Date: Mon, 20 Mar 2000 02:12:42 -0500 (EST) From: Mike Heffner <mheffner@mailandnews.com> To: FreeBSD-audit <FreeBSD-audit@freebsd.org> Subject: three small patches - oflows Message-ID: <XFMail.20000320021242.mheffner@mailandnews.com>
Hi,
Here are three small patches that fix misc. overflows. Could someone take a
quick look at them, and possibly commit :)
- ed patch, fixes "ed [4096]" overflow
Index: bin/ed/main.c
===================================================================
RCS file: /home/ncvs/src/bin/ed/main.c,v
retrieving revision 1.14
diff -u -r1.14 main.c
--- main.c 1999/08/27 23:14:14 1.14
+++ main.c 2000/03/20 07:08:33
@@ -175,7 +175,9 @@
if (read_file(*argv, 0) < 0 && !isatty(0))
quit(2);
else if (**argv != '!')
- strcpy(old_filename, *argv);
+ if(strlcpy(old_filename, *argv,
+ sizeof(old_filename))>=sizeof(old_filename))
+ quit(2);
} else if (argc) {
fputs("?\n", stderr);
if (**argv == '\0')
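Review bot: The new truncation branch ends in a bare `quit(2);` with no diagnostic, and it is reached only after `read_file(*argv, 0)` has already been attempted with the full name, so an over-long file name makes ed exit silently. Emitting the same `fputs("?\n", stderr);` that the following branch uses, just before `quit(2);`, would let a user or a calling script tell this failure apart from others. The nested `if` also hangs off an unbraced `else if`; bracing it as `else if (**argv != '!') { ... }` keeps a later edit from attaching an `else` to the wrong condition. The enclosing function starts and ends outside the hunk.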
@@ -1346,7 +1348,7 @@
REALLOC(file, filesz, MAXPATHLEN + 1, NULL);
/* assert: no trailing escape */
- while ((file[i++] = (*s == '\\') ? *++s : *s))
+ while (i < filesz-1 && (file[i++] = (*s == '\\') ? *++s : *s))
s++;
return file;
}
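Review bot: When the added `i < filesz-1` bound is what stops the loop, the last byte stored is a non-NUL character and nothing terminates `file`, so the caller gets back a silently truncated and possibly unterminated name. Quiet truncation of a path is risky in an editor, because a later read or write could act on a different file than the one the user named. Treating that case as an error is safer, for example `if (i == filesz - 1 && file[i - 1] != '\0') return NULL;` after the loop; NULL appears to be the error value already passed to `REALLOC`, but confirm that against the callers. The function begins outside the hunk, so the initial value of `i` and the type of `filesz` are assumed here.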
- natd patch, fixes "natd -w [17000] blah" overflow
Index: sbin/natd/natd.c
===================================================================
RCS file: /home/ncvs/src/sbin/natd/natd.c,v
retrieving revision 1.25
diff -u -r1.25 natd.c
--- natd.c 2000/02/25 11:34:38 1.25
+++ natd.c 2000/03/04 03:42:07
@@ -421,9 +421,9 @@
static void ParseArgs (int argc, char** argv)
{
int arg;
- char* parm;
char* opt;
char parmBuf[256];
+ int len; /* bounds checking */
for (arg = 1; arg < argc; arg++) {
@@ -434,23 +434,25 @@
Usage ();
}
- parm = NULL;
parmBuf[0] = '\0';
+ len = 0;
while (arg < argc - 1) {
if (argv[arg + 1][0] == '-')
break;
- if (parm)
- strcat (parmBuf, " ");
+ if (len){
+ strncat (parmBuf, " ", sizeof(parmBuf)-len-1);
+ len += strlen(parmBuf+len);
+ }
++arg;
- parm = parmBuf;
- strcat (parmBuf, argv[arg]);
+ strncat (parmBuf, argv[arg], sizeof(parmBuf)-len-1);
+ len += strlen(parmBuf+len);
}
- ParseOption (opt + 1, parm, 1);
+ ParseOption (opt + 1, (len ? parmBuf : NULL), 1);
}
}
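Review bot: The `strncat` calls stop the overflow but truncate silently, so an option argument longer than `parmBuf` reaches `ParseOption` cut short and may be parsed as a different, still valid-looking value. Rejecting the input is safer than guessing, for example `if (strlen (argv[arg]) >= sizeof(parmBuf) - len) Usage ();` before the append, with a matching check for the separator. Replacing `if (parm)` with `if (len)` also changes behaviour for an empty first argument: `len` stays 0, so no separator is added before the next word and `ParseOption` receives NULL where it previously received `parmBuf`. In the earlier hunk at -421, declaring `len` as `size_t` instead of `int` would avoid mixed signed/unsigned arithmetic in `sizeof(parmBuf)-len-1`.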
- startslip patch, fixes "startslip -d [8192] -c [8192]" overflow
Index: sbin/startslip/startslip.c
===================================================================
RCS file: /home/ncvs/src/sbin/startslip/startslip.c,v
retrieving revision 1.31
diff -u -r1.31 startslip.c
--- startslip.c 1999/08/28 00:14:27 1.31
+++ startslip.c 2000/03/20 06:57:33
@@ -214,7 +214,9 @@
dvname = devicename;
else
dvname++;
- sprintf(pidfile, PIDFILE, _PATH_VARRUN, dvname);
+ if(snprintf(pidfile, sizeof(pidfile), PIDFILE, _PATH_VARRUN, dvname) >=
+ sizeof(pidfile) )
+ usage();
if ((pfd = fopen(pidfile, "r")) != NULL) {
if (fscanf(pfd, "%ld\n", &lpid) == 1) {
pid = lpid;
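Review bot: The new check compares the `int` returned by `snprintf` directly with `sizeof(pidfile)`, so an error return of -1 is caught only through the implicit conversion to an unsigned type. Making both cases explicit reads better and silences the sign-compare warning: `n = snprintf(pidfile, sizeof(pidfile), PIDFILE, _PATH_VARRUN, dvname);` followed by `if (n < 0 || (size_t)n >= sizeof(pidfile)) usage();`. Calling `usage()` also gives no hint that the device name was too long; a specific message would help. The subject line mentions both `-d` and `-c`, but this hunk only bounds the pid-file path built from the device name, so whether the `-c` argument has its own unbounded copy cannot be judged from here.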
Thanks,
/****************************************
* Mike Heffner <spock@techfour.net> *
* Fredericksburg, VA -- ICQ# 882073 *
* Sent at: 20-Mar-2000 -- 01:59:00 EST *
* http://my.ispchannel.com/~mheffner *
****************************************/
