lpc/cmds.c:

From NetBSD via OpenBSD to fix NetBSD PR #506 More descriptive message for printer status (OpenBSD: 1.2) Various warnings cleaned up (OpenBSD: 1.4) lpc/lpc.c: Various warnings cleaned up (OpenBSD: 1.3) lpd/lpd.c: Remove trailing blank lines (OpenBSD: 1.2) Potential umask problem with creating /dev/printer (OpenBSD: 1.4 and 1.5) Ftp bounce attack (untested on FreeBSD) (OpenBSD: 1.6, 1.8, 1.9) Fencepost in strncpy (OpenBSD: 1.6) lpd/printjob.c: Fix from freebsd for waiting for an exiting filter, that appears not in the FreeBSD CVS tree. (OpenBSD: 1.6) lpd/recvjob.c: Buffer overflow protection: use strncpy rather than strcpy. (OpenBSD: 1.3) lpr/lpr.c: NetBSD change of return type for main() (OpenBSD: 1.2) Restrict time running as root (OpenBSD: 1.7) Use getcwd rather than getwd (from NetBSD) Use snprintf rather than sprintf (OpenBSD: 1.8) Minor tweak to end of loop and buffer overflow sanity. card() overflow already in FreeBSD (OpenBSD: 1.9) lptest/lptest.c: void -> int return type of main, from NetBSD via OpenBSD (OpenBSD: 1.2) pac/pac.c: void -> int return type of main, from NetBSD via OpenBSD (OpenBSD: 1.3) Obtained from: OpenBSD
1996-10-27 03:06:52 +00:00 · 1996-10-27 03:06:52 +00:00 · bc407914f9
commit bc407914f9
parent 9c91ce9853
10 changed files with 57 additions and 38 deletions
--- a/usr.sbin/lpr/common_source/recvjob.c
+++ b/usr.sbin/lpr/common_source/recvjob.c
@ -170,7 +170,8 @@ readjob()
 			 * returns
 			 */
 			strcpy(cp + 6, from);
-			strcpy(tfname, cp);
+			strncpy(tfname, cp, sizeof tfname-1);
+			tfname[sizeof tfname-1] = '\0';
 			tfname[0] = 't';
 			if (!chksize(size)) {
 				(void) write(1, "\2", 1);
@ -197,7 +198,8 @@ readjob()
 				(void) write(1, "\2", 1);
 				continue;
 			}
-			(void) strcpy(dfname, cp);
+			(void) strncpy(dfname, cp, sizeof dfname-1);
+			dfname[sizeof dfname-1] = '\0';
 			if (index(dfname, '/'))
 				frecverr("readjob: %s: illegal path name",
 					dfname);
--- a/usr.sbin/lpr/lpc/cmds.c
+++ b/usr.sbin/lpr/lpc/cmds.c
@ -277,7 +277,7 @@ sortq(a, b)

 	d1 = (struct dirent **)a;
 	d2 = (struct dirent **)b;
-	if (c1 = strcmp((*d1)->d_name + 3, (*d2)->d_name + 3))
+	if ((c1 = strcmp((*d1)->d_name + 3, (*d2)->d_name + 3)))
 		return(c1);
 	c1 = (*d1)->d_name[0];
 	c2 = (*d2)->d_name[0];
@ -305,7 +305,7 @@ cleanpr()
 		SD = _PATH_DEFSPOOL;
 	printf("%s:\n", printer);

-	for (lp = line, cp = SD; *lp++ = *cp++; )
+	for (lp = line, cp = SD; (*lp++ = *cp++); )
 		;
 	lp[-1] = '/';

@ -592,7 +592,7 @@ putmsg(argc, argv)
 	cp1 = buf;
 	while (--argc >= 0) {
 		cp2 = *argv++;
-		while (*cp1++ = *cp2++)
+		while ((*cp1++ = *cp2++))
 			;
 		cp1[-1] = ' ';
 	}
@ -815,7 +815,7 @@ prstat()
 	fd = open(line, O_RDONLY);
 	if (fd < 0 || flock(fd, LOCK_SH|LOCK_NB) == 0) {
 		(void) close(fd);	/* unlocks as well */
-		printf("\tno daemon present\n");
+		printf("\tprinter idle\n");
 		return;
 	}
 	(void) close(fd);
--- a/usr.sbin/lpr/lpc/lpc.c
+++ b/usr.sbin/lpr/lpc/lpc.c
@ -178,7 +178,7 @@ getcmd(name)
 	longest = 0;
 	nmatches = 0;
 	found = 0;
-	for (c = cmdtab; p = c->c_name; c++) {
+	for (c = cmdtab; (p = c->c_name); c++) {
 		for (q = name; *q == *p++; q++)
 			if (*q == 0)		/* exact match? */
 				return(c);
--- a/usr.sbin/lpr/lpd/lpd.c
+++ b/usr.sbin/lpr/lpd/lpd.c
@ -179,6 +179,7 @@ main(argc, argv)
 	}
 #define	mask(s)	(1 << ((s) - 1))
 	omask = sigblock(mask(SIGHUP)|mask(SIGINT)|mask(SIGQUIT)|mask(SIGTERM));
+	(void) umask(07);
 	signal(SIGHUP, mcleanup);
 	signal(SIGINT, mcleanup);
 	signal(SIGQUIT, mcleanup);
@ -193,6 +194,7 @@ main(argc, argv)
 		syslog(LOG_ERR, "ubind: %m");
 		exit(1);
 	}
+	(void) umask(0);
 	sigsetmask(omask);
 	FD_ZERO(&defreadfds);
 	FD_SET(funix, &defreadfds);
@ -245,6 +247,10 @@ main(argc, argv)
 			domain = AF_INET, fromlen = sizeof(frominet);
 			s = accept(finet,
 			    (struct sockaddr *)&frominet, &fromlen);
+			if (frominet.sin_port == htons(20)) {
+				close(s);
+				continue;
+			}
 		}
 		if (s < 0) {
 			if (errno != EINTR)
@ -494,9 +500,11 @@ chkhost(f)
 	register struct hostent *hp;
 	register FILE *hostf;
 	int first = 1;
+	int good = 0;

 	f->sin_port = ntohs(f->sin_port);
-	if (f->sin_family != AF_INET || f->sin_port >= IPPORT_RESERVED)
+	if (f->sin_family != AF_INET || f->sin_port >= IPPORT_RESERVED ||
+	    f->sin_port == htons(20))
 		fatal("Malformed from address");

 	/* Need real hostname for temporary filenames */
@ -506,10 +514,24 @@ chkhost(f)
 		fatal("Host name for your address (%s) unknown",
 			inet_ntoa(f->sin_addr));

-	(void) strncpy(fromb, hp->h_name, sizeof(fromb));
+	(void) strncpy(fromb, hp->h_name, sizeof(fromb) - 1);
 	from[sizeof(fromb) - 1] = '\0';
 	from = fromb;

+	/* Check for spoof, ala rlogind */
+	hp = gethostbyname(fromb);
+	if (!hp)
+		fatal("hostname for your address (%s) unknown",
+		    inet_ntoa(f->sin_addr));
+	for (; good == 0 && hp->h_addr_list[0] != NULL; hp->h_addr_list++) {
+		if (!bcmp(hp->h_addr_list[0], (caddr_t)&f->sin_addr,
+		    sizeof(f->sin_addr)))
+			good = 1;
+	}
+	if (good == 0)
+		fatal("address for your hostname (%s) not matched",
+		    inet_ntoa(f->sin_addr));
+
 	hostf = fopen(_PATH_HOSTSEQUIV, "r");
 again:
 	if (hostf) {
@ -528,15 +550,3 @@ again:
 	fatal("Your host does not have line printer access");
 	/*NOTREACHED*/
 }
-
-
-
-
-
-
-
-
-
-
-
-
--- a/usr.sbin/lpr/lpd/printjob.c
+++ b/usr.sbin/lpr/lpd/printjob.c
@ -288,6 +288,8 @@ again:
 			if (TR != NULL)		/* output trailer */
 				(void) write(ofd, TR, strlen(TR));
 		}
+		(void) close(ofd);
+		(void) wait(NULL);
 		(void) unlink(tempfile);
 		exit(0);
 	}
--- a/usr.sbin/lpr/lpd/recvjob.c
+++ b/usr.sbin/lpr/lpd/recvjob.c
@ -170,7 +170,8 @@ readjob()
 			 * returns
 			 */
 			strcpy(cp + 6, from);
-			strcpy(tfname, cp);
+			strncpy(tfname, cp, sizeof tfname-1);
+			tfname[sizeof tfname-1] = '\0';
 			tfname[0] = 't';
 			if (!chksize(size)) {
 				(void) write(1, "\2", 1);
@ -197,7 +198,8 @@ readjob()
 				(void) write(1, "\2", 1);
 				continue;
 			}
-			(void) strcpy(dfname, cp);
+			(void) strncpy(dfname, cp, sizeof dfname-1);
+			dfname[sizeof dfname-1] = '\0';
 			if (index(dfname, '/'))
 				frecverr("readjob: %s: illegal path name",
 					dfname);
--- a/usr.sbin/lpr/lpr/lpr.c
+++ b/usr.sbin/lpr/lpr/lpr.c
@ -45,7 +45,7 @@ static char copyright[] =

 #ifndef lint
 static char sccsid[] = "From: @(#)lpr.c	8.4 (Berkeley) 4/28/95"
-	"\n$Id: lpr.c,v 1.8 1996/10/25 18:14:48 imp Exp $\n";
+	"\n$Id: lpr.c,v 1.9 1996/10/26 00:46:34 imp Exp $\n";
 #endif /* not lint */

 /*
@ -113,7 +113,7 @@ static int	 nfile __P((char *));
 static int	 test __P((char *));
 static void	 usage __P((void));

-void
+int
 main(argc, argv)
 	int argc;
 	char *argv[];
@ -272,7 +272,7 @@ main(argc, argv)
 	/*
 	 * Check to make sure queuing is enabled if userid is not root.
 	 */
-	(void) sprintf(buf, "%s/%s", SD, LO);
+	(void) snprintf(buf, sizeof(buf), "%s/%s", SD, LO);
 	if (userid && stat(buf, &stb) == 0 && (stb.st_mode & 010))
 		fatal2("Printer queue is disabled");
 	/*
@ -321,7 +321,8 @@ main(argc, argv)
 			continue;	/* file unreasonable */

 		if (sflag && (cp = linked(arg)) != NULL) {
-			(void) sprintf(buf, "%d %d", statb.st_dev, statb.st_ino);
+			(void) snprintf(buf, sizeof(buf), "%d %d", statb.st_dev,
+				statb.st_ino);
 			card('S', buf);
 			if (format == 'p')
 				card('T', title ? title : arg);
@ -339,12 +340,12 @@ main(argc, argv)
 			printf("%s: %s: not linked, copying instead\n", name, arg);
 		if ((i = open(arg, O_RDONLY)) < 0) {
 			printf("%s: cannot open %s\n", name, arg);
-			continue;
+		} else {
+			copy(i, arg);
+			(void) close(i);
+			if (f && unlink(arg) < 0)
+				printf("%s: %s: not removed\n", name, arg);
 		}
-		copy(i, arg);
-		(void) close(i);
-		if (f && unlink(arg) < 0)
-			printf("%s: %s: not removed\n", name, arg);
 	}

 	if (nact) {
@ -434,7 +435,7 @@ linked(file)
 	static char buf[BUFSIZ];

 	if (*file != '/') {
-		if (getwd(buf) == NULL)
+		if (getcwd(buf,sizeof(buf)) == NULL)
 			return(NULL);
 		while (file[0] == '.') {
 			switch (file[1]) {
@ -693,7 +694,7 @@ mktemps()
 	register char *cp;
 	char buf[BUFSIZ];

-	(void) sprintf(buf, "%s/.seq", SD);
+	(void) snprintf(buf, sizeof(buf), "%s/.seq", SD);
 	if ((fd = open(buf, O_RDWR|O_CREAT, 0661)) < 0) {
 		printf("%s: cannot create %s\n", name, buf);
 		exit(1);
@ -717,7 +718,7 @@ mktemps()
 	inchar = strlen(SD) + 3;
 	n = (n + 1) % 1000;
 	(void) lseek(fd, (off_t)0, 0);
-	sprintf(buf, "%03d\n", n);
+	snprintf(buf, sizeof(buf), "%03d\n", n);
 	(void) write(fd, buf, strlen(buf));
 	(void) close(fd);	/* unlocks as well */
 }
@ -734,7 +735,7 @@ lmktemp(id, num, len)

 	if ((s = malloc(len)) == NULL)
 		fatal2("out of memory");
-	(void) sprintf(s, "%s/%sA%03d%s", SD, id, num, host);
+	(void) snprintf(s, len, "%s/%sA%03d%s", SD, id, num, host);
 	return(s);
 }

--- a/usr.sbin/lpr/lptest/lptest.c
+++ b/usr.sbin/lpr/lptest/lptest.c
@ -48,7 +48,7 @@ static char sccsid[] = "@(#)lptest.c	8.1 (Berkeley) 6/6/93";
 /*
 * lptest -- line printer test program (and other devices).
 */
-void
+int
 main(argc, argv)
 	int argc;
 	char **argv;
--- a/usr.sbin/lpr/pac/pac.c
+++ b/usr.sbin/lpr/pac/pac.c
@ -98,7 +98,7 @@ static struct	hent *lookup __P((char []));
 static int	qucmp __P((const void *, const void *));
 static void	rewrite __P((void));

-void
+int
 main(argc, argv)
 	int argc;
 	char **argv;
--- a/usr.sbin/lpr/runqueue/printjob.c
+++ b/usr.sbin/lpr/runqueue/printjob.c
@ -288,6 +288,8 @@ again:
 			if (TR != NULL)		/* output trailer */
 				(void) write(ofd, TR, strlen(TR));
 		}
+		(void) close(ofd);
+		(void) wait(NULL);
 		(void) unlink(tempfile);
 		exit(0);
 	}