diff options
| author | imp <imp@FreeBSD.org> | 1996-10-27 03:06:52 +0000 |
|---|---|---|
| committer | imp <imp@FreeBSD.org> | 1996-10-27 03:06:52 +0000 |
| commit | 354a4db3b5ff4e1a474ecd6a53a6b494699bb7e5 (patch) | |
| tree | 66221bf4a36b58f86dc5901d5b3fa62ac74e6013 /usr.sbin/lpr/lpd | |
| parent | 45818699bea7c582d8a5554fabaa32c65e8385f8 (diff) | |
| download | FreeBSD-src-354a4db3b5ff4e1a474ecd6a53a6b494699bb7e5.zip FreeBSD-src-354a4db3b5ff4e1a474ecd6a53a6b494699bb7e5.tar.gz | |
lpc/cmds.c:
From NetBSD via OpenBSD to fix NetBSD PR #506
More descriptive message for printer status
(OpenBSD: 1.2)
Various warnings cleaned up (OpenBSD: 1.4)
lpc/lpc.c:
Various warnings cleaned up (OpenBSD: 1.3)
lpd/lpd.c:
Remove trailing blank lines (OpenBSD: 1.2)
Potential umask problem with creating /dev/printer
(OpenBSD: 1.4 and 1.5)
Ftp bounce attack (untested on FreeBSD)
(OpenBSD: 1.6, 1.8, 1.9)
Fencepost in strncpy
(OpenBSD: 1.6)
lpd/printjob.c:
Fix from freebsd for waiting for an exiting filter, that
appears not in the FreeBSD CVS tree.
(OpenBSD: 1.6)
lpd/recvjob.c:
Buffer overflow protection: use strncpy rather than strcpy.
(OpenBSD: 1.3)
lpr/lpr.c:
NetBSD change of return type for main()
(OpenBSD: 1.2)
Restrict time running as root
(OpenBSD: 1.7)
Use getcwd rather than getwd (from NetBSD)
Use snprintf rather than sprintf
(OpenBSD: 1.8)
Minor tweak to end of loop and buffer overflow sanity. card()
overflow already in FreeBSD
(OpenBSD: 1.9)
lptest/lptest.c:
void -> int return type of main, from NetBSD via OpenBSD
(OpenBSD: 1.2)
pac/pac.c:
void -> int return type of main, from NetBSD via OpenBSD
(OpenBSD: 1.3)
Obtained from: OpenBSD
Diffstat (limited to 'usr.sbin/lpr/lpd')
| -rw-r--r-- | usr.sbin/lpr/lpd/lpd.c | 38 | ||||
| -rw-r--r-- | usr.sbin/lpr/lpd/printjob.c | 2 | ||||
| -rw-r--r-- | usr.sbin/lpr/lpd/recvjob.c | 6 |
3 files changed, 30 insertions, 16 deletions
diff --git a/usr.sbin/lpr/lpd/lpd.c b/usr.sbin/lpr/lpd/lpd.c index feae8e7..898fc48 100644 --- a/usr.sbin/lpr/lpd/lpd.c +++ b/usr.sbin/lpr/lpd/lpd.c @@ -179,6 +179,7 @@ main(argc, argv) } #define mask(s) (1 << ((s) - 1)) omask = sigblock(mask(SIGHUP)|mask(SIGINT)|mask(SIGQUIT)|mask(SIGTERM)); + (void) umask(07); signal(SIGHUP, mcleanup); signal(SIGINT, mcleanup); signal(SIGQUIT, mcleanup); @@ -193,6 +194,7 @@ main(argc, argv) syslog(LOG_ERR, "ubind: %m"); exit(1); } + (void) umask(0); sigsetmask(omask); FD_ZERO(&defreadfds); FD_SET(funix, &defreadfds); @@ -245,6 +247,10 @@ main(argc, argv) domain = AF_INET, fromlen = sizeof(frominet); s = accept(finet, (struct sockaddr *)&frominet, &fromlen); + if (frominet.sin_port == htons(20)) { + close(s); + continue; + } } if (s < 0) { if (errno != EINTR) @@ -494,9 +500,11 @@ chkhost(f) register struct hostent *hp; register FILE *hostf; int first = 1; + int good = 0; f->sin_port = ntohs(f->sin_port); - if (f->sin_family != AF_INET || f->sin_port >= IPPORT_RESERVED) + if (f->sin_family != AF_INET || f->sin_port >= IPPORT_RESERVED || + f->sin_port == htons(20)) fatal("Malformed from address"); /* Need real hostname for temporary filenames */ @@ -506,10 +514,24 @@ chkhost(f) fatal("Host name for your address (%s) unknown", inet_ntoa(f->sin_addr)); - (void) strncpy(fromb, hp->h_name, sizeof(fromb)); + (void) strncpy(fromb, hp->h_name, sizeof(fromb) - 1); from[sizeof(fromb) - 1] = '\0'; from = fromb; + /* Check for spoof, ala rlogind */ + hp = gethostbyname(fromb); + if (!hp) + fatal("hostname for your address (%s) unknown", + inet_ntoa(f->sin_addr)); + for (; good == 0 && hp->h_addr_list[0] != NULL; hp->h_addr_list++) { + if (!bcmp(hp->h_addr_list[0], (caddr_t)&f->sin_addr, + sizeof(f->sin_addr))) + good = 1; + } + if (good == 0) + fatal("address for your hostname (%s) not matched", + inet_ntoa(f->sin_addr)); + hostf = fopen(_PATH_HOSTSEQUIV, "r"); again: if (hostf) { @@ -528,15 +550,3 @@ again: fatal("Your host does not have line printer access"); /*NOTREACHED*/ } - - - - - - - - - - - - diff --git a/usr.sbin/lpr/lpd/printjob.c b/usr.sbin/lpr/lpd/printjob.c index e7e8324..d47d3f0 100644 --- a/usr.sbin/lpr/lpd/printjob.c +++ b/usr.sbin/lpr/lpd/printjob.c @@ -288,6 +288,8 @@ again: if (TR != NULL) /* output trailer */ (void) write(ofd, TR, strlen(TR)); } + (void) close(ofd); + (void) wait(NULL); (void) unlink(tempfile); exit(0); } diff --git a/usr.sbin/lpr/lpd/recvjob.c b/usr.sbin/lpr/lpd/recvjob.c index fb307c5..040db82 100644 --- a/usr.sbin/lpr/lpd/recvjob.c +++ b/usr.sbin/lpr/lpd/recvjob.c @@ -170,7 +170,8 @@ readjob() * returns */ strcpy(cp + 6, from); - strcpy(tfname, cp); + strncpy(tfname, cp, sizeof tfname-1); + tfname[sizeof tfname-1] = '\0'; tfname[0] = 't'; if (!chksize(size)) { (void) write(1, "\2", 1); @@ -197,7 +198,8 @@ readjob() (void) write(1, "\2", 1); continue; } - (void) strcpy(dfname, cp); + (void) strncpy(dfname, cp, sizeof dfname-1); + dfname[sizeof dfname-1] = '\0'; if (index(dfname, '/')) frecverr("readjob: %s: illegal path name", dfname); |
