+ }
+ }
+ *t = '\0';
 pn->realname = strdup(name);
 pn->office = ((p = strsep(&bp, ",")) && *p) ?
@@ -369,7 +379,7 @@ userinfo(pn, pw)
 strdup(p) : NULL;
 pn->homephone = ((p = strsep(&bp, ",")) && *p) ?
 strdup(p) : NULL;
- (void)sprintf(tbuf,"%s/%s", _PATH_MAILDIR, pw->pw_name);
+ (void)snprintf(tbuf, sizeof(tbuf), "%s/%s", _PATH_MAILDIR, pw->pw_name);
 pn->mailrecv = -1; /* -1 == not_valid */
 if (stat(tbuf, &sb) < 0) {
 if (errno != ENOENT) {
@@ -396,9 +406,10 @@ hide(pw)
 if (!pw->pw_dir)
 return 0;
- sprintf (buf, "%s/.nofinger", pw->pw_dir);
+ snprintf(buf, sizeof(buf), "%s/.nofinger", pw->pw_dir);
+ buf[sizeof(buf) - 1] = '\0';
- if (access (buf, F_OK) == 0)
+ if (access(buf, F_OK) == 0)
 return 1;
 return 0; |
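Review bot: The bound in the userinfo() loop is evaluated after the store, so `(*t = *p)` can still write one byte past `name`: once `t` has advanced to `name + sizeof(name)`, the assignment runs before `t < name + sizeof(name)` is tested, and the added `*t = '\0'` after the loop then writes to the same out-of-range slot. Testing the bound first and reserving the final byte closes both writes: `for (t = name; t < name + sizeof(name) - 1 && (*t = *p) != '\0'; ++p) {`. userinfo() begins and ends outside the hunk, so the declaration of `name` is not visible here.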
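Review bot: Neither snprintf() result is checked, in userinfo() or in hide(), so an over-long `pw->pw_name` or `pw->pw_dir` is now silently truncated and the shortened path is handed to stat() or access(). In hide() that fails open: a truncated path no longer ends in `.nofinger`, access() will most likely fail, and the function returns 0 for a user who opted out of being listed. Comparing the return value with the buffer size and deciding the truncated case explicitly avoids this, for example `if ((size_t)snprintf(buf, sizeof(buf), "%s/.nofinger", pw->pw_dir) >= sizeof(buf)) return 1;`. The added `buf[sizeof(buf) - 1] = '\0';` is redundant, because snprintf() always terminates a non-empty buffer. Both functions extend beyond their hunks.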