From 5f87a7b6b1748c38c91dde923094a526aea9cd28 Mon Sep 17 00:00:00 2001 From: Warner Losh Date: Tue, 29 Jul 1997 04:17:19 +0000 Subject: [PATCH] Fix boatloads of buffer overflows from the OpenBSD tree. Be pedantic about always using sizeof(blah) vs sizeof (blah) or sizeof blah. Obtained from:OpenBSD --- usr.sbin/lpr/common_source/common.c | 4 +- usr.sbin/lpr/common_source/recvjob.c | 27 +++++---- usr.sbin/lpr/common_source/rmjob.c | 6 +- usr.sbin/lpr/common_source/startdaemon.c | 2 +- usr.sbin/lpr/lpc/cmds.c | 41 ++++++++------ usr.sbin/lpr/lpd/printjob.c | 70 ++++++++++++++---------- usr.sbin/lpr/lpd/recvjob.c | 27 +++++---- usr.sbin/lpr/lpr/lpr.c | 4 +- usr.sbin/lpr/runqueue/printjob.c | 70 ++++++++++++++---------- 9 files changed, 151 insertions(+), 100 deletions(-) diff --git a/usr.sbin/lpr/common_source/common.c b/usr.sbin/lpr/common_source/common.c index 8c777748a422..6cb40984851e 100644 --- a/usr.sbin/lpr/common_source/common.c +++ b/usr.sbin/lpr/common_source/common.c @@ -193,14 +193,14 @@ getline(cfp) register char *lp = line; register c; - while ((c = getc(cfp)) != '\n') { + while ((c = getc(cfp)) != '\n' && linel+1 < sizeof(line)) { if (c == EOF) return(0); if (c == '\t') { do { *lp++ = ' '; linel++; - } while ((linel & 07) != 0); + } while ((linel & 07) != 0 && linel+1 < sizeof(line)); continue; } *lp++ = c; diff --git a/usr.sbin/lpr/common_source/recvjob.c b/usr.sbin/lpr/common_source/recvjob.c index 3bfbb9935821..5c1d0277d903 100644 --- a/usr.sbin/lpr/common_source/recvjob.c +++ b/usr.sbin/lpr/common_source/recvjob.c @@ -65,10 +65,10 @@ static char sccsid[] = "@(#)recvjob.c 8.2 (Berkeley) 4/27/95"; #define ack() (void) write(1, sp, 1); -static char dfname[256]; /* data files */ +static char dfname[NAME_MAX]; /* data files */ static int minfree; /* keep at least minfree blocks available */ static char *sp = ""; -static char tfname[256]; /* tmp copy of cf before linking */ +static char tfname[NAME_MAX]; /* tmp copy of cf before linking */ static int chksize __P((int)); static void frecverr __P((const char *, ...)); @@ -94,7 +94,7 @@ recvjob() frecverr("unknown printer %s", printer); else if (status == -3) fatal("potential reference loop detected in printcap file"); - + if (cgetstr(bp, "lf", &LF) == -1) LF = _PATH_CONSOLE; if (cgetstr(bp, "sd", &SD) == -1) @@ -146,10 +146,13 @@ readjob() do { if ((size = read(1, cp, 1)) != 1) { if (size < 0) - frecverr("%s: Lost connection",printer); + frecverr("%s: Lost connection", + printer); return(nfiles); } - } while (*cp++ != '\n'); + } while (*cp++ != '\n' && (cp - line + 1) < sizeof(line)); + if (cp - line + 1 >= sizeof(line)) + frecverr("readjob overflow"); *--cp = '\0'; cp = line; switch (*cp++) { @@ -169,10 +172,14 @@ readjob() * something different than what gethostbyaddr() * returns */ - strcpy(cp + 6, from); - strncpy(tfname, cp, sizeof tfname-1); - tfname[sizeof tfname-1] = '\0'; + strncpy(cp + 6, from, sizeof(line) + line - cp - 7); + line[sizeof(line) - 1 ] = '\0'; + strncpy(tfname, cp, sizeof(tfname) - 1); + tfname[sizeof (tfname) - 1] = '\0'; tfname[0] = 't'; + if (strchr(tfname, '/')) + frecverr("readjob: %s: illegal path name", + tfname); if (!chksize(size)) { (void) write(1, "\2", 1); continue; @@ -198,8 +205,8 @@ readjob() (void) write(1, "\2", 1); continue; } - (void) strncpy(dfname, cp, sizeof dfname-1); - dfname[sizeof dfname-1] = '\0'; + (void) strncpy(dfname, cp, sizeof(dfname) - 1); + dfname[sizeof(dfname) - 1] = '\0'; if (strchr(dfname, '/')) frecverr("readjob: %s: illegal path name", dfname); diff --git a/usr.sbin/lpr/common_source/rmjob.c b/usr.sbin/lpr/common_source/rmjob.c index a04b4832d076..c5f79d44863a 100644 --- a/usr.sbin/lpr/common_source/rmjob.c +++ b/usr.sbin/lpr/common_source/rmjob.c @@ -88,7 +88,7 @@ rmjob() if (cgetstr(bp,"lo", &LO) < 0) LO = DEFLOCK; cgetstr(bp, "rm", &RM); - if (cp = checkremote()) + if ((cp = checkremote())) printf("Warning: %s\n", cp); /* @@ -325,12 +325,12 @@ rmremote() (void)snprintf(buf, sizeof(buf), "\5%s %s", RP, all ? "-all" : person); cp = buf; - for (i = 0; i < users; i++) { + for (i = 0; i < users && cp-buf+1+strlen(user[i]) < sizeof(buf); i++) { cp += strlen(cp); *cp++ = ' '; strcpy(cp, user[i]); } - for (i = 0; i < requests; i++) { + for (i = 0; i < requests && cp-buf+10 < sizeof(buf); i++) { cp += strlen(cp); (void) sprintf(cp, " %d", requ[i]); } diff --git a/usr.sbin/lpr/common_source/startdaemon.c b/usr.sbin/lpr/common_source/startdaemon.c index a876c1eb98a9..13722f4533f6 100644 --- a/usr.sbin/lpr/common_source/startdaemon.c +++ b/usr.sbin/lpr/common_source/startdaemon.c @@ -83,7 +83,7 @@ startdaemon(printer) return(0); } seteuid(uid); - if (snprintf(buf, sizeof buf, "\1%s\n", printer) > sizeof buf-1) { + if (snprintf(buf, sizeof(buf), "\1%s\n", printer) > sizeof(buf)-1) { close(s); return (0); } diff --git a/usr.sbin/lpr/lpc/cmds.c b/usr.sbin/lpr/lpc/cmds.c index c3b8632e0d93..b772ed38cc2a 100644 --- a/usr.sbin/lpr/lpc/cmds.c +++ b/usr.sbin/lpr/lpc/cmds.c @@ -200,11 +200,11 @@ upstat(msg) char *msg; { register int fd; - char statfile[BUFSIZ]; + char statfile[MAXPATHLEN]; if (cgetstr(bp, "st", &ST) == -1) ST = DEFSTAT; - (void) sprintf(statfile, "%s/%s", SD, ST); + (void) snprintf(statfile, sizeof(statfile), "%s/%s", SD, ST); umask(0); fd = open(statfile, O_WRONLY|O_CREAT, 0664); if (fd < 0 || flock(fd, LOCK_EX) < 0) { @@ -240,7 +240,8 @@ clean(argc, argv) while (cgetnext(&bp, printcapdb) > 0) { cp1 = prbuf; cp2 = bp; - while ((c = *cp2++) && c != '|' && c != ':') + while ((c = *cp2++) && c != '|' && c != ':' && + (cp1 - prbuf) < sizeof(prbuf)) *cp1++ = c; *cp1 = '\0'; cleanpr(); @@ -390,7 +391,8 @@ enable(argc, argv) while (cgetnext(&bp, printcapdb) > 0) { cp1 = prbuf; cp2 = bp; - while ((c = *cp2++) && c != '|' && c != ':') + while ((c = *cp2++) && c != '|' && c != ':' && + (cp1 - prbuf) < sizeof(prbuf)) *cp1++ = c; *cp1 = '\0'; enablepr(); @@ -458,7 +460,8 @@ disable(argc, argv) while (cgetnext(&bp, printcapdb) > 0) { cp1 = prbuf; cp2 = bp; - while ((c = *cp2++) && c != '|' && c != ':') + while ((c = *cp2++) && c != '|' && c != ':' && + (cp1 - prbuf) < sizeof(prbuf)) *cp1++ = c; *cp1 = '\0'; disablepr(); @@ -535,7 +538,8 @@ down(argc, argv) while (cgetnext(&bp, printcapdb) > 0) { cp1 = prbuf; cp2 = bp; - while ((c = *cp2++) && c != '|' && c != ':') + while ((c = *cp2++) && c != '|' && c != ':' && + (cp1 - prbuf) < sizeof(prbuf)) *cp1++ = c; *cp1 = '\0'; putmsg(argc - 2, argv + 2); @@ -614,7 +618,7 @@ putmsg(argc, argv) cp1 = buf; while (--argc >= 0) { cp2 = *argv++; - while ((*cp1++ = *cp2++)) + while ((cp1 - buf) < sizeof(buf) && (*cp1++ = *cp2++)) ; cp1[-1] = ' '; } @@ -656,7 +660,8 @@ restart(argc, argv) while (cgetnext(&bp, printcapdb) > 0) { cp1 = prbuf; cp2 = bp; - while ((c = *cp2++) && c != '|' && c != ':') + while ((c = *cp2++) && c != '|' && c != ':' && + (cp1 - prbuf) < sizeof(prbuf)) *cp1++ = c; *cp1 = '\0'; abortpr(0); @@ -701,7 +706,8 @@ startcmd(argc, argv) while (cgetnext(&bp, printcapdb) > 0) { cp1 = prbuf; cp2 = bp; - while ((c = *cp2++) && c != '|' && c != ':') + while ((c = *cp2++) && c != '|' && c != ':' && + (cp1 - prbuf) < sizeof(prbuf)) *cp1++ = c; *cp1 = '\0'; startpr(1); @@ -770,7 +776,8 @@ status(argc, argv) while (cgetnext(&bp, printcapdb) > 0) { cp1 = prbuf; cp2 = bp; - while ((c = *cp2++) && c != '|' && c != ':') + while ((c = *cp2++) && c != '|' && c != ':' && + (cp1 - prbuf) < sizeof(prbuf)) *cp1++ = c; *cp1 = '\0'; prstat(); @@ -810,7 +817,7 @@ prstat() if (cgetstr(bp, "st", &ST) == -1) ST = DEFSTAT; printf("%s:\n", printer); - (void) sprintf(line, "%s/%s", SD, LO); + (void) snprintf(line, sizeof(line), "%s/%s", SD, LO); if (stat(line, &stbuf) >= 0) { printf("\tqueuing is %s\n", (stbuf.st_mode & 010) ? "disabled" : "enabled"); @@ -844,7 +851,7 @@ prstat() } (void) close(fd); /* print out the contents of the status file, if it exists */ - (void) sprintf(line, "%s/%s", SD, ST); + (void) snprintf(line, sizeof(line), "%s/%s", SD, ST); fd = open(line, O_RDONLY); if (fd >= 0) { (void) flock(fd, LOCK_SH); @@ -880,7 +887,8 @@ stop(argc, argv) while (cgetnext(&bp, printcapdb) > 0) { cp1 = prbuf; cp2 = bp; - while ((c = *cp2++) && c != '|' && c != ':') + while ((c = *cp2++) && c != '|' && c != ':' && + (cp1 - prbuf) < sizeof(prbuf)) *cp1++ = c; *cp1 = '\0'; stoppr(); @@ -1049,8 +1057,8 @@ doarg(job) FILE *fp; /* - * Look for a job item consisting of system name, colon, number - * (example: ucbarpa:114) + * Look for a job item consisting of system name, colon, number + * (example: ucbarpa:114) */ if ((cp = strchr(job, ':')) != NULL) { machine = job; @@ -1128,7 +1136,8 @@ up(argc, argv) while (cgetnext(&bp, printcapdb) > 0) { cp1 = prbuf; cp2 = bp; - while ((c = *cp2++) && c != '|' && c != ':') + while ((c = *cp2++) && c != '|' && c != ':' && + (cp1 - prbuf) < sizeof(prbuf)) *cp1++ = c; *cp1 = '\0'; startpr(2); diff --git a/usr.sbin/lpr/lpd/printjob.c b/usr.sbin/lpr/lpd/printjob.c index 84240d281056..3d1400f1cb7b 100644 --- a/usr.sbin/lpr/lpd/printjob.c +++ b/usr.sbin/lpr/lpd/printjob.c @@ -219,7 +219,7 @@ again: errcnt = 0; restart: (void) lseek(lfd, pidoff, 0); - (void) sprintf(line, "%s\n", q->q_name); + (void) snprintf(line, sizeof(line), "%s\n", q->q_name); i = strlen(line); if (write(lfd, line, i) != i) syslog(LOG_ERR, "%s: %s: %m", printer, LO); @@ -266,7 +266,7 @@ again: syslog(LOG_WARNING, "%s: job could not be %s (%s)", printer, remote ? "sent to remote host" : "printed", q->q_name); if (i == REPRINT) { - /* insure we don't attempt this job again */ + /* ensure we don't attempt this job again */ (void) unlink(q->q_name); q->q_name[0] = 'd'; (void) unlink(q->q_name); @@ -332,7 +332,7 @@ printit(file) */ for (i = 0; i < 4; i++) strcpy(fonts[i], ifonts[i]); - sprintf(&width[2], "%d", PW); + sprintf(&width[2], "%ld", PW); strcpy(indent+2, "0"); /* @@ -377,13 +377,17 @@ printit(file) while (getline(cfp)) switch (line[0]) { case 'H': - strcpy(fromhost, line+1); - if (class[0] == '\0') - strncpy(class, line+1, sizeof(class)-1); + strncpy(fromhost, line+1, sizeof(fromhost) - 1); + fromhost[sizeof(fromhost) - 1] = '\0'; + if (class[0] == '\0') { + strncpy(class, line+1, sizeof(class) - 1); + class[sizeof(class) - 1] = '\0'; + } continue; case 'P': - strncpy(logname, line+1, sizeof(logname)-1); + strncpy(logname, line+1, sizeof(logname) - 1); + logname[sizeof(logname) - 1] = '\0'; if (RS) { /* restricted */ if (getpwnam(logname) == NULL) { bombed = NOACCT; @@ -407,21 +411,24 @@ printit(file) continue; case 'J': - if (line[1] != '\0') - strncpy(jobname, line+1, sizeof(jobname)-1); - else + if (line[1] != '\0') { + strncpy(jobname, line+1, sizeof(jobname) - 1); + jobname[sizeof(jobname) - 1] = '\0'; + } else strcpy(jobname, " "); continue; case 'C': if (line[1] != '\0') - strncpy(class, line+1, sizeof(class)-1); + strncpy(class, line+1, sizeof(class) - 1); else if (class[0] == '\0') gethostname(class, sizeof(class)); + class[sizeof(class) - 1] = '\0'; continue; case 'T': /* header title for pr */ - strncpy(title, line+1, sizeof(title)-1); + strncpy(title, line+1, sizeof(title) - 1); + title[sizeof(title) - 1] = '\0'; continue; case 'L': /* identification line */ @@ -433,16 +440,21 @@ printit(file) case '2': case '3': case '4': - if (line[1] != '\0') - strcpy(fonts[line[0]-'1'], line+1); + if (line[1] != '\0') { + strncpy(fonts[line[0]-'1'], line+1, + 50-1); + fonts[line[0]-'1'][50-1] = '\0'; + } continue; case 'W': /* page width */ - strncpy(width+2, line+1, sizeof(width)-3); + strncpy(width+2, line+1, sizeof(width) - 3); + width[2+sizeof(width) - 3] = '\0'; continue; case 'I': /* indent amount */ - strncpy(indent+2, line+1, sizeof(indent)-3); + strncpy(indent+2, line+1, sizeof(indent) - 3); + indent[2+sizeof(indent) - 3] = '\0'; continue; default: /* some file to print */ @@ -486,6 +498,8 @@ pass2: continue; case 'U': + if (strchr(line+1, '/')) + continue; (void) unlink(line+1); } /* @@ -709,7 +723,7 @@ start: tof = 0; /* Copy filter output to "lf" logfile */ - if (fp = fopen(tempfile, "r")) { + if ((fp = fopen(tempfile, "r"))) { while (fgets(buf, sizeof(buf), fp)) fputs(buf, stderr); fclose(fp); @@ -783,9 +797,9 @@ sendit(file) } else if (line[0] == 'H') { strcpy(fromhost, line+1); if (class[0] == '\0') - strncpy(class, line+1, sizeof(class)-1); + strncpy(class, line+1, sizeof(class) - 1); } else if (line[0] == 'P') { - strncpy(logname, line+1, sizeof(logname)-1); + strncpy(logname, line+1, sizeof(logname) - 1); if (RS) { /* restricted */ if (getpwnam(logname) == NULL) { sendmail(line+1, NOACCT); @@ -794,7 +808,7 @@ sendit(file) } } } else if (line[0] == 'I') { - strncpy(indent+2, line+1, sizeof(indent)-3); + strncpy(indent+2, line+1, sizeof(indent) - 3); } else if (line[0] >= 'a' && line[0] <= 'z') { strcpy(last, line); while (i = getline(cfp)) @@ -825,7 +839,7 @@ sendit(file) */ fseek(cfp, 0L, 0); while (getline(cfp)) - if (line[0] == 'U') + if (line[0] == 'U' && !strchr(line+1, '/')) (void) unlink(line+1); /* * clean-up in case another control file exists @@ -1335,18 +1349,18 @@ init() FF = DEFFF; if (cgetnum(bp, "pw", &PW) < 0) PW = DEFWIDTH; - sprintf(&width[2], "%d", PW); + sprintf(&width[2], "%ld", PW); if (cgetnum(bp, "pl", &PL) < 0) PL = DEFLENGTH; - sprintf(&length[2], "%d", PL); + sprintf(&length[2], "%ld", PL); if (cgetnum(bp,"px", &PX) < 0) PX = 0; - sprintf(&pxwidth[2], "%d", PX); + sprintf(&pxwidth[2], "%ld", PX); if (cgetnum(bp, "py", &PY) < 0) PY = 0; - sprintf(&pxlength[2], "%d", PY); + sprintf(&pxlength[2], "%ld", PY); cgetstr(bp, "rm", &RM); - if (s = checkremote()) + if ((s = checkremote())) syslog(LOG_WARNING, s); cgetstr(bp, "af", &AF); @@ -1514,13 +1528,13 @@ static void openrem() { register int i, n; - int resp, port; + int resp; for (i = 1; ; i = i < 256 ? i << 1 : i) { resp = -1; pfd = getport(RM, 0); if (pfd >= 0) { - (void) sprintf(line, "\2%s\n", RP); + (void) snprintf(line, sizeof(line), "\2%s\n", RP); n = strlen(line); if (write(pfd, line, n) == n && (resp = response()) == '\0') diff --git a/usr.sbin/lpr/lpd/recvjob.c b/usr.sbin/lpr/lpd/recvjob.c index 3bfbb9935821..5c1d0277d903 100644 --- a/usr.sbin/lpr/lpd/recvjob.c +++ b/usr.sbin/lpr/lpd/recvjob.c @@ -65,10 +65,10 @@ static char sccsid[] = "@(#)recvjob.c 8.2 (Berkeley) 4/27/95"; #define ack() (void) write(1, sp, 1); -static char dfname[256]; /* data files */ +static char dfname[NAME_MAX]; /* data files */ static int minfree; /* keep at least minfree blocks available */ static char *sp = ""; -static char tfname[256]; /* tmp copy of cf before linking */ +static char tfname[NAME_MAX]; /* tmp copy of cf before linking */ static int chksize __P((int)); static void frecverr __P((const char *, ...)); @@ -94,7 +94,7 @@ recvjob() frecverr("unknown printer %s", printer); else if (status == -3) fatal("potential reference loop detected in printcap file"); - + if (cgetstr(bp, "lf", &LF) == -1) LF = _PATH_CONSOLE; if (cgetstr(bp, "sd", &SD) == -1) @@ -146,10 +146,13 @@ readjob() do { if ((size = read(1, cp, 1)) != 1) { if (size < 0) - frecverr("%s: Lost connection",printer); + frecverr("%s: Lost connection", + printer); return(nfiles); } - } while (*cp++ != '\n'); + } while (*cp++ != '\n' && (cp - line + 1) < sizeof(line)); + if (cp - line + 1 >= sizeof(line)) + frecverr("readjob overflow"); *--cp = '\0'; cp = line; switch (*cp++) { @@ -169,10 +172,14 @@ readjob() * something different than what gethostbyaddr() * returns */ - strcpy(cp + 6, from); - strncpy(tfname, cp, sizeof tfname-1); - tfname[sizeof tfname-1] = '\0'; + strncpy(cp + 6, from, sizeof(line) + line - cp - 7); + line[sizeof(line) - 1 ] = '\0'; + strncpy(tfname, cp, sizeof(tfname) - 1); + tfname[sizeof (tfname) - 1] = '\0'; tfname[0] = 't'; + if (strchr(tfname, '/')) + frecverr("readjob: %s: illegal path name", + tfname); if (!chksize(size)) { (void) write(1, "\2", 1); continue; @@ -198,8 +205,8 @@ readjob() (void) write(1, "\2", 1); continue; } - (void) strncpy(dfname, cp, sizeof dfname-1); - dfname[sizeof dfname-1] = '\0'; + (void) strncpy(dfname, cp, sizeof(dfname) - 1); + dfname[sizeof(dfname) - 1] = '\0'; if (strchr(dfname, '/')) frecverr("readjob: %s: illegal path name", dfname); diff --git a/usr.sbin/lpr/lpr/lpr.c b/usr.sbin/lpr/lpr/lpr.c index c4ba2321ecde..de0be2ab905a 100644 --- a/usr.sbin/lpr/lpr/lpr.c +++ b/usr.sbin/lpr/lpr/lpr.c @@ -45,7 +45,7 @@ static char copyright[] = #ifndef lint static char sccsid[] = "From: @(#)lpr.c 8.4 (Berkeley) 4/28/95" - "\n$Id: lpr.c,v 1.17 1997/07/23 00:49:37 imp Exp $\n"; + "\n$Id: lpr.c,v 1.18 1997/07/23 20:53:38 imp Exp $\n"; #endif /* not lint */ /* @@ -140,7 +140,7 @@ main(argc, argv) signal(SIGTERM, cleanup); name = argv[0]; - gethostname(host, sizeof (host)); + gethostname(host, sizeof(host)); openlog("lpd", 0, LOG_LPR); errs = 0; diff --git a/usr.sbin/lpr/runqueue/printjob.c b/usr.sbin/lpr/runqueue/printjob.c index 84240d281056..3d1400f1cb7b 100644 --- a/usr.sbin/lpr/runqueue/printjob.c +++ b/usr.sbin/lpr/runqueue/printjob.c @@ -219,7 +219,7 @@ again: errcnt = 0; restart: (void) lseek(lfd, pidoff, 0); - (void) sprintf(line, "%s\n", q->q_name); + (void) snprintf(line, sizeof(line), "%s\n", q->q_name); i = strlen(line); if (write(lfd, line, i) != i) syslog(LOG_ERR, "%s: %s: %m", printer, LO); @@ -266,7 +266,7 @@ again: syslog(LOG_WARNING, "%s: job could not be %s (%s)", printer, remote ? "sent to remote host" : "printed", q->q_name); if (i == REPRINT) { - /* insure we don't attempt this job again */ + /* ensure we don't attempt this job again */ (void) unlink(q->q_name); q->q_name[0] = 'd'; (void) unlink(q->q_name); @@ -332,7 +332,7 @@ printit(file) */ for (i = 0; i < 4; i++) strcpy(fonts[i], ifonts[i]); - sprintf(&width[2], "%d", PW); + sprintf(&width[2], "%ld", PW); strcpy(indent+2, "0"); /* @@ -377,13 +377,17 @@ printit(file) while (getline(cfp)) switch (line[0]) { case 'H': - strcpy(fromhost, line+1); - if (class[0] == '\0') - strncpy(class, line+1, sizeof(class)-1); + strncpy(fromhost, line+1, sizeof(fromhost) - 1); + fromhost[sizeof(fromhost) - 1] = '\0'; + if (class[0] == '\0') { + strncpy(class, line+1, sizeof(class) - 1); + class[sizeof(class) - 1] = '\0'; + } continue; case 'P': - strncpy(logname, line+1, sizeof(logname)-1); + strncpy(logname, line+1, sizeof(logname) - 1); + logname[sizeof(logname) - 1] = '\0'; if (RS) { /* restricted */ if (getpwnam(logname) == NULL) { bombed = NOACCT; @@ -407,21 +411,24 @@ printit(file) continue; case 'J': - if (line[1] != '\0') - strncpy(jobname, line+1, sizeof(jobname)-1); - else + if (line[1] != '\0') { + strncpy(jobname, line+1, sizeof(jobname) - 1); + jobname[sizeof(jobname) - 1] = '\0'; + } else strcpy(jobname, " "); continue; case 'C': if (line[1] != '\0') - strncpy(class, line+1, sizeof(class)-1); + strncpy(class, line+1, sizeof(class) - 1); else if (class[0] == '\0') gethostname(class, sizeof(class)); + class[sizeof(class) - 1] = '\0'; continue; case 'T': /* header title for pr */ - strncpy(title, line+1, sizeof(title)-1); + strncpy(title, line+1, sizeof(title) - 1); + title[sizeof(title) - 1] = '\0'; continue; case 'L': /* identification line */ @@ -433,16 +440,21 @@ printit(file) case '2': case '3': case '4': - if (line[1] != '\0') - strcpy(fonts[line[0]-'1'], line+1); + if (line[1] != '\0') { + strncpy(fonts[line[0]-'1'], line+1, + 50-1); + fonts[line[0]-'1'][50-1] = '\0'; + } continue; case 'W': /* page width */ - strncpy(width+2, line+1, sizeof(width)-3); + strncpy(width+2, line+1, sizeof(width) - 3); + width[2+sizeof(width) - 3] = '\0'; continue; case 'I': /* indent amount */ - strncpy(indent+2, line+1, sizeof(indent)-3); + strncpy(indent+2, line+1, sizeof(indent) - 3); + indent[2+sizeof(indent) - 3] = '\0'; continue; default: /* some file to print */ @@ -486,6 +498,8 @@ pass2: continue; case 'U': + if (strchr(line+1, '/')) + continue; (void) unlink(line+1); } /* @@ -709,7 +723,7 @@ start: tof = 0; /* Copy filter output to "lf" logfile */ - if (fp = fopen(tempfile, "r")) { + if ((fp = fopen(tempfile, "r"))) { while (fgets(buf, sizeof(buf), fp)) fputs(buf, stderr); fclose(fp); @@ -783,9 +797,9 @@ sendit(file) } else if (line[0] == 'H') { strcpy(fromhost, line+1); if (class[0] == '\0') - strncpy(class, line+1, sizeof(class)-1); + strncpy(class, line+1, sizeof(class) - 1); } else if (line[0] == 'P') { - strncpy(logname, line+1, sizeof(logname)-1); + strncpy(logname, line+1, sizeof(logname) - 1); if (RS) { /* restricted */ if (getpwnam(logname) == NULL) { sendmail(line+1, NOACCT); @@ -794,7 +808,7 @@ sendit(file) } } } else if (line[0] == 'I') { - strncpy(indent+2, line+1, sizeof(indent)-3); + strncpy(indent+2, line+1, sizeof(indent) - 3); } else if (line[0] >= 'a' && line[0] <= 'z') { strcpy(last, line); while (i = getline(cfp)) @@ -825,7 +839,7 @@ sendit(file) */ fseek(cfp, 0L, 0); while (getline(cfp)) - if (line[0] == 'U') + if (line[0] == 'U' && !strchr(line+1, '/')) (void) unlink(line+1); /* * clean-up in case another control file exists @@ -1335,18 +1349,18 @@ init() FF = DEFFF; if (cgetnum(bp, "pw", &PW) < 0) PW = DEFWIDTH; - sprintf(&width[2], "%d", PW); + sprintf(&width[2], "%ld", PW); if (cgetnum(bp, "pl", &PL) < 0) PL = DEFLENGTH; - sprintf(&length[2], "%d", PL); + sprintf(&length[2], "%ld", PL); if (cgetnum(bp,"px", &PX) < 0) PX = 0; - sprintf(&pxwidth[2], "%d", PX); + sprintf(&pxwidth[2], "%ld", PX); if (cgetnum(bp, "py", &PY) < 0) PY = 0; - sprintf(&pxlength[2], "%d", PY); + sprintf(&pxlength[2], "%ld", PY); cgetstr(bp, "rm", &RM); - if (s = checkremote()) + if ((s = checkremote())) syslog(LOG_WARNING, s); cgetstr(bp, "af", &AF); @@ -1514,13 +1528,13 @@ static void openrem() { register int i, n; - int resp, port; + int resp; for (i = 1; ; i = i < 256 ? i << 1 : i) { resp = -1; pfd = getport(RM, 0); if (pfd >= 0) { - (void) sprintf(line, "\2%s\n", RP); + (void) snprintf(line, sizeof(line), "\2%s\n", RP); n = strlen(line); if (write(pfd, line, n) == n && (resp = response()) == '\0')