From 7524a0790d23f2ecfad3e98c058f58d7dc01a655 Mon Sep 17 00:00:00 2001 From: Kris Kennaway Date: Thu, 5 Oct 2000 02:49:49 +0000 Subject: [PATCH] * Buffer-safe string function cleanup. There are a couple of strcpy() and strcat()s which would be more difficult to fix, but I think they're safe anyway. * Don't crash at runtime by overflowing a buffer with constant data in print-icmp.c on a long hostname. * Don't overflow a static buffer by trying to decode an AFS ACL into a buffer which is way too small for it. Reviewed by: -audit --- contrib/tcpdump/addrtoname.c | 6 +++--- contrib/tcpdump/print-atalk.c | 4 ++-- contrib/tcpdump/print-fr.c | 6 ++++-- contrib/tcpdump/print-icmp.c | 38 +++++++++++++++++----------------- contrib/tcpdump/print-sunrpc.c | 6 ++++-- 5 files changed, 32 insertions(+), 28 deletions(-) diff --git a/contrib/tcpdump/addrtoname.c b/contrib/tcpdump/addrtoname.c index 99134e94cb6a..c1f220821c08 100644 --- a/contrib/tcpdump/addrtoname.c +++ b/contrib/tcpdump/addrtoname.c @@ -559,7 +559,7 @@ tcpport_string(u_short port) tp->addr = i; tp->nxt = newhnamemem(); - (void)sprintf(buf, "%u", i); + (void)snprintf(buf, sizeof(buf), "%u", i); tp->name = savestr(buf); return (tp->name); } @@ -578,7 +578,7 @@ udpport_string(register u_short port) tp->addr = i; tp->nxt = newhnamemem(); - (void)sprintf(buf, "%u", i); + (void)snprintf(buf, sizeof(buf), "%u", i); tp->name = savestr(buf); return (tp->name); } @@ -604,7 +604,7 @@ init_servarray(void) while (table->name) table = table->nxt; if (nflag) { - (void)sprintf(buf, "%d", port); + (void)snprintf(buf, sizeof(buf), "%d", port); table->name = savestr(buf); } else table->name = savestr(sv->s_name); diff --git a/contrib/tcpdump/print-atalk.c b/contrib/tcpdump/print-atalk.c index 869881fa014f..2b77ecd35579 100644 --- a/contrib/tcpdump/print-atalk.c +++ b/contrib/tcpdump/print-atalk.c @@ -500,7 +500,7 @@ ataddr_string(u_short atnet, u_char athost) { register struct hnamemem *tp, *tp2; register int i = (atnet << 8) | athost; - char nambuf[256]; + char nambuf[MAXHOSTNAMELEN + 20]; static int first = 1; FILE *fp; @@ -545,7 +545,7 @@ ataddr_string(u_short atnet, u_char athost) if (tp2->addr == i) { tp->addr = (atnet << 8) | athost; tp->nxt = newhnamemem(); - (void)sprintf(nambuf, "%s.%d", tp2->name, athost); + (void)snprintf(nambuf, sizeof(nambuf), "%s.%d", tp2->name, athost); tp->name = savestr(nambuf); return (tp->name); } diff --git a/contrib/tcpdump/print-fr.c b/contrib/tcpdump/print-fr.c index 80364d3a12ea..70393387f210 100644 --- a/contrib/tcpdump/print-fr.c +++ b/contrib/tcpdump/print-fr.c @@ -17,6 +17,8 @@ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. + * + * $FreeBSD$ */ #ifndef lint @@ -395,12 +397,12 @@ q933_print(const u_char *p, int length) break; case LINK_VERIFY_IE_91: case LINK_VERIFY_IE_94: - sprintf(temp_str,"TX Seq: %3d, RX Seq: %3d", + snprintf(temp_str, sizeof(temp_str), "TX Seq: %3d, RX Seq: %3d", ptemp[2], ptemp[3]); decode_str = temp_str; break; case PVC_STATUS_IE: - sprintf(temp_str,"DLCI %d: status %s %s", + snprintf(temp_str,sizeof(temp_str), "DLCI %d: status %s %s", ((ptemp[2]&0x3f)<<4)+ ((ptemp[3]&0x78)>>3), ptemp[4] & 0x8 ?"new,":" ", ptemp[4] & 0x2 ?"Active":"Inactive"); diff --git a/contrib/tcpdump/print-icmp.c b/contrib/tcpdump/print-icmp.c index ca2bf07afb26..a4b3dd6206df 100644 --- a/contrib/tcpdump/print-icmp.c +++ b/contrib/tcpdump/print-icmp.c @@ -177,7 +177,7 @@ icmp_print(register const u_char *bp, u_int plen, register const u_char *bp2) register const struct ip *oip; register const struct udphdr *ouh; register u_int hlen, dport, mtu; - char buf[256]; + char buf[MAXHOSTNAMELEN + 100]; dp = (struct icmp *)bp; ip = (struct ip *)bp2; @@ -198,7 +198,7 @@ icmp_print(register const u_char *bp, u_int plen, register const u_char *bp2) case ICMP_UNREACH_PROTOCOL: TCHECK(dp->icmp_ip.ip_p); - (void)sprintf(buf, "%s protocol %d unreachable", + (void)snprintf(buf, sizeof(buf), "%s protocol %d unreachable", ipaddr_string(&dp->icmp_ip.ip_dst), dp->icmp_ip.ip_p); break; @@ -212,21 +212,21 @@ icmp_print(register const u_char *bp, u_int plen, register const u_char *bp2) switch (oip->ip_p) { case IPPROTO_TCP: - (void)sprintf(buf, + (void)snprintf(buf, sizeof(buf), "%s tcp port %s unreachable", ipaddr_string(&oip->ip_dst), tcpport_string(dport)); break; case IPPROTO_UDP: - (void)sprintf(buf, + (void)snprintf(buf, sizeof(buf), "%s udp port %s unreachable", ipaddr_string(&oip->ip_dst), udpport_string(dport)); break; default: - (void)sprintf(buf, + (void)snprintf(buf, sizeof(buf), "%s protocol %d port %d unreachable", ipaddr_string(&oip->ip_dst), oip->ip_p, dport); @@ -241,11 +241,11 @@ icmp_print(register const u_char *bp, u_int plen, register const u_char *bp2) mp = (struct mtu_discovery *)&dp->icmp_void; mtu = EXTRACT_16BITS(&mp->nexthopmtu); if (mtu) - (void)sprintf(buf, + (void)snprintf(buf, sizeof(buf), "%s unreachable - need to frag (mtu %d)", ipaddr_string(&dp->icmp_ip.ip_dst), mtu); else - (void)sprintf(buf, + (void)snprintf(buf, sizeof(buf), "%s unreachable - need to frag", ipaddr_string(&dp->icmp_ip.ip_dst)); } @@ -254,7 +254,7 @@ icmp_print(register const u_char *bp, u_int plen, register const u_char *bp2) default: fmt = tok2str(unreach2str, "#%d %%s unreachable", dp->icmp_code); - (void)sprintf(buf, fmt, + (void)snprintf(buf, sizeof(buf), fmt, ipaddr_string(&dp->icmp_ip.ip_dst)); break; } @@ -264,7 +264,7 @@ icmp_print(register const u_char *bp, u_int plen, register const u_char *bp2) TCHECK(dp->icmp_ip.ip_dst); fmt = tok2str(type2str, "redirect-#%d %%s to net %%s", dp->icmp_code); - (void)sprintf(buf, fmt, + (void)snprintf(buf, sizeof(buf), fmt, ipaddr_string(&dp->icmp_ip.ip_dst), ipaddr_string(&dp->icmp_gwaddr)); break; @@ -284,30 +284,30 @@ icmp_print(register const u_char *bp, u_int plen, register const u_char *bp2) cp = buf + strlen(buf); lifetime = EXTRACT_16BITS(&ihp->ird_lifetime); if (lifetime < 60) - (void)sprintf(cp, "%u", lifetime); + (void)snprintf(cp, sizeof(buf) - strlen(buf), "%u", lifetime); else if (lifetime < 60 * 60) - (void)sprintf(cp, "%u:%02u", + (void)snprintf(cp, sizeof(buf) - strlen(buf), "%u:%02u", lifetime / 60, lifetime % 60); else - (void)sprintf(cp, "%u:%02u:%02u", + (void)snprintf(cp, sizeof(buf) - strlen(buf), "%u:%02u:%02u", lifetime / 3600, (lifetime % 3600) / 60, lifetime % 60); cp = buf + strlen(buf); num = ihp->ird_addrnum; - (void)sprintf(cp, " %d:", num); + (void)snprintf(cp, sizeof(buf) - strlen(buf), " %d:", num); cp = buf + strlen(buf); size = ihp->ird_addrsiz; if (size != 2) { - (void)sprintf(cp, " [size %d]", size); + (void)snprintf(cp, sizeof(buf) - strlen(buf), " [size %d]", size); break; } idp = (struct id_rdiscovery *)&dp->icmp_data; while (num-- > 0) { TCHECK(*idp); - (void)sprintf(cp, " {%s %u}", + (void)snprintf(cp, sizeof(buf) - strlen(buf), " {%s %u}", ipaddr_string(&idp->ird_addr), EXTRACT_32BITS(&idp->ird_pref)); cp = buf + strlen(buf); @@ -328,25 +328,25 @@ icmp_print(register const u_char *bp, u_int plen, register const u_char *bp2) break; default: - (void)sprintf(buf, "time exceeded-#%d", dp->icmp_code); + (void)snprintf(buf, sizeof(buf), "time exceeded-#%d", dp->icmp_code); break; } break; case ICMP_PARAMPROB: if (dp->icmp_code) - (void)sprintf(buf, "parameter problem - code %d", + (void)snprintf(buf, sizeof(buf), "parameter problem - code %d", dp->icmp_code); else { TCHECK(dp->icmp_pptr); - (void)sprintf(buf, "parameter problem - octet %d", + (void)snprintf(buf, sizeof(buf), "parameter problem - octet %d", dp->icmp_pptr); } break; case ICMP_MASKREPLY: TCHECK(dp->icmp_mask); - (void)sprintf(buf, "address mask is 0x%08x", + (void)snprintf(buf, sizeof(buf), "address mask is 0x%08x", (u_int32_t)ntohl(dp->icmp_mask)); break; diff --git a/contrib/tcpdump/print-sunrpc.c b/contrib/tcpdump/print-sunrpc.c index 54dcf66a2f49..ddac9138321e 100644 --- a/contrib/tcpdump/print-sunrpc.c +++ b/contrib/tcpdump/print-sunrpc.c @@ -132,7 +132,9 @@ progstr(prog) rp = getrpcbynumber(prog); if (rp == NULL) (void) sprintf(buf, "#%u", prog); - else - strcpy(buf, rp->r_name); + else { + strncpy(buf, rp->r_name, sizeof(buf)-1); + buf[sizeof(buf)-1] = '\0'; + } return (buf); }