Fix boatloads of buffer overflows from the OpenBSD tree.

Be pedantic about always using sizeof(blah) vs sizeof (blah) or sizeof blah.
Obtained from:OpenBSD

9 files changed, 151 insertions, 100 deletions

diff --git a/usr.sbin/lpr/common_source/common.c b/usr.sbin/lpr/common_source/common.c
index 8c77774..6cb4098 100644
--- a/usr.sbin/lpr/common_source/common.c
+++ b/usr.sbin/lpr/common_source/common.c
@@ -193,14 +193,14 @@ getline(cfp)
 	register char *lp = line;
 	register c;
 
-	while ((c = getc(cfp)) != '\n') {
+	while ((c = getc(cfp)) != '\n' && linel+1 < sizeof(line)) {
 		if (c == EOF)
 			return(0);
 		if (c == '\t') {
 			do {
 				*lp++ = ' ';
 				linel++;
-			} while ((linel & 07) != 0);
+			} while ((linel & 07) != 0 && linel+1 < sizeof(line));
 			continue;
 		}
 		*lp++ = c;
diff --git a/usr.sbin/lpr/common_source/recvjob.c b/usr.sbin/lpr/common_source/recvjob.c
index 3bfbb99..5c1d027 100644
--- a/usr.sbin/lpr/common_source/recvjob.c
+++ b/usr.sbin/lpr/common_source/recvjob.c
@@ -65,10 +65,10 @@ static char sccsid[] = "@(#)recvjob.c	8.2 (Berkeley) 4/27/95";
 
 #define ack()	(void) write(1, sp, 1);
 
-static char	 dfname[256];	/* data files */
+static char	 dfname[NAME_MAX];	/* data files */
 static int	 minfree;       /* keep at least minfree blocks available */
 static char	*sp = "";
-static char	 tfname[256];	/* tmp copy of cf before linking */
+static char	 tfname[NAME_MAX];	/* tmp copy of cf before linking */
 
 static int        chksize __P((int));
 static void       frecverr __P((const char *, ...));
@@ -94,7 +94,7 @@ recvjob()
 		frecverr("unknown printer %s", printer);
 	else if (status == -3)
 		fatal("potential reference loop detected in printcap file");
-
+	
 	if (cgetstr(bp, "lf", &LF) == -1)
 		LF = _PATH_CONSOLE;
 	if (cgetstr(bp, "sd", &SD) == -1)
@@ -146,10 +146,13 @@ readjob()
 		do {
 			if ((size = read(1, cp, 1)) != 1) {
 				if (size < 0)
-					frecverr("%s: Lost connection",printer);
+					frecverr("%s: Lost connection",
+					    printer);
 				return(nfiles);
 			}
-		} while (*cp++ != '\n');
+		} while (*cp++ != '\n' && (cp - line + 1) < sizeof(line));
+		if (cp - line + 1 >= sizeof(line))
+			frecverr("readjob overflow");
 		*--cp = '\0';
 		cp = line;
 		switch (*cp++) {
@@ -169,10 +172,14 @@ readjob()
 			 * something different than what gethostbyaddr()
 			 * returns
 			 */
-			strcpy(cp + 6, from);
-			strncpy(tfname, cp, sizeof tfname-1);
-			tfname[sizeof tfname-1] = '\0';
+			strncpy(cp + 6, from, sizeof(line) + line - cp - 7);
+			line[sizeof(line) - 1 ] = '\0';
+			strncpy(tfname, cp, sizeof(tfname) - 1);
+			tfname[sizeof (tfname) - 1] = '\0';
 			tfname[0] = 't';
+			if (strchr(tfname, '/'))
+				frecverr("readjob: %s: illegal path name",
+				    tfname);
 			if (!chksize(size)) {
 				(void) write(1, "\2", 1);
 				continue;
@@ -198,8 +205,8 @@ readjob()
 				(void) write(1, "\2", 1);
 				continue;
 			}
-			(void) strncpy(dfname, cp, sizeof dfname-1);
-			dfname[sizeof dfname-1] = '\0';
+			(void) strncpy(dfname, cp, sizeof(dfname) - 1);
+			dfname[sizeof(dfname) - 1] = '\0';
 			if (strchr(dfname, '/'))
 				frecverr("readjob: %s: illegal path name",
 					dfname);
diff --git a/usr.sbin/lpr/common_source/rmjob.c b/usr.sbin/lpr/common_source/rmjob.c
index a04b483..c5f79d4 100644
--- a/usr.sbin/lpr/common_source/rmjob.c
+++ b/usr.sbin/lpr/common_source/rmjob.c
@@ -88,7 +88,7 @@ rmjob()
 	if (cgetstr(bp,"lo", &LO) < 0)
 		LO = DEFLOCK;
 	cgetstr(bp, "rm", &RM);
-	if (cp = checkremote())
+	if ((cp = checkremote()))
 		printf("Warning: %s\n", cp);
 
 	/*
@@ -325,12 +325,12 @@ rmremote()
 
 	(void)snprintf(buf, sizeof(buf), "\5%s %s", RP, all ? "-all" : person);
 	cp = buf;
-	for (i = 0; i < users; i++) {
+	for (i = 0; i < users && cp-buf+1+strlen(user[i]) < sizeof(buf); i++) {
 		cp += strlen(cp);
 		*cp++ = ' ';
 		strcpy(cp, user[i]);
 	}
-	for (i = 0; i < requests; i++) {
+	for (i = 0; i < requests && cp-buf+10 < sizeof(buf); i++) {
 		cp += strlen(cp);
 		(void) sprintf(cp, " %d", requ[i]);
 	}
diff --git a/usr.sbin/lpr/common_source/startdaemon.c b/usr.sbin/lpr/common_source/startdaemon.c
index a876c1e..13722f4 100644
--- a/usr.sbin/lpr/common_source/startdaemon.c
+++ b/usr.sbin/lpr/common_source/startdaemon.c
@@ -83,7 +83,7 @@ startdaemon(printer)
 		return(0);
 	}
 	seteuid(uid);
-	if (snprintf(buf, sizeof buf, "\1%s\n", printer) > sizeof buf-1) {
+	if (snprintf(buf, sizeof(buf), "\1%s\n", printer) > sizeof(buf)-1) {
 		close(s);
 		return (0);
 	}
diff --git a/usr.sbin/lpr/lpc/cmds.c b/usr.sbin/lpr/lpc/cmds.c
index c3b8632..b772ed3 100644
--- a/usr.sbin/lpr/lpc/cmds.c
+++ b/usr.sbin/lpr/lpc/cmds.c
@@ -200,11 +200,11 @@ upstat(msg)
 	char *msg;
 {
 	register int fd;
-	char statfile[BUFSIZ];
+	char statfile[MAXPATHLEN];
 
 	if (cgetstr(bp, "st", &ST) == -1)
 		ST = DEFSTAT;
-	(void) sprintf(statfile, "%s/%s", SD, ST);
+	(void) snprintf(statfile, sizeof(statfile), "%s/%s", SD, ST);
 	umask(0);
 	fd = open(statfile, O_WRONLY|O_CREAT, 0664);
 	if (fd < 0 || flock(fd, LOCK_EX) < 0) {
@@ -240,7 +240,8 @@ clean(argc, argv)
 		while (cgetnext(&bp, printcapdb) > 0) {
 			cp1 = prbuf;
 			cp2 = bp;
-			while ((c = *cp2++) && c != '|' && c != ':')
+			while ((c = *cp2++) && c != '|' && c != ':' &&
+			    (cp1 - prbuf) < sizeof(prbuf))
 				*cp1++ = c;
 			*cp1 = '\0';
 			cleanpr();
@@ -390,7 +391,8 @@ enable(argc, argv)
 		while (cgetnext(&bp, printcapdb) > 0) {
 			cp1 = prbuf;
 			cp2 = bp;
-			while ((c = *cp2++) && c != '|' && c != ':')
+			while ((c = *cp2++) && c != '|' && c != ':' &&
+			    (cp1 - prbuf) < sizeof(prbuf))
 				*cp1++ = c;
 			*cp1 = '\0';
 			enablepr();
@@ -458,7 +460,8 @@ disable(argc, argv)
 		while (cgetnext(&bp, printcapdb) > 0) {
 			cp1 = prbuf;
 			cp2 = bp;
-			while ((c = *cp2++) && c != '|' && c != ':')
+			while ((c = *cp2++) && c != '|' && c != ':' &&
+			    (cp1 - prbuf) < sizeof(prbuf))
 				*cp1++ = c;
 			*cp1 = '\0';
 			disablepr();
@@ -535,7 +538,8 @@ down(argc, argv)
 		while (cgetnext(&bp, printcapdb) > 0) {
 			cp1 = prbuf;
 			cp2 = bp;
-			while ((c = *cp2++) && c != '|' && c != ':')
+			while ((c = *cp2++) && c != '|' && c != ':' &&
+			    (cp1 - prbuf) < sizeof(prbuf))
 				*cp1++ = c;
 			*cp1 = '\0';
 			putmsg(argc - 2, argv + 2);
@@ -614,7 +618,7 @@ putmsg(argc, argv)
 	cp1 = buf;
 	while (--argc >= 0) {
 		cp2 = *argv++;
-		while ((*cp1++ = *cp2++))
+		while ((cp1 - buf) < sizeof(buf) && (*cp1++ = *cp2++))
 			;
 		cp1[-1] = ' ';
 	}
@@ -656,7 +660,8 @@ restart(argc, argv)
 		while (cgetnext(&bp, printcapdb) > 0) {
 			cp1 = prbuf;
 			cp2 = bp;
-			while ((c = *cp2++) && c != '|' && c != ':')
+			while ((c = *cp2++) && c != '|' && c != ':' &&
+			    (cp1 - prbuf) < sizeof(prbuf))
 				*cp1++ = c;
 			*cp1 = '\0';
 			abortpr(0);
@@ -701,7 +706,8 @@ startcmd(argc, argv)
 		while (cgetnext(&bp, printcapdb) > 0) {
 			cp1 = prbuf;
 			cp2 = bp;
-			while ((c = *cp2++) && c != '|' && c != ':')
+			while ((c = *cp2++) && c != '|' && c != ':' &&
+			    (cp1 - prbuf) < sizeof(prbuf))
 				*cp1++ = c;
 			*cp1 = '\0';
 			startpr(1);
@@ -770,7 +776,8 @@ status(argc, argv)
 		while (cgetnext(&bp, printcapdb) > 0) {
 			cp1 = prbuf;
 			cp2 = bp;
-			while ((c = *cp2++) && c != '|' && c != ':')
+			while ((c = *cp2++) && c != '|' && c != ':' &&
+			    (cp1 - prbuf) < sizeof(prbuf))
 				*cp1++ = c;
 			*cp1 = '\0';
 			prstat();
@@ -810,7 +817,7 @@ prstat()
 	if (cgetstr(bp, "st", &ST) == -1)
 		ST = DEFSTAT;
 	printf("%s:\n", printer);
-	(void) sprintf(line, "%s/%s", SD, LO);
+	(void) snprintf(line, sizeof(line), "%s/%s", SD, LO);
 	if (stat(line, &stbuf) >= 0) {
 		printf("\tqueuing is %s\n",
 			(stbuf.st_mode & 010) ? "disabled" : "enabled");
@@ -844,7 +851,7 @@ prstat()
 	}
 	(void) close(fd);
 	/* print out the contents of the status file, if it exists */
-	(void) sprintf(line, "%s/%s", SD, ST);
+	(void) snprintf(line, sizeof(line), "%s/%s", SD, ST);
 	fd = open(line, O_RDONLY);
 	if (fd >= 0) {
 		(void) flock(fd, LOCK_SH);
@@ -880,7 +887,8 @@ stop(argc, argv)
 		while (cgetnext(&bp, printcapdb) > 0) {
 			cp1 = prbuf;
 			cp2 = bp;
-			while ((c = *cp2++) && c != '|' && c != ':')
+			while ((c = *cp2++) && c != '|' && c != ':' &&
+			    (cp1 - prbuf) < sizeof(prbuf))
 				*cp1++ = c;
 			*cp1 = '\0';
 			stoppr();
@@ -1049,8 +1057,8 @@ doarg(job)
 	FILE *fp;
 
 	/*
-	 * Look for a job item consisting of system name, colon, number
-	 * (example: ucbarpa:114)
+	 * Look for a job item consisting of system name, colon, number 
+	 * (example: ucbarpa:114)  
 	 */
 	if ((cp = strchr(job, ':')) != NULL) {
 		machine = job;
@@ -1128,7 +1136,8 @@ up(argc, argv)
 		while (cgetnext(&bp, printcapdb) > 0) {
 			cp1 = prbuf;
 			cp2 = bp;
-			while ((c = *cp2++) && c != '|' && c != ':')
+			while ((c = *cp2++) && c != '|' && c != ':' &&
+			    (cp1 - prbuf) < sizeof(prbuf))
 				*cp1++ = c;
 			*cp1 = '\0';
 			startpr(2);
diff --git a/usr.sbin/lpr/lpd/printjob.c b/usr.sbin/lpr/lpd/printjob.c
index 84240d2..3d1400f 100644
--- a/usr.sbin/lpr/lpd/printjob.c
+++ b/usr.sbin/lpr/lpd/printjob.c
@@ -219,7 +219,7 @@ again:
 		errcnt = 0;
 	restart:
 		(void) lseek(lfd, pidoff, 0);
-		(void) sprintf(line, "%s\n", q->q_name);
+		(void) snprintf(line, sizeof(line), "%s\n", q->q_name);
 		i = strlen(line);
 		if (write(lfd, line, i) != i)
 			syslog(LOG_ERR, "%s: %s: %m", printer, LO);
@@ -266,7 +266,7 @@ again:
 			syslog(LOG_WARNING, "%s: job could not be %s (%s)", printer,
 				remote ? "sent to remote host" : "printed", q->q_name);
 			if (i == REPRINT) {
-				/* insure we don't attempt this job again */
+				/* ensure we don't attempt this job again */
 				(void) unlink(q->q_name);
 				q->q_name[0] = 'd';
 				(void) unlink(q->q_name);
@@ -332,7 +332,7 @@ printit(file)
 	 */
 	for (i = 0; i < 4; i++)
 		strcpy(fonts[i], ifonts[i]);
-	sprintf(&width[2], "%d", PW);
+	sprintf(&width[2], "%ld", PW);
 	strcpy(indent+2, "0");
 
 	/*
@@ -377,13 +377,17 @@ printit(file)
 	while (getline(cfp))
 		switch (line[0]) {
 		case 'H':
-			strcpy(fromhost, line+1);
-			if (class[0] == '\0')
-				strncpy(class, line+1, sizeof(class)-1);
+			strncpy(fromhost, line+1, sizeof(fromhost) - 1);
+			fromhost[sizeof(fromhost) - 1] = '\0';
+			if (class[0] == '\0') {
+				strncpy(class, line+1, sizeof(class) - 1);
+				class[sizeof(class) - 1] = '\0';
+			}
 			continue;
 
 		case 'P':
-			strncpy(logname, line+1, sizeof(logname)-1);
+			strncpy(logname, line+1, sizeof(logname) - 1);
+			logname[sizeof(logname) - 1] = '\0';
 			if (RS) {			/* restricted */
 				if (getpwnam(logname) == NULL) {
 					bombed = NOACCT;
@@ -407,21 +411,24 @@ printit(file)
 			continue;
 
 		case 'J':
-			if (line[1] != '\0')
-				strncpy(jobname, line+1, sizeof(jobname)-1);
-			else
+			if (line[1] != '\0') {
+				strncpy(jobname, line+1, sizeof(jobname) - 1);
+				jobname[sizeof(jobname) - 1] = '\0';
+			} else
 				strcpy(jobname, " ");
 			continue;
 
 		case 'C':
 			if (line[1] != '\0')
-				strncpy(class, line+1, sizeof(class)-1);
+				strncpy(class, line+1, sizeof(class) - 1);
 			else if (class[0] == '\0')
 				gethostname(class, sizeof(class));
+			class[sizeof(class) - 1] = '\0';
 			continue;
 
 		case 'T':	/* header title for pr */
-			strncpy(title, line+1, sizeof(title)-1);
+			strncpy(title, line+1, sizeof(title) - 1);
+			title[sizeof(title) - 1] = '\0';
 			continue;
 
 		case 'L':	/* identification line */
@@ -433,16 +440,21 @@ printit(file)
 		case '2':
 		case '3':
 		case '4':
-			if (line[1] != '\0')
-				strcpy(fonts[line[0]-'1'], line+1);
+			if (line[1] != '\0') {
+				strncpy(fonts[line[0]-'1'], line+1,
+				    50-1);
+				fonts[line[0]-'1'][50-1] = '\0';
+			}
 			continue;
 
 		case 'W':	/* page width */
-			strncpy(width+2, line+1, sizeof(width)-3);
+			strncpy(width+2, line+1, sizeof(width) - 3);
+			width[2+sizeof(width) - 3] = '\0';
 			continue;
 
 		case 'I':	/* indent amount */
-			strncpy(indent+2, line+1, sizeof(indent)-3);
+			strncpy(indent+2, line+1, sizeof(indent) - 3);
+			indent[2+sizeof(indent) - 3] = '\0';
 			continue;
 
 		default:	/* some file to print */
@@ -486,6 +498,8 @@ pass2:
 			continue;
 
 		case 'U':
+			if (strchr(line+1, '/'))
+				continue;
 			(void) unlink(line+1);
 		}
 	/*
@@ -709,7 +723,7 @@ start:
 	tof = 0;
 
 	/* Copy filter output to "lf" logfile */
-	if (fp = fopen(tempfile, "r")) {
+	if ((fp = fopen(tempfile, "r"))) {
 		while (fgets(buf, sizeof(buf), fp))
 			fputs(buf, stderr);
 		fclose(fp);
@@ -783,9 +797,9 @@ sendit(file)
 		} else if (line[0] == 'H') {
 			strcpy(fromhost, line+1);
 			if (class[0] == '\0')
-				strncpy(class, line+1, sizeof(class)-1);
+				strncpy(class, line+1, sizeof(class) - 1);
 		} else if (line[0] == 'P') {
-			strncpy(logname, line+1, sizeof(logname)-1);
+			strncpy(logname, line+1, sizeof(logname) - 1);
 			if (RS) {			/* restricted */
 				if (getpwnam(logname) == NULL) {
 					sendmail(line+1, NOACCT);
@@ -794,7 +808,7 @@ sendit(file)
 				}
 			}
 		} else if (line[0] == 'I') {
-			strncpy(indent+2, line+1, sizeof(indent)-3);
+			strncpy(indent+2, line+1, sizeof(indent) - 3);
 		} else if (line[0] >= 'a' && line[0] <= 'z') {
 			strcpy(last, line);
 			while (i = getline(cfp))
@@ -825,7 +839,7 @@ sendit(file)
 	 */
 	fseek(cfp, 0L, 0);
 	while (getline(cfp))
-		if (line[0] == 'U')
+		if (line[0] == 'U' && !strchr(line+1, '/'))
 			(void) unlink(line+1);
 	/*
 	 * clean-up in case another control file exists
@@ -1335,18 +1349,18 @@ init()
 		FF = DEFFF;
 	if (cgetnum(bp, "pw", &PW) < 0)
 		PW = DEFWIDTH;
-	sprintf(&width[2], "%d", PW);
+	sprintf(&width[2], "%ld", PW);
 	if (cgetnum(bp, "pl", &PL) < 0)
 		PL = DEFLENGTH;
-	sprintf(&length[2], "%d", PL);
+	sprintf(&length[2], "%ld", PL);
 	if (cgetnum(bp,"px", &PX) < 0)
 		PX = 0;
-	sprintf(&pxwidth[2], "%d", PX);
+	sprintf(&pxwidth[2], "%ld", PX);
 	if (cgetnum(bp, "py", &PY) < 0)
 		PY = 0;
-	sprintf(&pxlength[2], "%d", PY);
+	sprintf(&pxlength[2], "%ld", PY);
 	cgetstr(bp, "rm", &RM);
-	if (s = checkremote())
+	if ((s = checkremote()))
 		syslog(LOG_WARNING, s);
 
 	cgetstr(bp, "af", &AF);
@@ -1514,13 +1528,13 @@ static void
 openrem()
 {
 	register int i, n;
-	int resp, port;
+	int resp;
 
 	for (i = 1; ; i = i < 256 ? i << 1 : i) {
 		resp = -1;
 		pfd = getport(RM, 0);
 		if (pfd >= 0) {
-			(void) sprintf(line, "\2%s\n", RP);
+			(void) snprintf(line, sizeof(line), "\2%s\n", RP);
 			n = strlen(line);
 			if (write(pfd, line, n) == n &&
 			    (resp = response()) == '\0')
diff --git a/usr.sbin/lpr/lpd/recvjob.c b/usr.sbin/lpr/lpd/recvjob.c
index 3bfbb99..5c1d027 100644
--- a/usr.sbin/lpr/lpd/recvjob.c
+++ b/usr.sbin/lpr/lpd/recvjob.c
@@ -65,10 +65,10 @@ static char sccsid[] = "@(#)recvjob.c	8.2 (Berkeley) 4/27/95";
 
 #define ack()	(void) write(1, sp, 1);
 
-static char	 dfname[256];	/* data files */
+static char	 dfname[NAME_MAX];	/* data files */
 static int	 minfree;       /* keep at least minfree blocks available */
 static char	*sp = "";
-static char	 tfname[256];	/* tmp copy of cf before linking */
+static char	 tfname[NAME_MAX];	/* tmp copy of cf before linking */
 
 static int        chksize __P((int));
 static void       frecverr __P((const char *, ...));
@@ -94,7 +94,7 @@ recvjob()
 		frecverr("unknown printer %s", printer);
 	else if (status == -3)
 		fatal("potential reference loop detected in printcap file");
-
+	
 	if (cgetstr(bp, "lf", &LF) == -1)
 		LF = _PATH_CONSOLE;
 	if (cgetstr(bp, "sd", &SD) == -1)
@@ -146,10 +146,13 @@ readjob()
 		do {
 			if ((size = read(1, cp, 1)) != 1) {
 				if (size < 0)
-					frecverr("%s: Lost connection",printer);
+					frecverr("%s: Lost connection",
+					    printer);
 				return(nfiles);
 			}
-		} while (*cp++ != '\n');
+		} while (*cp++ != '\n' && (cp - line + 1) < sizeof(line));
+		if (cp - line + 1 >= sizeof(line))
+			frecverr("readjob overflow");
 		*--cp = '\0';
 		cp = line;
 		switch (*cp++) {
@@ -169,10 +172,14 @@ readjob()
 			 * something different than what gethostbyaddr()
 			 * returns
 			 */
-			strcpy(cp + 6, from);
-			strncpy(tfname, cp, sizeof tfname-1);
-			tfname[sizeof tfname-1] = '\0';
+			strncpy(cp + 6, from, sizeof(line) + line - cp - 7);
+			line[sizeof(line) - 1 ] = '\0';
+			strncpy(tfname, cp, sizeof(tfname) - 1);
+			tfname[sizeof (tfname) - 1] = '\0';
 			tfname[0] = 't';
+			if (strchr(tfname, '/'))
+				frecverr("readjob: %s: illegal path name",
+				    tfname);
 			if (!chksize(size)) {
 				(void) write(1, "\2", 1);
 				continue;
@@ -198,8 +205,8 @@ readjob()
 				(void) write(1, "\2", 1);
 				continue;
 			}
-			(void) strncpy(dfname, cp, sizeof dfname-1);
-			dfname[sizeof dfname-1] = '\0';
+			(void) strncpy(dfname, cp, sizeof(dfname) - 1);
+			dfname[sizeof(dfname) - 1] = '\0';
 			if (strchr(dfname, '/'))
 				frecverr("readjob: %s: illegal path name",
 					dfname);
diff --git a/usr.sbin/lpr/lpr/lpr.c b/usr.sbin/lpr/lpr/lpr.c
index c4ba232..de0be2a 100644
--- a/usr.sbin/lpr/lpr/lpr.c
+++ b/usr.sbin/lpr/lpr/lpr.c
@@ -45,7 +45,7 @@ static char copyright[] =
 
 #ifndef lint
 static char sccsid[] = "From: @(#)lpr.c	8.4 (Berkeley) 4/28/95"
-	"\n$Id: lpr.c,v 1.17 1997/07/23 00:49:37 imp Exp $\n";
+	"\n$Id: lpr.c,v 1.18 1997/07/23 20:53:38 imp Exp $\n";
 #endif /* not lint */
 
 /*
@@ -140,7 +140,7 @@ main(argc, argv)
 		signal(SIGTERM, cleanup);
 
 	name = argv[0];
-	gethostname(host, sizeof (host));
+	gethostname(host, sizeof(host));
 	openlog("lpd", 0, LOG_LPR);
 
 	errs = 0;
diff --git a/usr.sbin/lpr/runqueue/printjob.c b/usr.sbin/lpr/runqueue/printjob.c
index 84240d2..3d1400f 100644
--- a/usr.sbin/lpr/runqueue/printjob.c
+++ b/usr.sbin/lpr/runqueue/printjob.c
@@ -219,7 +219,7 @@ again:
 		errcnt = 0;
 	restart:
 		(void) lseek(lfd, pidoff, 0);
-		(void) sprintf(line, "%s\n", q->q_name);
+		(void) snprintf(line, sizeof(line), "%s\n", q->q_name);
 		i = strlen(line);
 		if (write(lfd, line, i) != i)
 			syslog(LOG_ERR, "%s: %s: %m", printer, LO);
@@ -266,7 +266,7 @@ again:
 			syslog(LOG_WARNING, "%s: job could not be %s (%s)", printer,
 				remote ? "sent to remote host" : "printed", q->q_name);
 			if (i == REPRINT) {
-				/* insure we don't attempt this job again */
+				/* ensure we don't attempt this job again */
 				(void) unlink(q->q_name);
 				q->q_name[0] = 'd';
 				(void) unlink(q->q_name);
@@ -332,7 +332,7 @@ printit(file)
 	 */
 	for (i = 0; i < 4; i++)
 		strcpy(fonts[i], ifonts[i]);
-	sprintf(&width[2], "%d", PW);
+	sprintf(&width[2], "%ld", PW);
 	strcpy(indent+2, "0");
 
 	/*
@@ -377,13 +377,17 @@ printit(file)
 	while (getline(cfp))
 		switch (line[0]) {
 		case 'H':
-			strcpy(fromhost, line+1);
-			if (class[0] == '\0')
-				strncpy(class, line+1, sizeof(class)-1);
+			strncpy(fromhost, line+1, sizeof(fromhost) - 1);
+			fromhost[sizeof(fromhost) - 1] = '\0';
+			if (class[0] == '\0') {
+				strncpy(class, line+1, sizeof(class) - 1);
+				class[sizeof(class) - 1] = '\0';
+			}
 			continue;
 
 		case 'P':
-			strncpy(logname, line+1, sizeof(logname)-1);
+			strncpy(logname, line+1, sizeof(logname) - 1);
+			logname[sizeof(logname) - 1] = '\0';
 			if (RS) {			/* restricted */
 				if (getpwnam(logname) == NULL) {
 					bombed = NOACCT;
@@ -407,21 +411,24 @@ printit(file)
 			continue;
 
 		case 'J':
-			if (line[1] != '\0')
-				strncpy(jobname, line+1, sizeof(jobname)-1);
-			else
+			if (line[1] != '\0') {
+				strncpy(jobname, line+1, sizeof(jobname) - 1);
+				jobname[sizeof(jobname) - 1] = '\0';
+			} else
 				strcpy(jobname, " ");
 			continue;
 
 		case 'C':
 			if (line[1] != '\0')
-				strncpy(class, line+1, sizeof(class)-1);
+				strncpy(class, line+1, sizeof(class) - 1);
 			else if (class[0] == '\0')
 				gethostname(class, sizeof(class));
+			class[sizeof(class) - 1] = '\0';
 			continue;
 
 		case 'T':	/* header title for pr */
-			strncpy(title, line+1, sizeof(title)-1);
+			strncpy(title, line+1, sizeof(title) - 1);
+			title[sizeof(title) - 1] = '\0';
 			continue;
 
 		case 'L':	/* identification line */
@@ -433,16 +440,21 @@ printit(file)
 		case '2':
 		case '3':
 		case '4':
-			if (line[1] != '\0')
-				strcpy(fonts[line[0]-'1'], line+1);
+			if (line[1] != '\0') {
+				strncpy(fonts[line[0]-'1'], line+1,
+				    50-1);
+				fonts[line[0]-'1'][50-1] = '\0';
+			}
 			continue;
 
 		case 'W':	/* page width */
-			strncpy(width+2, line+1, sizeof(width)-3);
+			strncpy(width+2, line+1, sizeof(width) - 3);
+			width[2+sizeof(width) - 3] = '\0';
 			continue;
 
 		case 'I':	/* indent amount */
-			strncpy(indent+2, line+1, sizeof(indent)-3);
+			strncpy(indent+2, line+1, sizeof(indent) - 3);
+			indent[2+sizeof(indent) - 3] = '\0';
 			continue;
 
 		default:	/* some file to print */
@@ -486,6 +498,8 @@ pass2:
 			continue;
 
 		case 'U':
+			if (strchr(line+1, '/'))
+				continue;
 			(void) unlink(line+1);
 		}
 	/*
@@ -709,7 +723,7 @@ start:
 	tof = 0;
 
 	/* Copy filter output to "lf" logfile */
-	if (fp = fopen(tempfile, "r")) {
+	if ((fp = fopen(tempfile, "r"))) {
 		while (fgets(buf, sizeof(buf), fp))
 			fputs(buf, stderr);
 		fclose(fp);
@@ -783,9 +797,9 @@ sendit(file)
 		} else if (line[0] == 'H') {
 			strcpy(fromhost, line+1);
 			if (class[0] == '\0')
-				strncpy(class, line+1, sizeof(class)-1);
+				strncpy(class, line+1, sizeof(class) - 1);
 		} else if (line[0] == 'P') {
-			strncpy(logname, line+1, sizeof(logname)-1);
+			strncpy(logname, line+1, sizeof(logname) - 1);
 			if (RS) {			/* restricted */
 				if (getpwnam(logname) == NULL) {
 					sendmail(line+1, NOACCT);
@@ -794,7 +808,7 @@ sendit(file)
 				}
 			}
 		} else if (line[0] == 'I') {
-			strncpy(indent+2, line+1, sizeof(indent)-3);
+			strncpy(indent+2, line+1, sizeof(indent) - 3);
 		} else if (line[0] >= 'a' && line[0] <= 'z') {
 			strcpy(last, line);
 			while (i = getline(cfp))
@@ -825,7 +839,7 @@ sendit(file)
 	 */
 	fseek(cfp, 0L, 0);
 	while (getline(cfp))
-		if (line[0] == 'U')
+		if (line[0] == 'U' && !strchr(line+1, '/'))
 			(void) unlink(line+1);
 	/*
 	 * clean-up in case another control file exists
@@ -1335,18 +1349,18 @@ init()
 		FF = DEFFF;
 	if (cgetnum(bp, "pw", &PW) < 0)
 		PW = DEFWIDTH;
-	sprintf(&width[2], "%d", PW);
+	sprintf(&width[2], "%ld", PW);
 	if (cgetnum(bp, "pl", &PL) < 0)
 		PL = DEFLENGTH;
-	sprintf(&length[2], "%d", PL);
+	sprintf(&length[2], "%ld", PL);
 	if (cgetnum(bp,"px", &PX) < 0)
 		PX = 0;
-	sprintf(&pxwidth[2], "%d", PX);
+	sprintf(&pxwidth[2], "%ld", PX);
 	if (cgetnum(bp, "py", &PY) < 0)
 		PY = 0;
-	sprintf(&pxlength[2], "%d", PY);
+	sprintf(&pxlength[2], "%ld", PY);
 	cgetstr(bp, "rm", &RM);
-	if (s = checkremote())
+	if ((s = checkremote()))
 		syslog(LOG_WARNING, s);
 
 	cgetstr(bp, "af", &AF);
@@ -1514,13 +1528,13 @@ static void
 openrem()
 {
 	register int i, n;
-	int resp, port;
+	int resp;
 
 	for (i = 1; ; i = i < 256 ? i << 1 : i) {
 		resp = -1;
 		pfd = getport(RM, 0);
 		if (pfd >= 0) {
-			(void) sprintf(line, "\2%s\n", RP);
+			(void) snprintf(line, sizeof(line), "\2%s\n", RP);
 			n = strlen(line);
 			if (write(pfd, line, n) == n &&
 			    (resp = response()) == '\0')