From a396a56831490577d914ea4c1d26aec5728b6cdc Mon Sep 17 00:00:00 2001
From: roam
Date: Mon, 2 Dec 2002 20:29:08 +0000
Subject: Replace the remaining strcpy() instances with strlcpy(), fixing a segfault when parsing a malformed command-line parameter. Rearrange a risky usage of sprintf() in a loop. Reported by: phrail@division7.us via the vuln-dev mailing list Approved by: re (rwatson)
---
 usr.sbin/raycontrol/raycontrol.c | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/usr.sbin/raycontrol/raycontrol.c b/usr.sbin/raycontrol/raycontrol.c
index e361c5d..c287643 100644
--- a/usr.sbin/raycontrol/raycontrol.c
+++ b/usr.sbin/raycontrol/raycontrol.c
@@ -75,14 +75,12 @@ ray_printhex(u_int8_t *d, char *s, int len)
 char *p;
 int i;
- if (len > 256)
+ if (2 * len + strlen(s) * (len - 1) > sizeof(buf) - 1)
 err(1, "Byte string too long");
 sprintf(buf, "%02x", *d);
- for (p = buf + 2, i = 1; i < len; i++) {
- sprintf(p, "%s%02x", s, *(d+i));
- p = p + 2 + strlen(s);
- }
+ for (p = buf + 2, i = 1; i < len; i++)
+ p += sprintf(p, "%s%02x", s, *(d+i));
 return(buf);
 }
@@ -118,7 +116,7 @@ ray_getsiglev(char *iface, struct ray_siglev *siglev)
 bzero((char *)&ifr, sizeof(ifr));
- strcpy(ifr.ifr_name, iface);
+ strlcpy(ifr.ifr_name, iface, sizeof(ifr.ifr_name));
 ifr.ifr_data = (caddr_t)siglev;
 s = socket(AF_INET, SOCK_DGRAM, 0);
@@ -140,7 +138,7 @@ ray_getstats(char *iface, struct ray_stats_req *sreq)
 bzero((char *)&ifr, sizeof(ifr));
- strcpy(ifr.ifr_name, iface);
+ strlcpy(ifr.ifr_name, iface, sizeof(ifr.ifr_name));
 ifr.ifr_data = (caddr_t)sreq;
 s = socket(AF_INET, SOCK_DGRAM, 0);
@@ -271,7 +269,7 @@ ray_setval(char *iface, struct ray_param_req *rreq)
 bzero((char *)&ifr, sizeof(ifr));
- strcpy(ifr.ifr_name, iface);
+ strlcpy(ifr.ifr_name, iface, sizeof(ifr.ifr_name));
 ifr.ifr_data = (caddr_t)rreq;
 s = socket(AF_INET, SOCK_DGRAM, 0);
--
cgit v1.1
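Review bot: The new bound check in ray_printhex mixes the signed `len` with `size_t` operands, so it rejects `len <= 0` only through unsigned wraparound, and `2 * len` is still evaluated in `int` and can overflow for very large values. With `len == 0` and an empty separator the sum is 0, the check passes, and `sprintf(buf, "%02x", *d)` formats a byte the caller did not supply. A form that avoids both is `if (len < 1 || (size_t)len > (sizeof(buf) - 1 + strlen(s)) / (2 + strlen(s)))`, which assumes `buf` is an array declared above the hunk, as the existing `sizeof(buf)` already does. The function's opening lines and `buf`'s declaration are outside the hunk.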
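Review bot: `strlcpy()` in ray_getsiglev truncates an over-long `iface` silently, so the ioctl that presumably follows would be issued for a shortened name rather than failing on bad input; the same applies to the identical changes in ray_getstats and ray_setval. Checking the return value makes the malformed argument an explicit error: `if (strlcpy(ifr.ifr_name, iface, sizeof(ifr.ifr_name)) >= sizeof(ifr.ifr_name)) errx(1, "interface name too long");`. All three functions start and end outside their hunks, so whether the name is validated earlier is not visible here.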