diff options
| author | imp <imp@FreeBSD.org> | 1996-12-27 05:49:51 +0000 |
|---|---|---|
| committer | imp <imp@FreeBSD.org> | 1996-12-27 05:49:51 +0000 |
| commit | 8df70737bab006f5536d7fe7ebf05e9ead64bd4c (patch) | |
| tree | 335fcec75ca7478c4b40d6c42e0ea4619a4c90e9 /usr.sbin/sliplogin | |
| parent | a65d4c9aae43c63d59fa5d1e6ba9af1d63e19e4f (diff) | |
| download | FreeBSD-src-8df70737bab006f5536d7fe7ebf05e9ead64bd4c.zip FreeBSD-src-8df70737bab006f5536d7fe7ebf05e9ead64bd4c.tar.gz | |
Fix various buffer overflow cases in sliplogin. These might have been
able to be exploited, or might not. However, it is better to be safe
than sorry.
Definitely a 2.2 fix, and a -stable if there is someone to commit it.
Reviewed by: Jordan Hubbard <jkh@freebsd.org>
Submitted by: Marc Slemko
Diffstat (limited to 'usr.sbin/sliplogin')
| -rw-r--r-- | usr.sbin/sliplogin/sliplogin.c | 29 |
1 files changed, 17 insertions, 12 deletions
diff --git a/usr.sbin/sliplogin/sliplogin.c b/usr.sbin/sliplogin/sliplogin.c index 26b75cf..0537a0b 100644 --- a/usr.sbin/sliplogin/sliplogin.c +++ b/usr.sbin/sliplogin/sliplogin.c @@ -133,7 +133,9 @@ findid(name) environ = restricted_environ; /* minimal protection for system() */ - (void)strcpy(loginname, name); + (void)strncpy(loginname, name, sizeof(loginname)-1); + loginname[sizeof(loginname)-1] = '\0'; + if ((fp = fopen(_PATH_ACCESS, "r")) == NULL) { accfile_err: syslog(LOG_ERR, "%s: %m\n", _PATH_ACCESS); @@ -174,9 +176,10 @@ findid(name) * one specific to this host. If none found, try for * a generic one. */ - (void)sprintf(loginfile, "%s.%s", _PATH_LOGIN, name); + (void)snprintf(loginfile, sizeof(loginfile), "%s.%s", _PATH_LOGIN, name); if (access(loginfile, R_OK|X_OK) != 0) { - (void)strcpy(loginfile, _PATH_LOGIN); + (void)strncpy(loginfile, _PATH_LOGIN, sizeof(loginfile)-1); + loginfile[sizeof(loginfile)-1] = '\0'; if (access(loginfile, R_OK|X_OK)) { syslog(LOG_ERR, "access denied for %s - no %s\n", @@ -184,9 +187,10 @@ findid(name) exit(5); } } - (void)sprintf(slparmsfile, "%s.%s", _PATH_SLPARMS, name); + (void)snprintf(slparmsfile, sizeof(slparmsfile), "%s.%s", _PATH_SLPARMS, name); if (access(slparmsfile, R_OK|X_OK) != 0) { - (void)strcpy(slparmsfile, _PATH_SLPARMS); + (void)strncpy(slparmsfile, _PATH_SLPARMS, sizeof(slparmsfile)-1); + slparmsfile[sizeof(slparmsfile)-1] = '\0'; if (access(slparmsfile, R_OK|X_OK)) *slparmsfile = '\0'; } @@ -265,7 +269,7 @@ sigstr(s) case SIGUSR1: return("USR1"); case SIGUSR2: return("USR2"); } - (void)sprintf(buf, "sig %d", s); + (void)snprintf(buf, sizeof(buf), "sig %d", s); return(buf); } @@ -277,14 +281,15 @@ hup_handler(s) (void) close(0); seteuid(0); - (void)sprintf(logoutfile, "%s.%s", _PATH_LOGOUT, loginname); - if (access(logoutfile, R_OK|X_OK) != 0) - (void)strcpy(logoutfile, _PATH_LOGOUT); + (void)snprintf(logoutfile, sizeof(logoutfile), "%s.%s", _PATH_LOGOUT, loginname); + if (access(logoutfile, R_OK|X_OK) != 0) { + (void)strncpy(logoutfile, _PATH_LOGOUT, sizeof(logoutfile)-1); + logoutfile[sizeof(logoutfile)-1] = '\0'; + } if (access(logoutfile, R_OK|X_OK) == 0) { char logincmd[2*MAXPATHLEN+32]; - (void) sprintf(logincmd, "%s %d %ld %s", logoutfile, unit, speed, - loginargs); + (void) snprintf(logincmd, sizeof(logincmd), "%s %d %ld %s", logoutfile, unit, speed, loginargs); (void) system(logincmd); } syslog(LOG_INFO, "closed %s slip unit %d (%s)\n", loginname, unit, @@ -425,7 +430,7 @@ main(argc, argv) } syslog(LOG_INFO, "attaching slip unit %d for %s\n", unit, loginname); - (void)sprintf(logincmd, "%s %d %ld %s", loginfile, unit, speed, + (void)snprintf(logincmd, sizeof(logincmd), "%s %d %ld %s", loginfile, unit, speed, loginargs); /* * aim stdout and errout at /dev/null so logincmd output won't |
