Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 14 Apr 2017 00:14:40 +0000 (UTC)
From:      Conrad Meyer <cem@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r316799 - head/sbin/restore
Message-ID:  <201704140014.v3E0EeC2015639@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help 
Author: cem
Date: Fri Apr 14 00:14:40 2017
New Revision: 316799
URL: https://svnweb.freebsd.org/changeset/base/316799

Log:
  restore(8): Prevent some heap overflows
  
  The environment variable TMPDIR was copied unchecked into a fixed-size heap
  buffer.  Use a length-limiting snprintf in place of ordinary sprintf to
  prevent the overflow.  Long TMPDIR variables can still cause odd truncated
  filenames, which may be undesirable.
  
  Reported by:	Coverity (CWE-120)
  CIDs:		1006706, 1006707
  Sponsored by:	Dell EMC Isilon

Modified:
  head/sbin/restore/dirs.c

Modified: head/sbin/restore/dirs.c
==============================================================================
--- head/sbin/restore/dirs.c	Fri Apr 14 00:13:33 2017	(r316798)
+++ head/sbin/restore/dirs.c	Fri Apr 14 00:14:40 2017	(r316799)
@@ -140,7 +140,8 @@ extractdirs(int genmode)
 	vprintf(stdout, "Extract directories from tape\n");
 	if ((tmpdir = getenv("TMPDIR")) == NULL || tmpdir[0] == '\0')
 		tmpdir = _PATH_TMP;
-	(void) sprintf(dirfile, "%s/rstdir%jd", tmpdir, (intmax_t)dumpdate);
+	(void) snprintf(dirfile, sizeof(dirfile), "%s/rstdir%jd", tmpdir,
+	    (intmax_t)dumpdate);
 	if (command != 'r' && command != 'R') {
 		(void) strcat(dirfile, "-XXXXXX");
 		fd = mkstemp(dirfile);
@@ -153,8 +154,8 @@ extractdirs(int genmode)
 		done(1);
 	}
 	if (genmode != 0) {
-		(void) sprintf(modefile, "%s/rstmode%jd", tmpdir,
-		    (intmax_t)dumpdate);
+		(void) snprintf(modefile, sizeof(modefile), "%s/rstmode%jd",
+		    tmpdir, (intmax_t)dumpdate);
 		if (command != 'r' && command != 'R') {
 			(void) strcat(modefile, "-XXXXXX");
 			fd = mkstemp(modefile);
@@ -568,8 +569,8 @@ setdirmodes(int flags)
 	if ((tmpdir = getenv("TMPDIR")) == NULL || tmpdir[0] == '\0')
 		tmpdir = _PATH_TMP;
 	if (command == 'r' || command == 'R')
-		(void) sprintf(modefile, "%s/rstmode%jd", tmpdir,
-		    (intmax_t)dumpdate);
+		(void) snprintf(modefile, sizeof(modefile), "%s/rstmode%jd",
+		    tmpdir, (intmax_t)dumpdate);
 	if (modefile[0] == '#') {
 		panic("modefile not defined\n");
 		fprintf(stderr, "directory mode, owner, and times not set\n");

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201704140014.v3E0EeC2015639>