Date:      Thu, 13 Apr 2017 22:59:17 +0000 (UTC)
From:      Conrad Meyer <cem@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r316795 - in head/usr.sbin/ctm: ctm_dequeue ctm_smail
Message-ID:  <201704132259.v3DMxHPs083416@repo.freebsd.org>

Author: cem
Date: Thu Apr 13 22:59:17 2017
New Revision: 316795
URL: https://svnweb.freebsd.org/changeset/base/316795

Log:
  ctm: Fix some trivial argv buffer overruns
  
  It may not do the right thing with these obviously wrong inputs, but at
  least it won't smash the stack.
  
  Reported by:	Coverity (CWE-120)
  CIDs:		1006697, 1006698
  Sponsored by:	Dell EMC Isilon

Modified:
  head/usr.sbin/ctm/ctm_dequeue/ctm_dequeue.c
  head/usr.sbin/ctm/ctm_smail/ctm_smail.c

Modified: head/usr.sbin/ctm/ctm_dequeue/ctm_dequeue.c
==============================================================================
--- head/usr.sbin/ctm/ctm_dequeue/ctm_dequeue.c	Thu Apr 13 22:07:34 2017	(r316794)
+++ head/usr.sbin/ctm/ctm_dequeue/ctm_dequeue.c	Thu Apr 13 22:59:17 2017	(r316795)
@@ -115,7 +115,8 @@ main(int argc, char **argv)
 	if (ftsent->fts_info != FTS_F || ftsent->fts_name[0] == '.')
 	    continue;
 
-	sprintf(filename, "%s/%s", queue_dir, ftsent->fts_name);
+	snprintf(filename, sizeof(filename), "%s/%s", queue_dir,
+	    ftsent->fts_name);
 	fd = open(filename, O_RDONLY);
 	if (fd < 0)
 	{
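Review bot: The result of the new `snprintf` is discarded, so an over-long `queue_dir`/`fts_name` pair is now silently truncated and the `open(filename, O_RDONLY)` that follows acts on a shortened path instead of the queued file. Since this sits in a loop that already uses `continue`, I would treat truncation as a failure for that entry: `n = snprintf(filename, sizeof(filename), "%s/%s", queue_dir, ftsent->fts_name);` followed by `if (n < 0 || (size_t)n >= sizeof(filename)) continue;`, ideally with a logged message. The same unchecked result applies to `mk_tmp_name` and `mk_queue_name` in ctm_smail.c, where a truncated name could make two pieces map to the same queue file. The body of `main` continues outside this hunk, so the declaration of `filename` and any later use of it are not visible here.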

Modified: head/usr.sbin/ctm/ctm_smail/ctm_smail.c
==============================================================================
--- head/usr.sbin/ctm/ctm_smail/ctm_smail.c	Thu Apr 13 22:07:34 2017	(r316794)
+++ head/usr.sbin/ctm/ctm_smail/ctm_smail.c	Thu Apr 13 22:59:17 2017	(r316795)
@@ -190,13 +190,13 @@ chop_and_send(FILE *dfp, char *delta, lo
  * Construct the tmp queue file name of a delta piece.
  */
 #define mk_tmp_name(fn,qd,p) \
-    sprintf((fn), "%s/.%08ld.%03d", (qd), (long)getpid(), (p))
+    snprintf((fn), sizeof(fn), "%s/.%08ld.%03d", (qd), (long)getpid(), (p))
 
 /*
  * Construct the final queue file name of a delta piece.
  */
 #define mk_queue_name(fn,qd,d,p,n) \
-    sprintf((fn), "%s/%s+%03d-%03d", (qd), (d), (p), (n))
+    snprintf((fn), sizeof(fn), "%s/%s+%03d-%03d", (qd), (d), (p), (n))
 
 /*
  * Carve our CTM delta into pieces, encode them, and queue them.
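Review bot: `sizeof(fn)` inside `mk_tmp_name` and `mk_queue_name` is the buffer size only if every caller passes a real `char` array. If any call site passes a `char *`, such as a function parameter, the bound becomes the pointer size and the name is cut to a few bytes without a diagnostic. The call sites are outside this hunk, so this needs checking against them. I would at least state the requirement above each macro, e.g. `/* fn must be a char array, not a pointer: sizeof(fn) is the bound. */`, or pass the size as an explicit macro argument.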


