Date: Sun, 8 Oct 2000 23:31:44 -0700 From: Kris Kennaway <kris@citusc.usc.edu> To: audit@freebsd.org Subject: make(1) string paranoia part 1 (fwd) Message-ID: <20001008233144.A39915@citusc17.usc.edu>
next in thread | raw e-mail | index | archive | help
----- Forwarded message from Will Andrews <will@physics.purdue.edu> -----
Delivered-To: kris@freebsd.org
Date: Mon, 9 Oct 2000 01:23:44 -0500
From: Will Andrews <will@physics.purdue.edu>
To: kris@FreeBSD.org
Subject: make(1) string paranoia part 1
Reply-To: Will Andrews <will@physics.purdue.edu>
User-Agent: Mutt/1.2.5i
X-Operating-System: FreeBSD 4.1-STABLE i386
Here. The NetBSD make(1) simply converts most of the sprintf() to
snprintf(). Sure, make(1) isn't really much of something that can be
exploited, but nothing wrong with a little string paranoia, IMO. It
also free()'s the strings properly.
--
Will Andrews <will@physics.purdue.edu> - Physics Computer Network wench
The Universal Answer to All Problems - "It has something to do with physics."
-- Comic on door of Room 240, Physics Building, Purdue University
Index: arch.c
===================================================================
RCS file: /project/cvs/FreeBSD/src/usr.bin/make/arch.c,v
retrieving revision 1.16
diff -u -r1.16 arch.c
--- arch.c 2000/07/09 02:54:53 1.16
+++ arch.c 2000/10/09 06:21:34
@@ -186,7 +186,7 @@
GNode *gn; /* New node */
char *libName; /* Library-part of specification */
char *memName; /* Member-part of specification */
- char nameBuf[MAKE_BSIZE]; /* temporary place for node name */
+ char *nameBuf; /* temporary place for node name */
char saveChar; /* Ending delimiter of member-name */
Boolean subLibName; /* TRUE if libName should have/had
* variable substitution performed on it */
@@ -299,6 +299,7 @@
char *buf;
char *sacrifice;
char *oldMemName = memName;
+ size_t sz;
memName = Var_Subst(NULL, memName, ctxt, TRUE);
@@ -307,10 +308,12 @@
* variables and multi-word variable values.... The results
* are just placed at the end of the nodeLst we're returning.
*/
- buf = sacrifice = emalloc(strlen(memName)+strlen(libName)+3);
- sprintf(buf, "%s(%s)", libName, memName);
+ sz = strlen(memName) + strlen(libName) + 3;
+ buf = sacrifice = emalloc(sz);
+ snprintf(buf, sz, "%s(%s)", libName, memName);
+
if (strchr(memName, '$') && strcmp(memName, oldMemName) == 0) {
/*
* Must contain dynamic sources, so we can't deal with it now.
@@ -341,15 +344,22 @@
} else if (Dir_HasWildcards(memName)) {
Lst members = Lst_Init(FALSE);
char *member;
+ size_t sz = MAXPATHLEN;
+ size_t nsz;
+ nameBuf = emalloc(sz);
Dir_Expand(memName, dirSearchPath, members);
while (!Lst_IsEmpty(members)) {
member = (char *)Lst_DeQueue(members);
+ nsz = strlen(libName) + strlen(member) + 3;
+ if (sz > nsz)
+ nameBuf = erealloc(nameBuf, sz = nsz * 2);
- sprintf(nameBuf, "%s(%s)", libName, member);
+ snprintf(nameBuf, sz, "%s(%s)", libName, member);
free(member);
gn = Targ_FindNode (nameBuf, TARG_CREATE);
if (gn == NILGNODE) {
+ free(nameBuf);
return (FAILURE);
} else {
/*
@@ -364,9 +374,13 @@
}
}
Lst_Destroy(members, NOFREE);
+ free(nameBuf);
} else {
- sprintf(nameBuf, "%s(%s)", libName, memName);
+ size_t sz = strlen(libName) + strlen(memName) + 3;
+ nameBuf = emalloc(sz);
+ snprintf(nameBuf, sz, "%s(%s)", libName, memName);
gn = Targ_FindNode (nameBuf, TARG_CREATE);
+ free(nameBuf);
if (gn == NILGNODE) {
return (FAILURE);
} else {
@@ -927,7 +941,7 @@
&arh, "r+");
efree(p1);
efree(p2);
- sprintf(arh.ar_date, "%-12ld", (long) now);
+ snprintf(arh.ar_date, sizeof(arh.ar_date), "%-12ld", (long) now);
if (arch != NULL) {
(void)fwrite ((char *)&arh, sizeof (struct ar_hdr), 1, arch);
@@ -960,7 +974,7 @@
struct utimbuf times; /* Times for utime() call */
arch = ArchFindMember (gn->path, RANLIBMAG, &arh, "r+");
- sprintf(arh.ar_date, "%-12ld", (long) now);
+ snprintf(arh.ar_date, sizeof(arh.ar_date), "%-12ld", (long) now);
if (arch != NULL) {
(void)fwrite ((char *)&arh, sizeof (struct ar_hdr), 1, arch);
@@ -1096,9 +1110,11 @@
Lst path; /* Search path */
{
char *libName; /* file name for archive */
+ size_t sz;
- libName = (char *)emalloc (strlen (gn->name) + 6 - 2);
- sprintf(libName, "lib%s.a", &gn->name[2]);
+ libName = (char *)emalloc(sz);
+ sz = strlen(gn->name) + 4;
+ snprintf(libName, sz, "lib%s.a", &gn->name[2]);
gn->path = Dir_FindFile (libName, path);
----- End forwarded message -----
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-audit" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001008233144.A39915>