From a51cfac66561e49404427c1f83558e065a044bd9 Mon Sep 17 00:00:00 2001 From: imp Date: Tue, 9 Jun 1998 04:17:29 +0000 Subject: [PATCH] o Use snprintf rather than sprintf o Add more checks for buffer overflows o Use snprintf rather than strcat/cpy and have better checks for max length exceeded. Most of these changes are not exploitable buffer overruns, but it never hurts to be safe. Inspired by and obtained from: OpenBSD --- usr.bin/systat/disks.c | 6 ++++-- usr.bin/systat/iostat.c | 2 +- usr.bin/systat/main.c | 4 ++-- usr.bin/systat/mbufs.c | 6 +++--- usr.bin/systat/netstat.c | 14 ++++++++------ usr.bin/systat/pigs.c | 2 +- usr.bin/systat/swap.c | 15 ++++++++++----- usr.bin/systat/vmstat.c | 6 +++--- 8 files changed, 32 insertions(+), 23 deletions(-) diff --git a/usr.bin/systat/disks.c b/usr.bin/systat/disks.c index f1ec4abfb0cc..1e97fdbefda4 100644 --- a/usr.bin/systat/disks.c +++ b/usr.bin/systat/disks.c @@ -128,8 +128,10 @@ dkinit() dk_select = (int *)calloc(dk_ndrive, sizeof (int)); for (cp = buf, i = 0; i < dk_ndrive; i++) { dr_name[i] = cp; - sprintf(dr_name[i], "dk%d", i); - cp += strlen(dr_name[i]) + 1; + snprintf(cp, sizeof(buf) - (cp - buf), "dk%d", i); + cp += strlen(cp) + 1; + if (cp > buf + sizeof(buf)) + errx(1, "buf too small in dkinit, aborting"); if (dk_mspw[i] != 0.0) dk_select[i] = 1; } diff --git a/usr.bin/systat/iostat.c b/usr.bin/systat/iostat.c index 33e99690978d..cc8bacf439e4 100644 --- a/usr.bin/systat/iostat.c +++ b/usr.bin/systat/iostat.c @@ -354,7 +354,7 @@ histogram(val, colwidth, scale) k = MIN(v, colwidth); if (v > colwidth) { - sprintf(buf, "%4.1f", val); + snprintf(buf, sizeof(buf), "%4.1f", val); k -= strlen(buf); while (k--) waddch(wnd, 'X'); diff --git a/usr.bin/systat/main.c b/usr.bin/systat/main.c index 7b5580547454..3a97aa379136 100644 --- a/usr.bin/systat/main.c +++ b/usr.bin/systat/main.c @@ -42,7 +42,7 @@ static char copyright[] = static char sccsid[] = "@(#)main.c 8.1 (Berkeley) 6/6/93"; #endif static const char rcsid[] = - "$Id: main.c,v 1.6 1997/08/13 06:45:10 charnier Exp $"; + "$Id: main.c,v 1.7 1997/08/26 10:59:26 charnier Exp $"; #endif /* not lint */ #include @@ -258,7 +258,7 @@ error(fmt, va_alist) if (wnd) { getyx(stdscr, oy, ox); - (void) vsprintf(buf, fmt, ap); + (void) vsnprintf(buf, sizeof(buf), fmt, ap); clrtoeol(); standout(); mvaddstr(CMDLINE, 0, buf); diff --git a/usr.bin/systat/mbufs.c b/usr.bin/systat/mbufs.c index 08e4347d43df..dc27c5fee27e 100644 --- a/usr.bin/systat/mbufs.c +++ b/usr.bin/systat/mbufs.c @@ -34,7 +34,7 @@ #ifndef lint static char sccsid[] = "@(#)mbufs.c 8.1 (Berkeley) 6/6/93"; static const char rcsid[] = - "$Id: mbufs.c,v 1.5 1997/02/24 20:59:03 wollman Exp $"; + "$Id: mbufs.c,v 1.6 1997/09/24 02:43:40 wollman Exp $"; #endif /* not lint */ #include @@ -121,7 +121,7 @@ showmbufs() mvwprintw(wnd, 1+j, 0, "%-10.10s", mtnames[index]); wmove(wnd, 1 + j, 10); if (max > 60) { - sprintf(buf, " %d", max); + snprintf(buf, sizeof(buf), " %d", max); max = 60; while (max--) waddch(wnd, 'X'); @@ -136,7 +136,7 @@ showmbufs() if (mb->m_mbufs) { mvwprintw(wnd, 1+j, 0, "%-10.10s", "free"); if (mb->m_mbufs > 60) { - sprintf(buf, " %d", mb->m_mbufs); + snprintf(buf, sizeof(buf), " %d", mb->m_mbufs); mb->m_mbufs = 60; while (mb->m_mbufs--) waddch(wnd, 'X'); diff --git a/usr.bin/systat/netstat.c b/usr.bin/systat/netstat.c index b8be4936914e..1e587e9a0dc9 100644 --- a/usr.bin/systat/netstat.c +++ b/usr.bin/systat/netstat.c @@ -36,7 +36,7 @@ static char sccsid[] = "@(#)netstat.c 8.1 (Berkeley) 6/6/93"; */ static const char rcsid[] = - "$Id$"; + "$Id: netstat.c,v 1.8 1997/02/22 19:57:16 peter Exp $"; #endif /* not lint */ /* @@ -372,14 +372,16 @@ inetprint(in, port, proto) struct servent *sp = 0; char line[80], *cp, *index(); - sprintf(line, "%.*s.", 16, inetname(*in)); + snprintf(line, sizeof(line), "%.*s.", 16, inetname(*in)); cp = index(line, '\0'); if (!nflag && port) sp = getservbyport(port, proto); if (sp || port == 0) - sprintf(cp, "%.8s", sp ? sp->s_name : "*"); + snprintf(cp, sizeof(line) - (cp - line), "%.8s", + sp ? sp->s_name : "*"); else - sprintf(cp, "%d", ntohs((u_short)port)); + snprintf(cp, sizeof(line) - (cp - line), "%d", + ntohs((u_short)port)); /* pad to full column to clear any garbage */ cp = index(line, '\0'); while (cp - line < 22) @@ -420,11 +422,11 @@ inetname(in) if (in.s_addr == INADDR_ANY) strcpy(line, "*"); else if (cp) - strcpy(line, cp); + snprintf(line, sizeof(line), "%s", cp); else { in.s_addr = ntohl(in.s_addr); #define C(x) ((x) & 0xff) - sprintf(line, "%u.%u.%u.%u", C(in.s_addr >> 24), + snprintf(line, sizeof(line), "%u.%u.%u.%u", C(in.s_addr >> 24), C(in.s_addr >> 16), C(in.s_addr >> 8), C(in.s_addr)); } return (line); diff --git a/usr.bin/systat/pigs.c b/usr.bin/systat/pigs.c index f637a6381cdb..e14d3ebece72 100644 --- a/usr.bin/systat/pigs.c +++ b/usr.bin/systat/pigs.c @@ -125,7 +125,7 @@ showpigs() wmove(wnd, y, 0); wclrtoeol(wnd); mvwaddstr(wnd, y, 0, uname); - sprintf(pidname, "%10.10s", pname); + snprintf(pidname, sizeof(pidname), "%10.10s", pname); mvwaddstr(wnd, y, 9, pidname); wmove(wnd, y, 20); for (j = pt[k].pt_pctcpu*factor + 0.5; j > 0; j--) diff --git a/usr.bin/systat/swap.c b/usr.bin/systat/swap.c index 3c27e1c992f8..33b56edddcc4 100644 --- a/usr.bin/systat/swap.c +++ b/usr.bin/systat/swap.c @@ -36,7 +36,7 @@ static char sccsid[] = "@(#)swap.c 8.3 (Berkeley) 4/29/95"; #endif static const char rcsid[] = - "$Id$"; + "$Id: swap.c,v 1.5 1997/07/06 04:37:22 bde Exp $"; #endif /* not lint */ /* @@ -122,17 +122,22 @@ initswap() { int i; char msgbuf[BUFSIZ]; + char *cp; static int once = 0; u_long ptr; if (once) return (1); if (kvm_nlist(kd, syms)) { - strcpy(msgbuf, "systat: swap: cannot find"); - for (i = 0; syms[i].n_name != NULL; i++) { + snprintf(msgbuf, sizeof(msgbuf), "systat: swap: cannot find"); + cp = msgbuf + strlen(msgbuf) + 1; + for (i = 0; + syms[i].n_name != NULL && cp - msgbuf < sizeof(msgbuf); + i++) { if (syms[i].n_value == 0) { - strcat(msgbuf, " "); - strcat(msgbuf, syms[i].n_name); + snprintf(cp, sizeof(msgbuf) - (cp - msgbuf), + " %s", syms[i].n_name); + cp += strlen(cp) + 1; } } error(msgbuf); diff --git a/usr.bin/systat/vmstat.c b/usr.bin/systat/vmstat.c index ad35b557c2dd..c699a84976f1 100644 --- a/usr.bin/systat/vmstat.c +++ b/usr.bin/systat/vmstat.c @@ -36,7 +36,7 @@ static char sccsid[] = "@(#)vmstat.c 8.2 (Berkeley) 1/12/94"; #endif static const char rcsid[] = - "$Id: vmstat.c,v 1.23 1997/09/25 01:14:25 peter Exp $"; + "$Id: vmstat.c,v 1.24 1998/05/27 21:01:37 jhay Exp $"; #endif /* not lint */ /* @@ -585,7 +585,7 @@ putint(n, l, c, w) addch(' '); return; } - sprintf(b, "%*d", w, n); + snprintf(b, sizeof(b), "%*d", w, n); if (strlen(b) > w) { while (w-- > 0) addch('*'); @@ -607,7 +607,7 @@ putfloat(f, l, c, w, d, nz) addch(' '); return; } - sprintf(b, "%*.*f", w, d, f); + snprintf(b, sizeof(b), "%*.*f", w, d, f); if (strlen(b) > w) { while (--w >= 0) addch('*');