From 354a4db3b5ff4e1a474ecd6a53a6b494699bb7e5 Mon Sep 17 00:00:00 2001 From: imp Date: Sun, 27 Oct 1996 03:06:52 +0000 Subject: lpc/cmds.c: From NetBSD via OpenBSD to fix NetBSD PR #506 More descriptive message for printer status (OpenBSD: 1.2) Various warnings cleaned up (OpenBSD: 1.4) lpc/lpc.c: Various warnings cleaned up (OpenBSD: 1.3) lpd/lpd.c: Remove trailing blank lines (OpenBSD: 1.2) Potential umask problem with creating /dev/printer (OpenBSD: 1.4 and 1.5) Ftp bounce attack (untested on FreeBSD) (OpenBSD: 1.6, 1.8, 1.9) Fencepost in strncpy (OpenBSD: 1.6) lpd/printjob.c: Fix from freebsd for waiting for an exiting filter, that appears not in the FreeBSD CVS tree. (OpenBSD: 1.6) lpd/recvjob.c: Buffer overflow protection: use strncpy rather than strcpy. (OpenBSD: 1.3) lpr/lpr.c: NetBSD change of return type for main() (OpenBSD: 1.2) Restrict time running as root (OpenBSD: 1.7) Use getcwd rather than getwd (from NetBSD) Use snprintf rather than sprintf (OpenBSD: 1.8) Minor tweak to end of loop and buffer overflow sanity. card() overflow already in FreeBSD (OpenBSD: 1.9) lptest/lptest.c: void -> int return type of main, from NetBSD via OpenBSD (OpenBSD: 1.2) pac/pac.c: void -> int return type of main, from NetBSD via OpenBSD (OpenBSD: 1.3) Obtained from: OpenBSD --- usr.sbin/lpr/common_source/recvjob.c | 6 ++++-- usr.sbin/lpr/lpc/cmds.c | 8 ++++---- usr.sbin/lpr/lpc/lpc.c | 2 +- usr.sbin/lpr/lpd/lpd.c | 38 +++++++++++++++++++++++------------- usr.sbin/lpr/lpd/printjob.c | 2 ++ usr.sbin/lpr/lpd/recvjob.c | 6 ++++-- usr.sbin/lpr/lpr/lpr.c | 27 +++++++++++++------------ usr.sbin/lpr/lptest/lptest.c | 2 +- usr.sbin/lpr/pac/pac.c | 2 +- usr.sbin/lpr/runqueue/printjob.c | 2 ++ 10 files changed, 57 insertions(+), 38 deletions(-) (limited to 'usr.sbin/lpr') diff --git a/usr.sbin/lpr/common_source/recvjob.c b/usr.sbin/lpr/common_source/recvjob.c index fb307c5..040db82 100644 --- a/usr.sbin/lpr/common_source/recvjob.c +++ b/usr.sbin/lpr/common_source/recvjob.c 
@@ -170,7 +170,8 @@ readjob() * returns */ strcpy(cp + 6, from); - strcpy(tfname, cp); + strncpy(tfname, cp, sizeof tfname-1); + tfname[sizeof tfname-1] = '\0'; tfname[0] = 't'; if (!chksize(size)) { (void) write(1, "\2", 1); @@ -197,7 +198,8 @@ readjob() (void) write(1, "\2", 1); continue; } - (void) strcpy(dfname, cp); + (void) strncpy(dfname, cp, sizeof dfname-1); + dfname[sizeof dfname-1] = '\0'; if (index(dfname, '/')) frecverr("readjob: %s: illegal path name", dfname); diff --git a/usr.sbin/lpr/lpc/cmds.c b/usr.sbin/lpr/lpc/cmds.c index 84c6a4d..722e81b 100644 --- a/usr.sbin/lpr/lpc/cmds.c +++ b/usr.sbin/lpr/lpc/cmds.c @@ -277,7 +277,7 @@ sortq(a, b) d1 = (struct dirent **)a; d2 = (struct dirent **)b; - if (c1 = strcmp((*d1)->d_name + 3, (*d2)->d_name + 3)) + if ((c1 = strcmp((*d1)->d_name + 3, (*d2)->d_name + 3))) return(c1); c1 = (*d1)->d_name[0]; c2 = (*d2)->d_name[0]; @@ -305,7 +305,7 @@ cleanpr() SD = _PATH_DEFSPOOL; printf("%s:\n", printer); - for (lp = line, cp = SD; *lp++ = *cp++; ) + for (lp = line, cp = SD; (*lp++ = *cp++); ) ; lp[-1] = '/'; @@ -592,7 +592,7 @@ putmsg(argc, argv) cp1 = buf; while (--argc >= 0) { cp2 = *argv++; - while (*cp1++ = *cp2++) + while ((*cp1++ = *cp2++)) ; cp1[-1] = ' '; } @@ -815,7 +815,7 @@ prstat() fd = open(line, O_RDONLY); if (fd < 0 || flock(fd, LOCK_SH|LOCK_NB) == 0) { (void) close(fd); /* unlocks as well */ - printf("\tno daemon present\n"); + printf("\tprinter idle\n"); return; } (void) close(fd); diff --git a/usr.sbin/lpr/lpc/lpc.c b/usr.sbin/lpr/lpc/lpc.c index f2938a6..5135163 100644 --- a/usr.sbin/lpr/lpc/lpc.c +++ b/usr.sbin/lpr/lpc/lpc.c @@ -178,7 +178,7 @@ getcmd(name) longest = 0; nmatches = 0; found = 0; - for (c = cmdtab; p = c->c_name; c++) { + for (c = cmdtab; (p = c->c_name); c++) { for (q = name; *q == *p++; q++) if (*q == 0) /* exact match? */ return(c); diff --git a/usr.sbin/lpr/lpd/lpd.c b/usr.sbin/lpr/lpd/lpd.c index feae8e7..898fc48 100644 --- a/usr.sbin/lpr/lpd/lpd.c +++ b/usr.sbin/lpr/lpd/lpd.c 
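Review bot: The bounded copies added in readjob() (common_source/recvjob.c, hunks at -170 and -197) truncate an overlong name silently, so a file name that appears to come from the sender's request is stored shortened instead of being refused. Rejecting it before the copy is safer and matches the handling a few lines below, e.g. `if (strlen(cp) >= sizeof tfname) frecverr("readjob: %s: file name too long", cp);`, with the same test for `dfname`. The `strcpy(cp + 6, from);` directly above the first copy is still unbounded; whether it can overrun depends on the sizes of the line buffer and of `from`, which the hunk does not show. The identical hunks in lpd/recvjob.c carry the same gaps, and readjob() starts and ends outside the hunk.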
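Review bot: In putmsg() (lpc/cmds.c, hunk at -592) the loop `while ((*cp1++ = *cp2++))` still appends every argument to `buf` with no bound; the commit only adds parentheses to silence the warning. Unless the combined argument length is checked before the hunk, which is not visible here, a long enough message writes past the end of `buf`. Summing `strlen(argv[i]) + 1` over the arguments first and refusing the command when the total exceeds the buffer size would close this. The copy of `SD` into `line` in cleanpr() (hunk at -305) follows the same unbounded pattern.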
@@ -179,6 +179,7 @@ main(argc, argv) } #define mask(s) (1 << ((s) - 1)) omask = sigblock(mask(SIGHUP)|mask(SIGINT)|mask(SIGQUIT)|mask(SIGTERM)); + (void) umask(07); signal(SIGHUP, mcleanup); signal(SIGINT, mcleanup); signal(SIGQUIT, mcleanup); @@ -193,6 +194,7 @@ main(argc, argv) syslog(LOG_ERR, "ubind: %m"); exit(1); } + (void) umask(0); sigsetmask(omask); FD_ZERO(&defreadfds); FD_SET(funix, &defreadfds); @@ -245,6 +247,10 @@ main(argc, argv) domain = AF_INET, fromlen = sizeof(frominet); s = accept(finet, (struct sockaddr *)&frominet, &fromlen); + if (frominet.sin_port == htons(20)) { + close(s); + continue; + } } if (s < 0) { if (errno != EINTR) @@ -494,9 +500,11 @@ chkhost(f) register struct hostent *hp; register FILE *hostf; int first = 1; + int good = 0; f->sin_port = ntohs(f->sin_port); - if (f->sin_family != AF_INET || f->sin_port >= IPPORT_RESERVED) + if (f->sin_family != AF_INET || f->sin_port >= IPPORT_RESERVED || + f->sin_port == htons(20)) fatal("Malformed from address"); /* Need real hostname for temporary filenames */ @@ -506,10 +514,24 @@ chkhost(f) fatal("Host name for your address (%s) unknown", inet_ntoa(f->sin_addr)); - (void) strncpy(fromb, hp->h_name, sizeof(fromb)); + (void) strncpy(fromb, hp->h_name, sizeof(fromb) - 1); from[sizeof(fromb) - 1] = '\0'; from = fromb; + /* Check for spoof, ala rlogind */ + hp = gethostbyname(fromb); + if (!hp) + fatal("hostname for your address (%s) unknown", + inet_ntoa(f->sin_addr)); + for (; good == 0 && hp->h_addr_list[0] != NULL; hp->h_addr_list++) { + if (!bcmp(hp->h_addr_list[0], (caddr_t)&f->sin_addr, + sizeof(f->sin_addr))) + good = 1; + } + if (good == 0) + fatal("address for your hostname (%s) not matched", + inet_ntoa(f->sin_addr)); + hostf = fopen(_PATH_HOSTSEQUIV, "r"); again: if (hostf) { @@ -528,15 +550,3 @@ again: fatal("Your host does not have line printer access"); /*NOTREACHED*/ } - - - - - - - - - - - - 
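Review bot: The `(void) umask(0);` added after the bind in main() (lpd/lpd.c, hunk at -193) sets a fully permissive mask rather than restoring the value that was in force before the `umask(07)` added in the -179 hunk. From that point every file the daemon creates depends entirely on the mode passed at the call site. Saving and restoring the old mask keeps the change local to the socket creation: `omode = umask(07);` before the bind and `(void) umask(omode);` after it. main() continues outside both hunks, so an earlier umask call may already set 0; that is worth confirming.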
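Review bot: The new port test in main() (lpd/lpd.c, hunk at -245) reads `frominet.sin_port` before the `if (s < 0)` check that follows it, so after a failed accept() it acts on an address that accept() did not fill in and can call `close(s)` on a negative descriptor. Test the descriptor first: `if (s >= 0 && frominet.sin_port == htons(20)) {`. The connection is also dropped without a trace; a `syslog()` call in this branch, as used for the bind failure earlier in main(), would record rejected connections from the FTP data port.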
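Review bot: In chkhost() (lpd/lpd.c, hunk at -494) the added clause `f->sin_port == htons(20)` compares against a field that the line above has already converted with ntohs(), so on a little-endian host it tests for 5120 instead of 20 and never matches. There the clause is dead code and a connection from source port 20 passes this function. Compare in host order instead: `f->sin_port == 20`.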
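Review bot: The terminator after the bounded copy in chkhost() (lpd/lpd.c, hunk at -506) is written through `from`, which is only pointed at `fromb` on the following line, so `from[sizeof(fromb) - 1] = '\0';` stores into whatever `from` referenced before and the termination of `fromb` relies on its last byte already being zero. It should read `fromb[sizeof(fromb) - 1] = '\0';`. In the new spoof check, `hp->h_addr_list++` advances the pointer inside the hostent returned by the resolver, and the `bcmp` length assumes the entry is an IPv4 address. Walking a local `char **ap = hp->h_addr_list` and checking `hp->h_addrtype == AF_INET` before comparing avoids both.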
diff --git a/usr.sbin/lpr/lpd/printjob.c b/usr.sbin/lpr/lpd/printjob.c index e7e8324..d47d3f0 100644 --- a/usr.sbin/lpr/lpd/printjob.c +++ b/usr.sbin/lpr/lpd/printjob.c @@ -288,6 +288,8 @@ again: if (TR != NULL) /* output trailer */ (void) write(ofd, TR, strlen(TR)); } + (void) close(ofd); + (void) wait(NULL); (void) unlink(tempfile); exit(0); } diff --git a/usr.sbin/lpr/lpd/recvjob.c b/usr.sbin/lpr/lpd/recvjob.c index fb307c5..040db82 100644 --- a/usr.sbin/lpr/lpd/recvjob.c +++ b/usr.sbin/lpr/lpd/recvjob.c @@ -170,7 +170,8 @@ readjob() * returns */ strcpy(cp + 6, from); - strcpy(tfname, cp); + strncpy(tfname, cp, sizeof tfname-1); + tfname[sizeof tfname-1] = '\0'; tfname[0] = 't'; if (!chksize(size)) { (void) write(1, "\2", 1); @@ -197,7 +198,8 @@ readjob() (void) write(1, "\2", 1); continue; } - (void) strcpy(dfname, cp); + (void) strncpy(dfname, cp, sizeof dfname-1); + dfname[sizeof dfname-1] = '\0'; if (index(dfname, '/')) frecverr("readjob: %s: illegal path name", dfname); diff --git a/usr.sbin/lpr/lpr/lpr.c b/usr.sbin/lpr/lpr/lpr.c index 4bb3643..cb041f3 100644 --- a/usr.sbin/lpr/lpr/lpr.c +++ b/usr.sbin/lpr/lpr/lpr.c @@ -45,7 +45,7 @@ static char copyright[] = #ifndef lint static char sccsid[] = "From: @(#)lpr.c 8.4 (Berkeley) 4/28/95" - "\n$Id: lpr.c,v 1.8 1996/10/25 18:14:48 imp Exp $\n"; + "\n$Id: lpr.c,v 1.9 1996/10/26 00:46:34 imp Exp $\n"; #endif /* not lint */ /* @@ -113,7 +113,7 @@ static int nfile __P((char *)); static int test __P((char *)); static void usage __P((void)); -void +int main(argc, argv) int argc; char *argv[]; @@ -272,7 +272,7 @@ main(argc, argv) /* * Check to make sure queuing is enabled if userid is not root. */ - (void) sprintf(buf, "%s/%s", SD, LO); + (void) snprintf(buf, sizeof(buf), "%s/%s", SD, LO); if (userid && stat(buf, &stb) == 0 && (stb.st_mode & 010)) fatal2("Printer queue is disabled"); /* 
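Review bot: The added `(void) wait(NULL);` (lpd/printjob.c, hunk at -288) reaps whichever child exits first and ignores the result, so it does not guarantee that the filter has finished before `unlink(tempfile)` runs if another child is outstanding or the call is interrupted by a signal. If the filter's pid is available at this point, which the hunk does not show, `waitpid()` on that pid retried on EINTR would make the intent explicit. A comment such as `/* wait for the output filter to exit */` would also document why the call is there. The identical hunk in runqueue/printjob.c has the same gap, and the enclosing function starts outside the hunk.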
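Review bot: The `snprintf` that builds the lock-file path in main() (lpr/lpr.c, hunk at -272) discards its return value, so a truncated path is handed to stat() unnoticed; stat() then most likely fails and the queue-disabled test on the next line is skipped. Check for truncation and stop, e.g. `if ((size_t)snprintf(buf, sizeof(buf), "%s/%s", SD, LO) >= sizeof(buf)) fatal2("lock file path too long");`. The same unchecked truncation applies to the `.seq` path in mktemps() (hunk at -693) and to lmktemp() (hunk at -734), where a shortened temporary file name could lose its host suffix.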
@@ -321,7 +321,8 @@ main(argc, argv) continue; /* file unreasonable */ if (sflag && (cp = linked(arg)) != NULL) { - (void) sprintf(buf, "%d %d", statb.st_dev, statb.st_ino); + (void) snprintf(buf, sizeof(buf), "%d %d", statb.st_dev, + statb.st_ino); card('S', buf); if (format == 'p') card('T', title ? title : arg); @@ -339,12 +340,12 @@ main(argc, argv) printf("%s: %s: not linked, copying instead\n", name, arg); if ((i = open(arg, O_RDONLY)) < 0) { printf("%s: cannot open %s\n", name, arg); - continue; + } else { + copy(i, arg); + (void) close(i); + if (f && unlink(arg) < 0) + printf("%s: %s: not removed\n", name, arg); } - copy(i, arg); - (void) close(i); - if (f && unlink(arg) < 0) - printf("%s: %s: not removed\n", name, arg); } if (nact) { @@ -434,7 +435,7 @@ linked(file) static char buf[BUFSIZ]; if (*file != '/') { - if (getwd(buf) == NULL) + if (getcwd(buf,sizeof(buf)) == NULL) return(NULL); while (file[0] == '.') { switch (file[1]) { @@ -693,7 +694,7 @@ mktemps() register char *cp; char buf[BUFSIZ]; - (void) sprintf(buf, "%s/.seq", SD); + (void) snprintf(buf, sizeof(buf), "%s/.seq", SD); if ((fd = open(buf, O_RDWR|O_CREAT, 0661)) < 0) { printf("%s: cannot create %s\n", name, buf); exit(1); @@ -717,7 +718,7 @@ mktemps() inchar = strlen(SD) + 3; n = (n + 1) % 1000; (void) lseek(fd, (off_t)0, 0); - sprintf(buf, "%03d\n", n); + snprintf(buf, sizeof(buf), "%03d\n", n); (void) write(fd, buf, strlen(buf)); (void) close(fd); /* unlocks as well */ } @@ -734,7 +735,7 @@ lmktemp(id, num, len) if ((s = malloc(len)) == NULL) fatal2("out of memory"); - (void) sprintf(s, "%s/%sA%03d%s", SD, id, num, host); + (void) snprintf(s, len, "%s/%sA%03d%s", SD, id, num, host); return(s); } diff --git a/usr.sbin/lpr/lptest/lptest.c b/usr.sbin/lpr/lptest/lptest.c index 5ce80b5..1cf2206 100644 --- a/usr.sbin/lpr/lptest/lptest.c +++ b/usr.sbin/lpr/lptest/lptest.c 
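Review bot: The new `snprintf` call in main() (lpr/lpr.c, hunk at -321) passes `statb.st_dev` and `statb.st_ino` to `%d`, which is only well defined where dev_t and ino_t are int-sized. Explicit casts keep the call correct on other platforms: `"%lu %lu", (unsigned long)statb.st_dev, (unsigned long)statb.st_ino`. The code that parses the 'S' card is not in this diff, so confirm it accepts the chosen format before changing the conversion.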
@@ -48,7 +48,7 @@ static char sccsid[] = "@(#)lptest.c 8.1 (Berkeley) 6/6/93"; /* * lptest -- line printer test program (and other devices). */ -void +int main(argc, argv) int argc; char **argv; diff --git a/usr.sbin/lpr/pac/pac.c b/usr.sbin/lpr/pac/pac.c index 17e207e..692f005 100644 --- a/usr.sbin/lpr/pac/pac.c +++ b/usr.sbin/lpr/pac/pac.c @@ -98,7 +98,7 @@ static struct hent *lookup __P((char [])); static int qucmp __P((const void *, const void *)); static void rewrite __P((void)); -void +int main(argc, argv) int argc; char **argv; diff --git a/usr.sbin/lpr/runqueue/printjob.c b/usr.sbin/lpr/runqueue/printjob.c index e7e8324..d47d3f0 100644 --- a/usr.sbin/lpr/runqueue/printjob.c +++ b/usr.sbin/lpr/runqueue/printjob.c @@ -288,6 +288,8 @@ again: if (TR != NULL) /* output trailer */ (void) write(ofd, TR, strlen(TR)); } + (void) close(ofd); + (void) wait(NULL); (void) unlink(tempfile); exit(0); } -- cgit v1.1