Fix possible buffer overflow with finger and fingerd.

Submitted by: Lukasz Luzar <lluzar@noname.kki.krakow.pl> and Eivind Eklund <eivind@yes.no> This patch is actually a combination of those two patches.
svn path=/head/; revision=50127
1999-08-21 18:25:38 +00:00 · 1999-08-21 18:25:38 +00:00 · e0d8eea175 · 2020-12-20 02:59:44 +00:00
commit e0d8eea175
parent fa62586ae7
1 changed files with 27 additions and 16 deletions
--- a/usr.bin/finger/util.c
+++ b/usr.bin/finger/util.c
@ -39,7 +39,7 @@
 static char sccsid[] = "@(#)util.c	8.3 (Berkeley) 4/28/95";
 #else
 static const char rcsid[] =
-	"$Id$";
+	"$Id: util.c,v 1.5 1997/07/02 06:34:51 charnier Exp $";
 #endif
 #endif /* not lint */

@ -79,7 +79,8 @@ match(pw, user)
 	 * XXX
 	 * Why do we skip asterisks!?!?
 	 */
-	(void)strcpy(p = tbuf, pw->pw_gecos);
+	(void)strncpy(p = tbuf, pw->pw_gecos, sizeof(tbuf));
+	p[sizeof(tbuf) - 1] = '\0';
 	if (*p == '*')
 		++p;

@ -87,13 +88,17 @@ match(pw, user)
 	if ((p = strtok(p, ",")) == NULL)
 		return(0);

-	for (t = name; (*t = *p) != '\0'; ++p)
-		if (*t == '&') {
-			(void)strcpy(t, pw->pw_name);
+	for (t = name; (*t = *p) != '\0' && t - name > sizeof(name); ++p) {
+		if (*t == '&') { 
+			(void)strncpy(t, pw->pw_name, 
+			    sizeof(name) - (t - name));
+			name[sizeof(name) - 1] = '\0';
 			while (*++t);
-		}
-		else
+		} else {
 			++t;
+		}
+	}
+	*t = '\0';
 	for (t = name; (p = strtok(t, "\t ")) != NULL; t = NULL)
 		if (!strcasecmp(p, user))
 			return(1);
@ -267,7 +272,7 @@ prphone(num)
 {
 	register char *p;
 	int len;
-	static char pbuf[15];
+	static char pbuf[20];

 	/* don't touch anything if the user has their own formatting */
 	for (p = num; *p; ++p)
@ -346,22 +351,27 @@ userinfo(pn, pw)
 	pn->shell = strdup(pw->pw_shell);

 	/* why do we skip asterisks!?!? */
-	(void)strcpy(bp = tbuf, pw->pw_gecos);
+	(void)strncpy(bp = tbuf, pw->pw_gecos, sizeof(tbuf));
+	bp[sizeof(tbuf) - 1] = '\0';
 	if (*bp == '*')
 		++bp;

 	/* ampersands get replaced by the login name */
 	if (!(p = strsep(&bp, ",")))
 		return;
-	for (t = name; (*t = *p) != '\0'; ++p)
+	for (t = name; (*t = *p) != '\0' && t < name + sizeof(name); ++p) {
 		if (*t == '&') {
-			(void)strcpy(t, pw->pw_name);
+			(void)strncpy(t, pw->pw_name, 
+			    sizeof(name) - (t - name));
+			name[sizeof(name) - 1] = '\0';
 			if (islower(*t))
 				*t = toupper(*t);
 			while (*++t);
-		}
-		else
+		} else {
 			++t;
+		}
+	}
+	*t = '\0';
 	pn->realname = strdup(name);
 	pn->office = ((p = strsep(&bp, ",")) && *p) ?
 	    strdup(p) : NULL;
@ -369,7 +379,7 @@ userinfo(pn, pw)
 	    strdup(p) : NULL;
 	pn->homephone = ((p = strsep(&bp, ",")) && *p) ?
 	    strdup(p) : NULL;
-	(void)sprintf(tbuf,"%s/%s", _PATH_MAILDIR, pw->pw_name);
+	(void)snprintf(tbuf, sizeof(tbuf), "%s/%s", _PATH_MAILDIR, pw->pw_name);
 	pn->mailrecv = -1;		/* -1 == not_valid */
 	if (stat(tbuf, &sb) < 0) {
 		if (errno != ENOENT) {
@ -396,9 +406,10 @@ hide(pw)
 	if (!pw->pw_dir)
 		return 0;

-	sprintf (buf, "%s/.nofinger", pw->pw_dir);
+	snprintf(buf, sizeof(buf), "%s/.nofinger", pw->pw_dir);
+	buf[sizeof(buf) - 1] = '\0';

-	if (access (buf, F_OK) == 0)
+	if (access(buf, F_OK) == 0)
 		return 1;

 	return 0;