From: Conrad Meyer Date: Thu, 13 Apr 2017 22:59:17 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r316795 - in head/usr.sbin/ctm: ctm_dequeue ctm_smail X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 13 Apr 2017 22:59:19 -0000 Author: cem Date: Thu Apr 13 22:59:17 2017 New Revision: 316795 URL: https://svnweb.freebsd.org/changeset/base/316795 Log: ctm: Fix some trivial argv buffer overruns It may not do the right thing with these obviously wrong inputs, but at least it won't smash the stack. Reported by: Coverity (CWE-120) CIDs: 1006697, 1006698 Sponsored by: Dell EMC Isilon Modified: head/usr.sbin/ctm/ctm_dequeue/ctm_dequeue.c head/usr.sbin/ctm/ctm_smail/ctm_smail.c Modified: head/usr.sbin/ctm/ctm_dequeue/ctm_dequeue.c ============================================================================== --- head/usr.sbin/ctm/ctm_dequeue/ctm_dequeue.c Thu Apr 13 22:07:34 2017 (r316794) +++ head/usr.sbin/ctm/ctm_dequeue/ctm_dequeue.c Thu Apr 13 22:59:17 2017 (r316795) @@ -115,7 +115,8 @@ main(int argc, char **argv) if (ftsent->fts_info != FTS_F || ftsent->fts_name[0] == '.') continue; - sprintf(filename, "%s/%s", queue_dir, ftsent->fts_name); + snprintf(filename, sizeof(filename), "%s/%s", queue_dir, + ftsent->fts_name); fd = open(filename, O_RDONLY); if (fd < 0) { Modified: head/usr.sbin/ctm/ctm_smail/ctm_smail.c ============================================================================== --- head/usr.sbin/ctm/ctm_smail/ctm_smail.c Thu Apr 13 22:07:34 2017 (r316794) +++ head/usr.sbin/ctm/ctm_smail/ctm_smail.c Thu Apr 13 22:59:17 2017 (r316795) 
@@ -190,13 +190,13 @@ chop_and_send(FILE *dfp, char *delta, lo * Construct the tmp queue file name of a delta piece. */ #define mk_tmp_name(fn,qd,p) \ - sprintf((fn), "%s/.%08ld.%03d", (qd), (long)getpid(), (p)) + snprintf((fn), sizeof(fn), "%s/.%08ld.%03d", (qd), (long)getpid(), (p)) /* * Construct the final queue file name of a delta piece. */ #define mk_queue_name(fn,qd,d,p,n) \ - sprintf((fn), "%s/%s+%03d-%03d", (qd), (d), (p), (n)) + snprintf((fn), sizeof(fn), "%s/%s+%03d-%03d", (qd), (d), (p), (n)) /* * Carve our CTM delta into pieces, encode them, and queue them.
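Review bot: in the ctm_dequeue.c hunk (@@ -115,7 +115,8 @@), the return value of the new snprintf() is discarded, so an over-long queue_dir plus ftsent->fts_name is silently truncated and the open(filename, O_RDONLY) that follows acts on a shortened path, which can fail or name a different file than the one fts returned. Suggest capturing the result, treating a negative value or one that is >= sizeof(filename) as an error, and skipping the entry with a warning before the open(). The bound also relies on filename being declared as an array in main(); that declaration is outside the visible context, and if it were a pointer, sizeof(filename) would be the pointer size rather than the buffer size.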
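Review bot: in the ctm_smail.c hunk (@@ -190,13 +190,13 @@), mk_tmp_name and mk_queue_name now take the bound as sizeof(fn) on a macro argument, which equals the buffer size only when every call site passes a real char array; the callers are not visible here, and a char * argument would compile without complaint and truncate the name to pointer size. Suggest giving both macros an explicit size parameter, or turning them into functions that take the buffer and its length, and stating in the comment above each macro that fn must be an array. The macros still expand to the snprintf() expression, so callers can compare its value against the buffer size to detect truncation; nothing in this hunk shows that check being done where the resulting names are used.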