author | joerg <joerg@FreeBSD.org> | 1997-10-19 10:42:39 +0000 |
---|---|---|
committer | joerg <joerg@FreeBSD.org> | 1997-10-19 10:42:39 +0000 |
commit | b429d6bbe42bc27bdc9dbf00a6444f0a704aea5f (patch) | |
tree | 7c9ca7a02b34fae1e3d41ad86a6011a8c380f992 /usr.sbin | |
parent | 048018209a542d977e8193b62ce38d2275e38c90 (diff) | |
Fix a number of buffer overflow conditions.
PR: bin/4610
Submitted by: David Holland (dholland@burgundy.eecs.harvard.edu)
Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/bootparamd/bootparamd/bootparamd.c | 26 |
1 files changed, 17 insertions, 9 deletions
diff --git a/usr.sbin/bootparamd/bootparamd/bootparamd.c b/usr.sbin/bootparamd/bootparamd/bootparamd.c
index 327e2bb..c19fb53 100644
--- a/usr.sbin/bootparamd/bootparamd/bootparamd.c
+++ b/usr.sbin/bootparamd/bootparamd/bootparamd.c
@@ -9,7 +9,7 @@ use and modify. Please send modifications and/or suggestions + bug fixes to
 #ifndef lint
 static const char rcsid[] =
- "$Id$";
+ "$Id: bootparamd.c,v 1.7 1997/09/04 11:49:24 charnier Exp $";
 #endif /* not lint */
 #include <rpc/rpc.h>
@@ -39,7 +39,7 @@ static char path[MAX_PATH_LEN];
 static char domain_name[MAX_MACHINE_NAME];
 int getthefile __P((char *, char *, char *));
-int checkhost __P((char *, char *));
+int checkhost __P((char *, char *, int));
 bp_whoami_res *
 bootparamproc_whoami_1(whoami)
@@ -68,8 +68,10 @@ bp_whoami_arg *whoami;
 if (debug) warnx("this is host %s", he->h_name);
 if (dolog) syslog(LOG_NOTICE,"This is host %s\n", he->h_name);
- strcpy(askname, he->h_name);
- if (checkhost(askname, hostname) ) {
+ strncpy(askname, he->h_name, sizeof(askname));
+ askname[sizeof(askname)-1] = 0;
+
+ if (checkhost(askname, hostname, sizeof hostname) ) {
 res.client_name = hostname;
 getdomainname(domain_name, MAX_MACHINE_NAME);
 res.domain_name = domain_name;
@@ -123,7 +125,9 @@ bp_getfile_arg *getfile;
 he = gethostbyname(getfile->client_name);
 if (! he ) goto failed;
- strcpy(askname,he->h_name);
+ strncpy(askname, he->h_name, sizeof(askname));
+ askname[sizeof(askname)-1] = 0;
+
 if (getthefile(askname, getfile->file_id,buffer)) {
 if ( (where = index(buffer,':')) ) {
 /* buffer is re-written to contain the name of the info of file */
@@ -194,7 +198,8 @@ char *fileid, *buffer;
 if ( ! bpf )
 errx(1, "no %s", bootpfile);
- while ( fscanf(bpf, "%s", hostname) > 0 && !match ) {
+ /* XXX see comment below */
+ while ( fscanf(bpf, "%255s", hostname) > 0 && !match ) {
 if ( *hostname != '#' ) { /* comment */
 if ( ! strcmp(hostname, askname) ) {
 match = 1;
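Review bot: The `strncpy` plus terminator added ahead of `checkhost()` in bootparamproc_whoami_1 silently truncates a resolver-supplied `he->h_name` that does not fit in `askname`, and the shortened string then becomes the lookup key, so an over-long name could compare equal to a different, shorter entry in the bootparams file. Rejecting the request is safer than truncating, e.g. `if (strlen(he->h_name) >= sizeof(askname)) goto failed;` before the copy. The same copy is added in the getfile hunk (`@@ -123,7 +125,9 @@`), where a `failed` label is visible; this hunk does not show how the whoami path reports failure, so the exit to use here needs checking. `sizeof hostname` is the buffer size only if `hostname` is an array in scope at this call rather than a pointer, which the hunk does not show. The function body starts and ends outside the hunk.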
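Review bot: The width in `fscanf(bpf, "%255s", hostname)` lets the conversion store 255 characters plus the terminating NUL, so it is safe only if `hostname` holds at least 256 bytes, while the matching loop in `checkhost` uses `%254s`. The declaration of `hostname` is outside this hunk; if it is sized with MAX_MACHINE_NAME like the `domain_name` static shown in the `@@ -39,7 +39,7 @@` hunk, confirm that constant's value and use one width equal to the buffer size minus one in both loops, e.g. `while ( fscanf(bpf, "%254s", hostname) > 0 && !match ) {` for a 255-byte buffer. The `/* XXX see comment below */` would be more useful if it stated the dependency directly, for instance `/* width must be sizeof(hostname) - 1 */`. The enclosing function starts and ends outside the hunk.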
@@ -269,9 +274,10 @@ char *fileid, *buffer;
 name for a host in the database */
 int
-checkhost(askname, hostname)
+checkhost(askname, hostname, len)
 char *askname;
 char *hostname;
+int len;
 {
 int ch, pch;
 FILE *bpf;
@@ -286,7 +292,9 @@ char *hostname;
 if ( ! bpf )
 errx(1, "no %s", bootpfile);
- while ( fscanf(bpf, "%s", hostname) > 0 ) {
+ /* XXX there is no way in ISO C to specify the maximal length for a
+ conversion in a variable way */
+ while ( fscanf(bpf, "%254s", hostname) > 0 ) {
 if ( *hostname != '#' ) { /* comment */
 if ( ! strcmp(hostname, askname) ) {
 /* return true for match of hostname */
@@ -314,7 +322,7 @@ char *hostname;
 he = gethostbyname(askname);
 if (he && !strcmp(askname, he->h_name)) {
 res = 1;
- sprintf(hostname,"%s", he->h_name);
+ snprintf(hostname, len, "%s", he->h_name);
 }
 }
 if (fclose(bpf)) |
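Review bot: `checkhost` now receives the destination size in `len`, yet the `fscanf(bpf, "%254s", hostname)` in the `@@ -286,7 +292,9 @@` hunk still assumes a buffer of at least 255 bytes whatever the caller passes, so the new parameter does not bound every write to `hostname`. The XXX comment overstates the limitation: the width can follow `len` by building the format first, `char fmt[16]; snprintf(fmt, sizeof fmt, "%%%ds", len - 1);` and then calling `fscanf(bpf, fmt, hostname)`, or by reading with `fgets` and tokenizing. If the literal width stays, document the precondition next to the parameter, e.g. `/* len must be >= 255: fscanf stores up to 254 chars + NUL */`. `len` is a plain `int` that reaches `snprintf` in the `@@ -314,7 +322,7 @@` hunk, so a zero or negative value should be rejected on entry. The function body extends beyond these hunks.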