From owner-svn-src-all@freebsd.org Thu Mar 21 21:45:22 2019 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2C3FC15507C2; Thu, 21 Mar 2019 21:45:22 +0000 (UTC) (envelope-from asomers@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 01B15821D7; Thu, 21 Mar 2019 21:45:20 +0000 (UTC) (envelope-from asomers@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id CC1A6EF63; Thu, 21 Mar 2019 21:45:19 +0000 (UTC) (envelope-from asomers@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x2LLjJMh027059; Thu, 21 Mar 2019 21:45:19 GMT (envelope-from asomers@FreeBSD.org) Received: (from asomers@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x2LLjJSn027056; Thu, 21 Mar 2019 21:45:19 GMT (envelope-from asomers@FreeBSD.org) Message-Id: <201903212145.x2LLjJSn027056@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: asomers set sender to asomers@FreeBSD.org using -f From: Alan Somers Date: Thu, 21 Mar 2019 21:45:19 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r345389 - in stable/11: libexec/tftpd usr.bin/tftp X-SVN-Group: stable-11 X-SVN-Commit-Author: asomers X-SVN-Commit-Paths: in stable/11: libexec/tftpd usr.bin/tftp X-SVN-Commit-Revision: 345389 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 01B15821D7 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.96 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-1.00)[-0.998,0]; NEURAL_HAM_SHORT(-0.96)[-0.959,0]; NEURAL_HAM_LONG(-1.00)[-1.000,0] X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 21 Mar 2019 21:45:22 -0000 Author: asomers Date: Thu Mar 21 21:45:18 2019 New Revision: 345389 URL: https://svnweb.freebsd.org/changeset/base/345389 Log: MFC r336609: Fix several Coverity warnings in tftp Some of the changes are in the libexec/tftpd directory, but to functions that are only used by tftp(1) (they share some code). * strcpy => strlcpy (1006793, 1006794, 1006796, 1006741) * Unchecked return value and TOCTTOU (1009314) * NULL pointer dereference (1018035, 1018036) Reported by: Coverity CID: 1006793, 1006794, 1006796, 1006741, 1009314, 1018035 CID: 1018036 Modified: stable/11/libexec/tftpd/tftp-io.c stable/11/libexec/tftpd/tftp-utils.c stable/11/usr.bin/tftp/main.c stable/11/usr.bin/tftp/tftp.c Directory Properties: stable/11/ (props changed) Modified: stable/11/libexec/tftpd/tftp-io.c ============================================================================== --- stable/11/libexec/tftpd/tftp-io.c Thu Mar 21 21:45:02 2019 (r345388) +++ stable/11/libexec/tftpd/tftp-io.c Thu Mar 21 21:45:18 2019 (r345389) @@ -38,6 +38,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include #include #include @@ -191,16 +192,16 @@ send_wrq(int peer, char *filename, char *mode) tp = (struct tftphdr *)buf; tp->th_opcode = htons((u_short)WRQ); - size = 2; + size = offsetof(struct tftphdr, th_stuff); bp = tp->th_stuff; - strcpy(bp, filename); + strlcpy(bp, filename, sizeof(buf) - size); bp += strlen(filename); *bp = 0; bp++; size += strlen(filename) + 1; - strcpy(bp, mode); + strlcpy(bp, mode, sizeof(buf) - size); bp += strlen(mode); *bp = 0; bp++; @@ -239,16 +240,16 @@ send_rrq(int peer, char *filename, char *mode) tp = (struct tftphdr *)buf; tp->th_opcode = htons((u_short)RRQ); - size = 2; + size = offsetof(struct tftphdr, th_stuff); bp = tp->th_stuff; - strcpy(bp, filename); + strlcpy(bp, filename, sizeof(buf) - size); bp += strlen(filename); *bp = 0; bp++; size += strlen(filename) + 1; - strcpy(bp, mode); + strlcpy(bp, mode, sizeof(buf) - size); bp += strlen(mode); *bp = 0; bp++; Modified: stable/11/libexec/tftpd/tftp-utils.c ============================================================================== --- stable/11/libexec/tftpd/tftp-utils.c Thu Mar 21 21:45:02 2019 (r345388) +++ stable/11/libexec/tftpd/tftp-utils.c Thu Mar 21 21:45:18 2019 (r345389) @@ -235,14 +235,15 @@ const char * debug_show(int d) { static char s[100]; + size_t space = sizeof(s); int i = 0; s[0] = '\0'; while (debugs[i].name != NULL) { if (d&debugs[i].value) { - if (s[0] != '\0') - strcat(s, " "); - strcat(s, debugs[i].name); + if (s[0] != '\0') + strlcat(s, " ", space); + strlcat(s, debugs[i].name, space); } i++; } Modified: stable/11/usr.bin/tftp/main.c ============================================================================== --- stable/11/usr.bin/tftp/main.c Thu Mar 21 21:45:02 2019 (r345388) +++ stable/11/usr.bin/tftp/main.c Thu Mar 21 21:45:18 2019 (r345389) @@ -405,7 +405,7 @@ static void settftpmode(const char *newmode) { - strcpy(mode, newmode); + strlcpy(mode, newmode, sizeof(mode)); if (verbose) printf("mode set to %s\n", mode); } @@ -465,7 +465,10 @@ put(int argc, char *argv[]) return; } - stat(cp, &sb); + if (fstat(fd, &sb) < 0) { + warn("%s", cp); + return; + } asprintf(&options[OPT_TSIZE].o_request, "%ju", sb.st_size); if (verbose) @@ -487,7 +490,10 @@ put(int argc, char *argv[]) continue; } - stat(cp, &sb); + if (fstat(fd, &sb) < 0) { + warn("%s", argv[n]); + continue; + } asprintf(&options[OPT_TSIZE].o_request, "%ju", sb.st_size); if (verbose) Modified: stable/11/usr.bin/tftp/tftp.c ============================================================================== --- stable/11/usr.bin/tftp/tftp.c Thu Mar 21 21:45:02 2019 (r345388) +++ stable/11/usr.bin/tftp/tftp.c Thu Mar 21 21:45:18 2019 (r345389) @@ -48,6 +48,7 @@ __FBSDID("$FreeBSD$"); #include +#include #include #include #include @@ -83,6 +84,7 @@ xmitfile(int peer, char *port, int fd, char *name, cha if (port == NULL) { struct servent *se; se = getservbyname("tftp", "udp"); + assert(se != NULL); ((struct sockaddr_in *)&peer_sock)->sin_port = se->s_port; } else ((struct sockaddr_in *)&peer_sock)->sin_port = @@ -182,6 +184,7 @@ recvfile(int peer, char *port, int fd, char *name, cha if (port == NULL) { struct servent *se; se = getservbyname("tftp", "udp"); + assert(se != NULL); ((struct sockaddr_in *)&peer_sock)->sin_port = se->s_port; } else ((struct sockaddr_in *)&peer_sock)->sin_port =