o Use snprintf rather than sprintf

o Add more checks for buffer overflows
o Use snprintf rather than strcat/cpy and have better checks for max
  length exceeded.

Most of these changes are not exploitable buffer overruns, but it never
hurts to be safe.

Inspired by and obtained from: OpenBSD

usr.bin/systat/disks.c

@@ -128,8 +128,10 @@ dkinit()
 	dk_select = (int *)calloc(dk_ndrive, sizeof (int));
 	for (cp = buf, i = 0; i < dk_ndrive; i++) {
 		dr_name[i] = cp;
-		sprintf(dr_name[i], "dk%d", i);
-		cp += strlen(dr_name[i]) + 1;
+		snprintf(cp, sizeof(buf) - (cp - buf), "dk%d", i);
+		cp += strlen(cp) + 1;
+		if (cp > buf + sizeof(buf))
+			errx(1, "buf too small in dkinit, aborting");
 		if (dk_mspw[i] != 0.0)
 			dk_select[i] = 1;
 	}

usr.bin/systat/iostat.c

@@ -354,7 +354,7 @@ histogram(val, colwidth, scale)
 
 	k = MIN(v, colwidth);
 	if (v > colwidth) {
-		sprintf(buf, "%4.1f", val);
+		snprintf(buf, sizeof(buf), "%4.1f", val);
 		k -= strlen(buf);
 		while (k--)
 			waddch(wnd, 'X');

usr.bin/systat/main.c

@@ -42,7 +42,7 @@ static char copyright[] =
 static char sccsid[] = "@(#)main.c	8.1 (Berkeley) 6/6/93";
 #endif
 static const char rcsid[] =
-	"$Id: main.c,v 1.6 1997/08/13 06:45:10 charnier Exp $";
+	"$Id: main.c,v 1.7 1997/08/26 10:59:26 charnier Exp $";
 #endif /* not lint */
 
 #include <sys/param.h>
@@ -258,7 +258,7 @@ error(fmt, va_alist)
 
 	if (wnd) {
 		getyx(stdscr, oy, ox);
-		(void) vsprintf(buf, fmt, ap);
+		(void) vsnprintf(buf, sizeof(buf), fmt, ap);
 		clrtoeol();
 		standout();
 		mvaddstr(CMDLINE, 0, buf);

usr.bin/systat/mbufs.c

@@ -34,7 +34,7 @@
 #ifndef lint
 static char sccsid[] = "@(#)mbufs.c	8.1 (Berkeley) 6/6/93";
 static const char rcsid[] =
-	"$Id: mbufs.c,v 1.5 1997/02/24 20:59:03 wollman Exp $";
+	"$Id: mbufs.c,v 1.6 1997/09/24 02:43:40 wollman Exp $";
 #endif /* not lint */
 
 #include <sys/param.h>
@@ -121,7 +121,7 @@ showmbufs()
 			mvwprintw(wnd, 1+j, 0, "%-10.10s", mtnames[index]);
 		wmove(wnd, 1 + j, 10);
 		if (max > 60) {
-			sprintf(buf, " %d", max);
+			snprintf(buf, sizeof(buf), " %d", max);
 			max = 60;
 			while (max--)
 				waddch(wnd, 'X');
@@ -136,7 +136,7 @@ showmbufs()
 	if (mb->m_mbufs) {
 		mvwprintw(wnd, 1+j, 0, "%-10.10s", "free");
 		if (mb->m_mbufs > 60) {
-			sprintf(buf, " %d", mb->m_mbufs);
+			snprintf(buf, sizeof(buf), " %d", mb->m_mbufs);
 			mb->m_mbufs = 60;
 			while (mb->m_mbufs--)
 				waddch(wnd, 'X');

usr.bin/systat/netstat.c

@@ -36,7 +36,7 @@
 static char sccsid[] = "@(#)netstat.c	8.1 (Berkeley) 6/6/93";
 */
 static const char rcsid[] =
-	"$Id$";
+	"$Id: netstat.c,v 1.8 1997/02/22 19:57:16 peter Exp $";
 #endif /* not lint */
 
 /*
@@ -372,14 +372,16 @@ inetprint(in, port, proto)
 	struct servent *sp = 0;
 	char line[80], *cp, *index();
 
-	sprintf(line, "%.*s.", 16, inetname(*in));
+	snprintf(line, sizeof(line), "%.*s.", 16, inetname(*in));
 	cp = index(line, '\0');
 	if (!nflag && port)
 		sp = getservbyport(port, proto);
 	if (sp || port == 0)
-		sprintf(cp, "%.8s", sp ? sp->s_name : "*");
+		snprintf(cp, sizeof(line) - (cp - line), "%.8s", 
+		    sp ? sp->s_name : "*");
 	else
-		sprintf(cp, "%d", ntohs((u_short)port));
+		snprintf(cp, sizeof(line) - (cp - line), "%d", 
+		    ntohs((u_short)port));
 	/* pad to full column to clear any garbage */
 	cp = index(line, '\0');
 	while (cp - line < 22)
@@ -420,11 +422,11 @@ inetname(in)
 	if (in.s_addr == INADDR_ANY)
 		strcpy(line, "*");
 	else if (cp)
-		strcpy(line, cp);
+		snprintf(line, sizeof(line), "%s", cp);
 	else {
 		in.s_addr = ntohl(in.s_addr);
 #define C(x)	((x) & 0xff)
-		sprintf(line, "%u.%u.%u.%u", C(in.s_addr >> 24),
+		snprintf(line, sizeof(line), "%u.%u.%u.%u", C(in.s_addr >> 24),
 			C(in.s_addr >> 16), C(in.s_addr >> 8), C(in.s_addr));
 	}
 	return (line);

usr.bin/systat/pigs.c

@@ -125,7 +125,7 @@ showpigs()
 		wmove(wnd, y, 0);
 		wclrtoeol(wnd);
 		mvwaddstr(wnd, y, 0, uname);
-		sprintf(pidname, "%10.10s", pname);
+		snprintf(pidname, sizeof(pidname), "%10.10s", pname);
 		mvwaddstr(wnd, y, 9, pidname);
 		wmove(wnd, y, 20);
 		for (j = pt[k].pt_pctcpu*factor + 0.5; j > 0; j--)

usr.bin/systat/swap.c

@@ -36,7 +36,7 @@
 static char sccsid[] = "@(#)swap.c	8.3 (Berkeley) 4/29/95";
 #endif
 static const char rcsid[] =
-	"$Id$";
+	"$Id: swap.c,v 1.5 1997/07/06 04:37:22 bde Exp $";
 #endif /* not lint */
 
 /*
@@ -122,17 +122,22 @@ initswap()
 {
 	int i;
 	char msgbuf[BUFSIZ];
+	char *cp;
 	static int once = 0;
 	u_long ptr;
 
 	if (once)
 		return (1);
 	if (kvm_nlist(kd, syms)) {
-		strcpy(msgbuf, "systat: swap: cannot find");
-		for (i = 0; syms[i].n_name != NULL; i++) {
+		snprintf(msgbuf, sizeof(msgbuf), "systat: swap: cannot find");
+		cp = msgbuf + strlen(msgbuf) + 1;
+		for (i = 0; 
+		    syms[i].n_name != NULL && cp - msgbuf < sizeof(msgbuf); 
+		    i++) {
 			if (syms[i].n_value == 0) {
-				strcat(msgbuf, " ");
-				strcat(msgbuf, syms[i].n_name);
+				snprintf(cp, sizeof(msgbuf) - (cp - msgbuf),
+				    " %s", syms[i].n_name);
+				cp += strlen(cp) + 1;
 			}
 		}
 		error(msgbuf);

usr.bin/systat/vmstat.c

@@ -36,7 +36,7 @@
 static char sccsid[] = "@(#)vmstat.c	8.2 (Berkeley) 1/12/94";
 #endif
 static const char rcsid[] =
-	"$Id: vmstat.c,v 1.23 1997/09/25 01:14:25 peter Exp $";
+	"$Id: vmstat.c,v 1.24 1998/05/27 21:01:37 jhay Exp $";
 #endif /* not lint */
 
 /*
@@ -585,7 +585,7 @@ putint(n, l, c, w)
 			addch(' ');
 		return;
 	}
-	sprintf(b, "%*d", w, n);
+	snprintf(b, sizeof(b), "%*d", w, n);
 	if (strlen(b) > w) {
 		while (w-- > 0)
 			addch('*');
@@ -607,7 +607,7 @@ putfloat(f, l, c, w, d, nz)
 			addch(' ');
 		return;
 	}
-	sprintf(b, "%*.*f", w, d, f);
+	snprintf(b, sizeof(b), "%*.*f", w, d, f);
 	if (strlen(b) > w) {
 		while (--w >= 0)
 			addch('*');