diff options
| author | imp <imp@FreeBSD.org> | 1997-07-29 04:17:19 +0000 |
|---|---|---|
| committer | imp <imp@FreeBSD.org> | 1997-07-29 04:17:19 +0000 |
| commit | b1debf973d6a489bfe9c6511c94e356d6c024a47 (patch) | |
| tree | 58de2e9f99438beeb37077a12a91d565f0aa5ae0 /usr.sbin/lpr/lpd/recvjob.c | |
| parent | 62296c6450c3104df51d51aa47ad4b74faae7e6b (diff) | |
| download | FreeBSD-src-b1debf973d6a489bfe9c6511c94e356d6c024a47.zip FreeBSD-src-b1debf973d6a489bfe9c6511c94e356d6c024a47.tar.gz | |
Fix boatloads of buffer overflows from the OpenBSD tree.
Be pedantic about always using sizeof(blah) vs sizeof (blah) or sizeof blah.
Obtained from:OpenBSD
Diffstat (limited to 'usr.sbin/lpr/lpd/recvjob.c')
| -rw-r--r-- | usr.sbin/lpr/lpd/recvjob.c | 27 |
1 files changed, 17 insertions, 10 deletions
diff --git a/usr.sbin/lpr/lpd/recvjob.c b/usr.sbin/lpr/lpd/recvjob.c index 3bfbb99..5c1d027 100644 --- a/usr.sbin/lpr/lpd/recvjob.c +++ b/usr.sbin/lpr/lpd/recvjob.c @@ -65,10 +65,10 @@ static char sccsid[] = "@(#)recvjob.c 8.2 (Berkeley) 4/27/95"; #define ack() (void) write(1, sp, 1); -static char dfname[256]; /* data files */ +static char dfname[NAME_MAX]; /* data files */ static int minfree; /* keep at least minfree blocks available */ static char *sp = ""; -static char tfname[256]; /* tmp copy of cf before linking */ +static char tfname[NAME_MAX]; /* tmp copy of cf before linking */ static int chksize __P((int)); static void frecverr __P((const char *, ...)); @@ -94,7 +94,7 @@ recvjob() frecverr("unknown printer %s", printer); else if (status == -3) fatal("potential reference loop detected in printcap file"); - + if (cgetstr(bp, "lf", &LF) == -1) LF = _PATH_CONSOLE; if (cgetstr(bp, "sd", &SD) == -1) @@ -146,10 +146,13 @@ readjob() do { if ((size = read(1, cp, 1)) != 1) { if (size < 0) - frecverr("%s: Lost connection",printer); + frecverr("%s: Lost connection", + printer); return(nfiles); } - } while (*cp++ != '\n'); + } while (*cp++ != '\n' && (cp - line + 1) < sizeof(line)); + if (cp - line + 1 >= sizeof(line)) + frecverr("readjob overflow"); *--cp = '\0'; cp = line; switch (*cp++) { @@ -169,10 +172,14 @@ readjob() * something different than what gethostbyaddr() * returns */ - strcpy(cp + 6, from); - strncpy(tfname, cp, sizeof tfname-1); - tfname[sizeof tfname-1] = '\0'; + strncpy(cp + 6, from, sizeof(line) + line - cp - 7); + line[sizeof(line) - 1 ] = '\0'; + strncpy(tfname, cp, sizeof(tfname) - 1); + tfname[sizeof (tfname) - 1] = '\0'; tfname[0] = 't'; + if (strchr(tfname, '/')) + frecverr("readjob: %s: illegal path name", + tfname); if (!chksize(size)) { (void) write(1, "\2", 1); continue; @@ -198,8 +205,8 @@ readjob() (void) write(1, "\2", 1); continue; } - (void) strncpy(dfname, cp, sizeof dfname-1); - dfname[sizeof dfname-1] = '\0'; + (void) strncpy(dfname, cp, sizeof(dfname) - 1); + dfname[sizeof(dfname) - 1] = '\0'; if (strchr(dfname, '/')) frecverr("readjob: %s: illegal path name", dfname); |
