From eba6461a0360d1811fb9e58dbfe4ab0e3658ccbd Mon Sep 17 00:00:00 2001
From: imp
Date: Tue, 7 Jan 1997 20:48:24 +0000
Subject: Fix many buffer overflows, correct usage of strcat and implement $TAPE. Inspired by OpenBSD's work in this area. Reviewed by: Peter Wemm, Guido van Rooij and Jordan Hubbard. Obtained from: OpenBSD
---
 sbin/dump/dumprmt.c | 12 ++++++------
 sbin/dump/main.c | 14 +++++++++++---
 sbin/dump/optr.c | 4 ++--
 3 files changed, 19 insertions(+), 11 deletions(-) (limited to 'sbin')
diff --git a/sbin/dump/dumprmt.c b/sbin/dump/dumprmt.c
index d7d59a4..08aa485 100644
--- a/sbin/dump/dumprmt.c
+++ b/sbin/dump/dumprmt.c
@@ -219,7 +219,7 @@ rmtopen(tape, mode)
 {
 char buf[256];
- (void)sprintf(buf, "O%s\n%d\n", tape, mode);
+ (void)snprintf(buf, sizeof (buf), "O%.226s\n%d\n", tape, mode);
 rmtstate = TS_OPEN;
 return (rmtcall(tape, buf));
 }
@@ -243,7 +243,7 @@ rmtread(buf, count)
 int n, i, cc;
 extern errno;
- (void)sprintf(line, "R%d\n", count);
+ (void)snprintf(line, sizeof (line), "R%d\n", count);
 n = rmtcall("read", line);
 if (n < 0) {
 errno = n;
@@ -265,7 +265,7 @@ rmtwrite(buf, count)
 {
 char line[30];
- (void)sprintf(line, "W%d\n", count);
+ (void)snprintf(line, sizeof (line), "W%d\n", count);
 write(rmtape, line, strlen(line));
 write(rmtape, buf, count);
 return (rmtreply("write"));
@@ -277,7 +277,7 @@ rmtwrite0(count)
 {
 char line[30];
- (void)sprintf(line, "W%d\n", count);
+ (void)snprintf(line, sizeof (line), "W%d\n", count);
 write(rmtape, line, strlen(line));
 }
@@ -303,7 +303,7 @@ rmtseek(offset, pos)
 {
 char line[80];
- (void)sprintf(line, "L%d\n%d\n", offset, pos);
+ (void)snprintf(line, sizeof (line), "L%d\n%d\n", offset, pos);
 return (rmtcall("seek", line));
 }
@@ -331,7 +331,7 @@ rmtioctl(cmd, count)
 if (count < 0) return (-1);
- (void)sprintf(buf, "I%d\n%d\n", cmd, count);
+ (void)snprintf(buf, sizeof (buf), "I%d\n%d\n", cmd, count);
 return (rmtcall("ioctl", buf));
 }
diff --git a/sbin/dump/main.c b/sbin/dump/main.c
index 481fecb..6275168 100644
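Review bot: In rmtopen() the `%.226s` precision silently truncates a long tape name, so a device path over 226 bytes is sent to the remote side in shortened form and may name a different file. Rejecting the name before formatting is safer than truncating, for example `if (strlen(tape) > 226) return (-1);`, assuming a negative return is how rmtopen's callers see failure (they are outside the hunk). The constant also needs a comment, e.g. `/* 226 = sizeof (buf) - 30: room for 'O', two newlines, the mode and NUL */`. rawname() in main.c has the same silent truncation through its strncpy/strncat sequence and could return NULL instead when the result does not fit.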
--- a/sbin/dump/main.c
+++ b/sbin/dump/main.c
@@ -105,7 +105,8 @@ main(argc, argv)
 (void)time((time_t *)&spcl.c_date);
 tsize = 0; /* Default later, based on 'c' option for cart tapes */
- tape = _PATH_DEFTAPE;
+ if ((tape = getenv("TAPE")) == NULL)
+ tape = _PATH_DEFTAPE;
 dumpdates = _PATH_DUMPDATES;
 temp = _PATH_DTMP;
 if (TP_BSIZE / DEV_BSIZE == 0 || TP_BSIZE % DEV_BSIZE != 0)
@@ -256,6 +257,10 @@ main(argc, argv)
 tape = index(host, ':');
 *tape++ = '\0';
 #ifdef RDUMP
+ if (index(tape, "\n") {
+ (void)fprintf(stderr, "invalid characters in tape\n");
+ exit(X_ABORT);
+ }
 if (rmthost(host) == 0) exit(X_ABORT);
 #else
@@ -298,6 +303,8 @@ main(argc, argv)
 (void)strncpy(spcl.c_filesys, "an unlisted file system", NAMELEN);
 }
+ spcl.c_dev[NAMELEN-1]='\0';
+ spcl.c_filesys[NAMELEN-1]='\0';
 (void)strcpy(spcl.c_label, "none");
 (void)gethostname(spcl.c_host, NAMELEN);
 spcl.c_level = level - '0';
@@ -556,9 +563,10 @@ rawname(cp)
 return (NULL);
 *dp = '\0';
 (void)strncpy(rawbuf, cp, MAXPATHLEN - 1);
+ rawbuf[MAXPATHLEN-1] = '\0';
 *dp = '/';
- (void)strncat(rawbuf, "/r", MAXPATHLEN-1 - strlen(rawbuf));
- (void)strncat(rawbuf, dp + 1, MAXPATHLEN-1 - strlen(rawbuf));
+ (void)strncat(rawbuf, "/r", MAXPATHLEN - 1 - strlen(rawbuf));
+ (void)strncat(rawbuf, dp + 1, MAXPATHLEN - 1 - strlen(rawbuf));
 return (rawbuf);
 }
diff --git a/sbin/dump/optr.c b/sbin/dump/optr.c
index 3c464e4..60a6796 100644
--- a/sbin/dump/optr.c
+++ b/sbin/dump/optr.c
@@ -244,13 +244,13 @@ static void sendmes(tty, message)
 char *tty, *message;
 {
- char t[50], buf[BUFSIZ];
+ char t[MAXPATHLEN], buf[BUFSIZ];
 register char *cp;
 int lmsg = 1;
 FILE *f_tty;
 (void) strcpy(t, _PATH_DEV);
- (void) strncat(t, tty, sizeof t - strlen(_PATH_DEV) - 1);
+ (void) strncat(t, tty, sizeof t - strlen(_PATH_DEV) - 1);
 if ((f_tty = fopen(t, "w")) != NULL) {
 setbuf(f_tty, buf);
-- cgit v1.1
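Review bot: An empty `TAPE=` in the environment is accepted as the output device, because the new test in main() only checks for NULL; `if ((tape = getenv("TAPE")) == NULL || *tape == '\0')` would fall back to `_PATH_DEFTAPE` in that case. The next hunk's context shows `*tape++ = '\0'` after `index(host, ':')`; if `host` aliases this pointer (the assignment is outside the hunk), the program writes into the string returned by getenv(), which the C standard says must not be modified, so copying the value first would be cleaner. A comment such as `/* $TAPE overrides the compiled-in default; -f still wins */` would record the intended precedence, which is presumably settled by the option parsing outside the hunk.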
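Review bot: The added test `if (index(tape, "\n") {` in the RDUMP branch of main() is missing a closing parenthesis and passes a string literal where index() takes a character, so it will not compile when RDUMP is defined. It should read `if (index(tape, '\n') != NULL) {`. The tape name is embedded in the newline-delimited open request built in rmtopen() (`"O%.226s\n%d\n"`), so this check is what keeps a name from adding extra lines to that request. That makes it worth confirming with a build of the RDUMP variant.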
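Review bot: `spcl.c_host` is left out of the new termination lines: `gethostname(spcl.c_host, NAMELEN)` two lines below may leave the buffer unterminated when the host name is truncated, since POSIX leaves that case unspecified. Adding `spcl.c_host[NAMELEN-1] = '\0';` after the gethostname() call would match what the commit does for `c_dev` and `c_filesys`. The field sizes are declared outside the hunk, so this assumes all three are NAMELEN bytes.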
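Review bot: The copy in sendmes() is now bounded but still split across `strcpy` and a hand-computed `strncat` limit, while dumprmt.c in the same commit moved to snprintf. `(void) snprintf(t, sizeof t, "%s%s", _PATH_DEV, tty);` does both steps with one size and no arithmetic to keep in sync. As written, an over-long tty name is silently cut and the shortened path is opened for writing; comparing the snprintf result with `sizeof t` and skipping the fopen() would avoid that. The rest of sendmes() continues past the end of the hunk.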