From 68b03ab551368c9e52815b2d9c98a47bb6f7a264 Mon Sep 17 00:00:00 2001
From: ken <ken@FreeBSD.org>
Date: Wed, 14 Oct 1998 23:28:26 +0000
Subject: Fix a couple of potential buffer overrun cases.

Submitted by:	imp
---
 lib/libdevstat/devstat.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

(limited to 'lib/libdevstat')

diff --git a/lib/libdevstat/devstat.c b/lib/libdevstat/devstat.c
index 6211909..ec86c78 100644
--- a/lib/libdevstat/devstat.c
+++ b/lib/libdevstat/devstat.c
@@ -25,7 +25,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- *	$Id: devstat.c,v 1.2 1998/09/18 02:35:25 ken Exp $
+ *	$Id: devstat.c,v 1.3 1998/09/20 00:11:09 ken Exp $
  */
 
 #include <sys/types.h>
@@ -193,8 +193,10 @@ checkversion(void)
 			strncat(devstat_errbuf, tmpstr,
 				DEVSTAT_ERRBUF_SIZE - buflen - 1);
 			buflen += errlen;
-		} else
+		} else {
 			strncpy(devstat_errbuf, tmpstr, DEVSTAT_ERRBUF_SIZE);
+			devstat_errbuf[DEVSTAT_ERRBUF_SIZE - 1] = '\0';
+		}
 
                 if (version < DEVSTAT_VERSION)
 			snprintf(tmpstr, sizeof(tmpstr),
@@ -510,6 +512,7 @@ selectdevs(struct device_selection **dev_select, int *num_selected,
 			strncpy((*dev_select)[i].device_name,
 				devices[i].device_name,
 				DEVSTAT_NAME_LEN);
+			(*dev_select)[i].device_name[DEVSTAT_NAME_LEN - 1]='\0';
 			(*dev_select)[i].unit_number = devices[i].unit_number;
 			(*dev_select)[i].position = i;
 		}
@@ -531,7 +534,8 @@ selectdevs(struct device_selection **dev_select, int *num_selected,
 	for (i = 0; (i < *num_selections) && (num_dev_selections > 0); i++) {
 		char tmpstr[80];
 
-		sprintf(tmpstr, "%s%d", (*dev_select)[i].device_name,
+		snprintf(tmpstr, sizeof(tmpstr), "%s%d",
+			(*dev_select)[i].device_name,
 			(*dev_select)[i].unit_number);
 		for (j = 0; j < num_dev_selections; j++) {
 			if (strcmp(tmpstr, dev_selections[j]) == 0) {
@@ -998,7 +1002,7 @@ buildmatch(char *match_str, struct devstat_match **matches, int *num_matches)
 		 * or interface.
 		 */
 		if ((*matches)[*num_matches].num_match_categories != (i + 1)) {
-			sprintf(devstat_errbuf,
+			snprintf(devstat_errbuf, sizeof(devstat_errbuf),
 				"%s: unknown match item \"%s\"", func_name,
 				tstr[i]);
 			return(-1);
-- 
cgit v1.1