diff options
| author |   millert <millert@openbsd.org> | 1996-10-31 22:32:40 +0000 |
|---|---|---|
| committer | millert <millert@openbsd.org> | 1996-10-31 22:32:40 +0000 |
| commit | 7416c11c70afbf22f11cce56925bb2fe99c04bc7 (patch) | |
| tree | 1d5217177a15e96f97b437565033879af3b54ef3 | |
| parent | nobody gid == nobody uid (32767) (diff) | |
| download | wireguard-openbsd-7416c11c70afbf22f11cce56925bb2fe99c04bc7.tar.xz wireguard-openbsd-7416c11c70afbf22f11cce56925bb2fe99c04bc7.zip | |
buf oflows pendantry
| -rw-r--r-- | usr.sbin/lpr/lpc/cmds.c | 56 | ||||
| -rw-r--r-- | usr.sbin/lpr/lpc/lpc.c | 3 |
2 files changed, 35 insertions, 24 deletions
diff --git a/usr.sbin/lpr/lpc/cmds.c b/usr.sbin/lpr/lpc/cmds.c index 550db9f9303..512d5c50005 100644 --- a/usr.sbin/lpr/lpc/cmds.c +++ b/usr.sbin/lpr/lpc/cmds.c @@ -104,7 +104,8 @@ doabort(argc, argv) while (cgetnext(&bp, printcapdb) > 0) { cp1 = prbuf; cp2 = bp; - while ((c = *cp2++) && c != '|' && c != ':') + while ((c = *cp2++) && c != '|' && c != ':' && + (cp1 - prbuf) < sizeof(prbuf)) *cp1++ = c; *cp1 = '\0'; abortpr(1); @@ -137,7 +138,7 @@ abortpr(dis) SD = _PATH_DEFSPOOL; if (cgetstr(bp, "lo", &LO) == -1) LO = DEFLOCK; - (void) sprintf(line, "%s/%s", SD, LO); + (void) snprintf(line, sizeof(line), "%s/%s", SD, LO); printf("%s:\n", printer); /* @@ -196,11 +197,11 @@ upstat(msg) char *msg; { register int fd; - char statfile[BUFSIZ]; + char statfile[MAXPATHLEN]; if (cgetstr(bp, "st", &ST) == -1) ST = DEFSTAT; - (void) sprintf(statfile, "%s/%s", SD, ST); + (void) snprintf(statfile, sizeof(statfile), "%s/%s", SD, ST); umask(0); fd = open(statfile, O_WRONLY|O_CREAT, 0664); if (fd < 0 || flock(fd, LOCK_EX) < 0) { @@ -236,7 +237,8 @@ clean(argc, argv) while (cgetnext(&bp, printcapdb) > 0) { cp1 = prbuf; cp2 = bp; - while ((c = *cp2++) && c != '|' && c != ':') + while ((c = *cp2++) && c != '|' && c != ':' && + (cp1 - prbuf) < sizeof(prbuf)) *cp1++ = c; *cp1 = '\0'; cleanpr(); @@ -310,7 +312,7 @@ cleanpr() SD = _PATH_DEFSPOOL; printf("%s:\n", printer); - for (lp = line, cp = SD; (*lp++ = *cp++); ) + for (lp = line, cp = SD; (lp - line) < sizeof(line) && (*lp++ = *cp++);) ; lp[-1] = '/'; @@ -384,7 +386,8 @@ enable(argc, argv) while (cgetnext(&bp, printcapdb) > 0) { cp1 = prbuf; cp2 = bp; - while ((c = *cp2++) && c != '|' && c != ':') + while ((c = *cp2++) && c != '|' && c != ':' && + (cp1 - prbuf) < sizeof(prbuf)) *cp1++ = c; *cp1 = '\0'; enablepr(); @@ -415,7 +418,7 @@ enablepr() SD = _PATH_DEFSPOOL; if (cgetstr(bp, "lo", &LO) == -1) LO = DEFLOCK; - (void) sprintf(line, "%s/%s", SD, LO); + (void) snprintf(line, sizeof(line), "%s/%s", SD, LO); printf("%s:\n", printer); /* @@ -452,7 +455,8 @@ disable(argc, argv) while (cgetnext(&bp, printcapdb) > 0) { cp1 = prbuf; cp2 = bp; - while ((c = *cp2++) && c != '|' && c != ':') + while ((c = *cp2++) && c != '|' && c != ':' && + (cp1 - prbuf) < sizeof(prbuf)) *cp1++ = c; *cp1 = '\0'; disablepr(); @@ -484,7 +488,7 @@ disablepr() SD = _PATH_DEFSPOOL; if (cgetstr(bp, "lo", &LO) == -1) LO = DEFLOCK; - (void) sprintf(line, "%s/%s", SD, LO); + (void) snprintf(line, sizeof(line), "%s/%s", SD, LO); printf("%s:\n", printer); /* * Turn on the group execute bit of the lock file to disable queuing. @@ -529,7 +533,8 @@ down(argc, argv) while (cgetnext(&bp, printcapdb) > 0) { cp1 = prbuf; cp2 = bp; - while ((c = *cp2++) && c != '|' && c != ':') + while ((c = *cp2++) && c != '|' && c != ':' && + (cp1 - prbuf) < sizeof(prbuf)) *cp1++ = c; *cp1 = '\0'; putmsg(argc - 2, argv + 2); @@ -570,7 +575,7 @@ putmsg(argc, argv) * Turn on the group execute bit of the lock file to disable queuing and * turn on the owner execute bit of the lock file to disable printing. */ - (void) sprintf(line, "%s/%s", SD, LO); + (void) snprintf(line, sizeof(line), "%s/%s", SD, LO); seteuid(euid); if (stat(line, &stbuf) >= 0) { if (chmod(line, (stbuf.st_mode & 0777) | 0110) < 0) @@ -591,7 +596,7 @@ putmsg(argc, argv) /* * Write the message into the status file. */ - (void) sprintf(line, "%s/%s", SD, ST); + (void) snprintf(line, sizeof(line), "%s/%s", SD, ST); fd = open(line, O_WRONLY|O_CREAT, 0664); if (fd < 0 || flock(fd, LOCK_EX) < 0) { printf("\tcannot create status file\n"); @@ -608,7 +613,7 @@ putmsg(argc, argv) cp1 = buf; while (--argc >= 0) { cp2 = *argv++; - while ((*cp1++ = *cp2++)) + while ((cp1 - buf) < sizeof(buf) && (*cp1++ = *cp2++)) ; cp1[-1] = ' '; } @@ -650,7 +655,8 @@ restart(argc, argv) while (cgetnext(&bp, printcapdb) > 0) { cp1 = prbuf; cp2 = bp; - while ((c = *cp2++) && c != '|' && c != ':') + while ((c = *cp2++) && c != '|' && c != ':' && + (cp1 - prbuf) < sizeof(prbuf)) *cp1++ = c; *cp1 = '\0'; abortpr(0); @@ -695,7 +701,8 @@ startcmd(argc, argv) while (cgetnext(&bp, printcapdb) > 0) { cp1 = prbuf; cp2 = bp; - while ((c = *cp2++) && c != '|' && c != ':') + while ((c = *cp2++) && c != '|' && c != ':' && + (cp1 - prbuf) < sizeof(prbuf)) *cp1++ = c; *cp1 = '\0'; startpr(1); @@ -727,7 +734,7 @@ startpr(enable) SD = _PATH_DEFSPOOL; if (cgetstr(bp, "lo", &LO) == -1) LO = DEFLOCK; - (void) sprintf(line, "%s/%s", SD, LO); + (void) snprintf(line, sizeof(line), "%s/%s", SD, LO); printf("%s:\n", printer); /* @@ -764,7 +771,8 @@ status(argc, argv) while (cgetnext(&bp, printcapdb) > 0) { cp1 = prbuf; cp2 = bp; - while ((c = *cp2++) && c != '|' && c != ':') + while ((c = *cp2++) && c != '|' && c != ':' && + (cp1 - prbuf) < sizeof(prbuf)) *cp1++ = c; *cp1 = '\0'; prstat(); @@ -804,7 +812,7 @@ prstat() if (cgetstr(bp, "st", &ST) == -1) ST = DEFSTAT; printf("%s:\n", printer); - (void) sprintf(line, "%s/%s", SD, LO); + (void) snprintf(line, sizeof(line), "%s/%s", SD, LO); if (stat(line, &stbuf) >= 0) { printf("\tqueuing is %s\n", (stbuf.st_mode & 010) ? "disabled" : "enabled"); @@ -838,7 +846,7 @@ prstat() } (void) close(fd); putchar('\t'); - (void) sprintf(line, "%s/%s", SD, ST); + (void) snprintf(line, sizeof(line), "%s/%s", SD, ST); fd = open(line, O_RDONLY); if (fd >= 0) { (void) flock(fd, LOCK_SH); @@ -870,7 +878,8 @@ stop(argc, argv) while (cgetnext(&bp, printcapdb) > 0) { cp1 = prbuf; cp2 = bp; - while ((c = *cp2++) && c != '|' && c != ':') + while ((c = *cp2++) && c != '|' && c != ':' && + (cp1 - prbuf) < sizeof(prbuf)) *cp1++ = c; *cp1 = '\0'; stoppr(); @@ -902,7 +911,7 @@ stoppr() SD = _PATH_DEFSPOOL; if (cgetstr(bp, "lo", &LO) == -1) LO = DEFLOCK; - (void) sprintf(line, "%s/%s", SD, LO); + (void) snprintf(line, sizeof(line), "%s/%s", SD, LO); printf("%s:\n", printer); /* @@ -1118,7 +1127,8 @@ up(argc, argv) while (cgetnext(&bp, printcapdb) > 0) { cp1 = prbuf; cp2 = bp; - while ((c = *cp2++) && c != '|' && c != ':') + while ((c = *cp2++) && c != '|' && c != ':' && + (cp1 - prbuf) < sizeof(prbuf)) *cp1++ = c; *cp1 = '\0'; startpr(2); diff --git a/usr.sbin/lpr/lpc/lpc.c b/usr.sbin/lpr/lpc/lpc.c index 2a740b7d4f9..5f898cbf6d5 100644 --- a/usr.sbin/lpr/lpc/lpc.c +++ b/usr.sbin/lpr/lpc/lpc.c @@ -213,7 +213,8 @@ makeargv() register int n = 0; margc = 0; - for (cp = cmdline; *cp && n < MAX_MARGV; n++) { + for (cp = cmdline; *cp && (cp - cmdline) < sizeof(cmdline) && + n < MAX_MARGV; n++) { while (isspace(*cp)) cp++; if (*cp == '\0') |