d/freebsd-nq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Even more buffer overflow fixes

Browse Source 
Change CATMODE to 0644, because group man not used
Add immutable sbit to man binary, so if user even got man uid,
he can't replace man binary with fake one

Should go to 2.2

Submitted by: Marc Slemko <marcs@znep.com> with small editing by me
This commit is contained in:
Andrey A. Chernov 1996-12-19 10:45:16 +00:00
parent 95d98df162
commit 9730ef2973
2 changed files with 52 additions and 51 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
gnu/usr.bin/man/man/Makefile
View File

@ -2,6 +2,7 @@ PROG= man
SRCS= man.c manpath.c glob.c
BINOWN= man
BINMODE=4555
INSTALLFLAGS+= -fschg
.if exists(${.OBJDIR}/../lib)
LIBDESTDIR= ${.OBJDIR}/../lib
@ -19,7 +20,7 @@ MAN1= ${.CURDIR}/man.1
.endif
CFLAGS+= -I${.CURDIR}/../lib -DSTDC_HEADERS -DPOSIX -DHAS_TROFF
CFLAGS+= -DDO_COMPRESS -DALT_SYSTEMS -DSETREUID -DCATMODE=0664
CFLAGS+= -DDO_COMPRESS -DALT_SYSTEMS -DSETREUID -DCATMODE=0644
CLEANFILES+= ${MAN1}
MANDEPEND+= ${MAN1}

100
gnu/usr.bin/man/man/man.c
View File

@ -435,9 +435,7 @@ man_getopt (argc, argv)
fprintf (stderr, "Alternate system `%s' specified\n",
alt_system_name);
strcpy (buf, p);
strcat (buf, "/");
strcat (buf, alt_system_name);
snprintf(buf, sizeof(buf), "%s/%s", p, alt_system_name);
mp = add_dir_to_mpath_list (mp, buf);
}
@ -537,15 +535,17 @@ convert_name (name, to_cat)
#ifdef DO_COMPRESS
if (to_cat)
{
int len = strlen (name) + 3;
int olen = strlen(name);
int cextlen = strlen(COMPRESS_EXT);
int len = olen + cextlen;
to_name = (char *) malloc (len);
to_name = malloc (len+1);
if (to_name == NULL)
gripe_alloc (len, "to_name");
gripe_alloc (len+1, "to_name");
strcpy (to_name, name);
olen -= cextlen;
/* Avoid tacking it on twice */
if (strcmp(name + (len - (3 + cextlen)), COMPRESS_EXT))
if (olen >= 1 && strcmp(name + olen, COMPRESS_EXT) != 0)
strcat (to_name, COMPRESS_EXT);
}
else
@ -749,8 +749,10 @@ ultimate_source (name, path)
char *beg;
char *end;
strcpy (ult, name);
strcpy (buf, name);
strncpy (ult, name, sizeof(ult)-1);
ult[sizeof(ult)-1] = '\0';
strncpy (buf, name, sizeof(buf)-1);
ult[sizeof(buf)-1] = '\0';
next:
@ -775,11 +777,8 @@ ultimate_source (name, path)
*end = '\0';
strcpy (ult, path);
strcat (ult, "/");
strcat (ult, beg);
strcpy (buf, ult);
snprintf(ult, sizeof(ult), "%s/%s", path, beg);
snprintf(buf, sizeof(buf), "%s", ult);
goto next;
}
@ -791,34 +790,34 @@ ultimate_source (name, path)
}
void
add_directive (first, d, file, buf)
add_directive (first, d, file, buf, bufsize)
int *first;
char *d;
char *file;
char *buf;
int bufsize;
{
if (strcmp (d, "") != 0)
{
if (*first)
{
*first = 0;
strcpy (buf, d);
strcat (buf, " ");
strcat (buf, file);
snprintf(buf, bufsize, "%s %s", d, file);
}
else
{
strcat (buf, " | ");
strcat (buf, d);
strncat (buf, " | ", bufsize-strlen(buf)-1);
strncat (buf, d, bufsize-strlen(buf)-1);
}
}
}
int
parse_roff_directive (cp, file, buf)
parse_roff_directive (cp, file, buf, bufsize)
char *cp;
char *file;
char *buf;
int bufsize;
{
char c;
int first = 1;
@ -834,9 +833,9 @@ parse_roff_directive (cp, file, buf)
fprintf (stderr, "found eqn(1) directive\n");
if (troff)
add_directive (&first, EQN, file, buf);
add_directive (&first, EQN, file, buf, bufsize);
else
add_directive (&first, NEQN, file, buf);
add_directive (&first, NEQN, file, buf, bufsize);
break;
@ -845,7 +844,7 @@ parse_roff_directive (cp, file, buf)
if (debug)
fprintf (stderr, "found grap(1) directive\n");
add_directive (&first, GRAP, file, buf);
add_directive (&first, GRAP, file, buf, bufsize);
break;
@ -854,7 +853,7 @@ parse_roff_directive (cp, file, buf)
if (debug)
fprintf (stderr, "found pic(1) directive\n");
add_directive (&first, PIC, file, buf);
add_directive (&first, PIC, file, buf, bufsize);
break;
@ -864,7 +863,7 @@ parse_roff_directive (cp, file, buf)
fprintf (stderr, "found tbl(1) directive\n");
tbl_found++;
add_directive (&first, TBL, file, buf);
add_directive (&first, TBL, file, buf, bufsize);
break;
case 'v':
@ -872,7 +871,7 @@ parse_roff_directive (cp, file, buf)
if (debug)
fprintf (stderr, "found vgrind(1) directive\n");
add_directive (&first, VGRIND, file, buf);
add_directive (&first, VGRIND, file, buf, bufsize);
break;
case 'r':
@ -880,7 +879,7 @@ parse_roff_directive (cp, file, buf)
if (debug)
fprintf (stderr, "found refer(1) directive\n");
add_directive (&first, REFER, file, buf);
add_directive (&first, REFER, file, buf, bufsize);
break;
case ' ':
@ -903,19 +902,19 @@ parse_roff_directive (cp, file, buf)
#ifdef HAS_TROFF
if (troff)
{
strcat (buf, " | ");
strcat (buf, TROFF);
strncat (buf, " | ", bufsize-strlen(buf)-1);
strncat (buf, TROFF, bufsize-strlen(buf)-1);
}
else
#endif
{
strcat (buf, " | ");
strcat (buf, NROFF);
strncat (buf, " | ", bufsize-strlen(buf)-1);
strncat (buf, NROFF, bufsize-strlen(buf)-1);
}
if (tbl_found && !troff && strcmp (COL, "") != 0)
{
strcat (buf, " | ");
strcat (buf, COL);
strncat (buf, " | ", bufsize-strlen(buf)-1);
strncat (buf, COL, bufsize-strlen(buf)-1);
}
return 0;
@ -936,7 +935,7 @@ make_roff_command (file)
if (debug)
fprintf (stderr, "parsing directive from command line\n");
status = parse_roff_directive (roff_directive, file, buf);
status = parse_roff_directive (roff_directive, file, buf, sizeof(buf));
if (status == 0)
return buf;
@ -948,13 +947,13 @@ make_roff_command (file)
if ((fp = fopen (file, "r")) != NULL)
{
cp = line;
fgets (line, 100, fp);
fgets (line, BUFSIZ, fp);
if (*cp++ == '\'' && *cp++ == '\\' && *cp++ == '"' && *cp++ == ' ')
{
if (debug)
fprintf (stderr, "parsing directive from file\n");
status = parse_roff_directive (cp, file, buf);
status = parse_roff_directive (cp, file, buf, sizeof(buf));
fclose (fp);
@ -980,7 +979,7 @@ make_roff_command (file)
if (debug)
fprintf (stderr, "parsing directive from environment\n");
status = parse_roff_directive (cp, file, buf);
status = parse_roff_directive (cp, file, buf, sizeof(buf));
if (status == 0)
return buf;
@ -1000,13 +999,13 @@ make_roff_command (file)
{
if (strcmp (TBL, "") != 0)
{
strcat (buf, TBL);
strcat (buf, " | ");
strcat (buf, TROFF);
strncat(buf, TBL, sizeof(buf)-strlen(buf)-1);
strncat(buf, " | ", sizeof(buf)-strlen(buf)-1);
strncat(buf, TROFF, sizeof(buf)-strlen(buf)-1);
}
else
{
strcat (buf, TROFF);
strncat(buf, TROFF, sizeof(buf)-strlen(buf)-1);
}
}
else
@ -1014,19 +1013,19 @@ make_roff_command (file)
{
if (strcmp (TBL, "") != 0)
{
strcat (buf, TBL);
strcat (buf, " | ");
strcat (buf, NROFF);
strncat(buf, TBL, sizeof(buf)-strlen(buf)-1);
strncat(buf, " | ", sizeof(buf)-strlen(buf)-1);
strncat(buf, NROFF, sizeof(buf)-strlen(buf)-1);
}
else
{
strcpy (buf, NROFF);
strncpy (buf, NROFF, sizeof(buf));
}
if (strcmp (COL, "") != 0)
{
strcat (buf, " | ");
strcat (buf, COL);
strncat (buf, " | ", sizeof(buf)-strlen(buf)-1);
strncat (buf, COL, sizeof(buf)-strlen(buf)-1);
}
}
return buf;
@ -1514,7 +1513,8 @@ get_section_list ()
int i;
char *p;
char *end;
static char *tmp_section_list[100];
#define TMP_SECTION_LIST_SIZE 100
static char *tmp_section_list[TMP_SECTION_LIST_SIZE];
if (colon_sep_section_list == NULL)
{
@ -1529,7 +1529,7 @@ get_section_list ()
}
i = 0;
for (p = colon_sep_section_list; ; p = end+1)
for (p = colon_sep_section_list; i < TMP_SECTION_LIST_SIZE ; p = end+1)
{
if ((end = strchr (p, ':')) != NULL)
*end = '\0';