Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 21 Mar 2019 21:45:19 +0000 (UTC)
From:      Alan Somers <asomers@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject:   svn commit: r345389 - in stable/11: libexec/tftpd usr.bin/tftp
Message-ID:  <201903212145.x2LLjJSn027056@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: asomers
Date: Thu Mar 21 21:45:18 2019
New Revision: 345389
URL: https://svnweb.freebsd.org/changeset/base/345389

Log:
  MFC r336609:
  
  Fix several Coverity warnings in tftp
  
  Some of the changes are in the libexec/tftpd directory, but to functions that
  are only used by tftp(1) (they share some code).
  
  * strcpy => strlcpy (1006793, 1006794, 1006796, 1006741)
  * Unchecked return value and TOCTTOU (1009314)
  * NULL pointer dereference (1018035, 1018036)
  
  Reported by:	Coverity
  CID:		1006793, 1006794, 1006796, 1006741, 1009314, 1018035
  CID:		1018036

Modified:
  stable/11/libexec/tftpd/tftp-io.c
  stable/11/libexec/tftpd/tftp-utils.c
  stable/11/usr.bin/tftp/main.c
  stable/11/usr.bin/tftp/tftp.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/libexec/tftpd/tftp-io.c
==============================================================================
--- stable/11/libexec/tftpd/tftp-io.c	Thu Mar 21 21:45:02 2019	(r345388)
+++ stable/11/libexec/tftpd/tftp-io.c	Thu Mar 21 21:45:18 2019	(r345389)
@@ -38,6 +38,7 @@ __FBSDID("$FreeBSD$");
 #include <errno.h>
 #include <setjmp.h>
 #include <signal.h>
+#include <stddef.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -191,16 +192,16 @@ send_wrq(int peer, char *filename, char *mode)
 
 	tp = (struct tftphdr *)buf;
 	tp->th_opcode = htons((u_short)WRQ);
-	size = 2;
+	size = offsetof(struct tftphdr, th_stuff);
 
 	bp = tp->th_stuff;
-	strcpy(bp, filename);
+	strlcpy(bp, filename, sizeof(buf) - size);
 	bp += strlen(filename);
 	*bp = 0;
 	bp++;
 	size += strlen(filename) + 1;
 
-	strcpy(bp, mode);
+	strlcpy(bp, mode, sizeof(buf) - size);
 	bp += strlen(mode);
 	*bp = 0;
 	bp++;
@@ -239,16 +240,16 @@ send_rrq(int peer, char *filename, char *mode)
 
 	tp = (struct tftphdr *)buf;
 	tp->th_opcode = htons((u_short)RRQ);
-	size = 2;
+	size = offsetof(struct tftphdr, th_stuff);
 
 	bp = tp->th_stuff;
-	strcpy(bp, filename);
+	strlcpy(bp, filename, sizeof(buf) - size);
 	bp += strlen(filename);
 	*bp = 0;
 	bp++;
 	size += strlen(filename) + 1;
 
-	strcpy(bp, mode);
+	strlcpy(bp, mode, sizeof(buf) - size);
 	bp += strlen(mode);
 	*bp = 0;
 	bp++;

Modified: stable/11/libexec/tftpd/tftp-utils.c
==============================================================================
--- stable/11/libexec/tftpd/tftp-utils.c	Thu Mar 21 21:45:02 2019	(r345388)
+++ stable/11/libexec/tftpd/tftp-utils.c	Thu Mar 21 21:45:18 2019	(r345389)
@@ -235,14 +235,15 @@ const char *
 debug_show(int d)
 {
 	static char s[100];
+	size_t space = sizeof(s);
 	int i = 0;
 
 	s[0] = '\0';
 	while (debugs[i].name != NULL) {
 		if (d&debugs[i].value) {
-			if (s[0] != '\0') 
-				strcat(s, " ");
-			strcat(s, debugs[i].name);
+			if (s[0] != '\0')
+				strlcat(s, " ", space);
+			strlcat(s, debugs[i].name, space);
 		}
 		i++;
 	}

Modified: stable/11/usr.bin/tftp/main.c
==============================================================================
--- stable/11/usr.bin/tftp/main.c	Thu Mar 21 21:45:02 2019	(r345388)
+++ stable/11/usr.bin/tftp/main.c	Thu Mar 21 21:45:18 2019	(r345389)
@@ -405,7 +405,7 @@ static void
 settftpmode(const char *newmode)
 {
 
-	strcpy(mode, newmode);
+	strlcpy(mode, newmode, sizeof(mode));
 	if (verbose)
 		printf("mode set to %s\n", mode);
 }
@@ -465,7 +465,10 @@ put(int argc, char *argv[])
 			return;
 		}
 
-		stat(cp, &sb);
+		if (fstat(fd, &sb) < 0) {
+			warn("%s", cp);
+			return;
+		}
 		asprintf(&options[OPT_TSIZE].o_request, "%ju", sb.st_size);
 
 		if (verbose)
@@ -487,7 +490,10 @@ put(int argc, char *argv[])
 			continue;
 		}
 
-		stat(cp, &sb);
+		if (fstat(fd, &sb) < 0) {
+			warn("%s", argv[n]);
+			continue;
+		}
 		asprintf(&options[OPT_TSIZE].o_request, "%ju", sb.st_size);
 
 		if (verbose)

Modified: stable/11/usr.bin/tftp/tftp.c
==============================================================================
--- stable/11/usr.bin/tftp/tftp.c	Thu Mar 21 21:45:02 2019	(r345388)
+++ stable/11/usr.bin/tftp/tftp.c	Thu Mar 21 21:45:18 2019	(r345389)
@@ -48,6 +48,7 @@ __FBSDID("$FreeBSD$");
 
 #include <arpa/tftp.h>
 
+#include <assert.h>
 #include <err.h>
 #include <netdb.h>
 #include <stdio.h>
@@ -83,6 +84,7 @@ xmitfile(int peer, char *port, int fd, char *name, cha
 	if (port == NULL) {
 		struct servent *se;
 		se = getservbyname("tftp", "udp");
+		assert(se != NULL);
 		((struct sockaddr_in *)&peer_sock)->sin_port = se->s_port;
 	} else
 		((struct sockaddr_in *)&peer_sock)->sin_port =
@@ -182,6 +184,7 @@ recvfile(int peer, char *port, int fd, char *name, cha
 	if (port == NULL) {
 		struct servent *se;
 		se = getservbyname("tftp", "udp");
+		assert(se != NULL);
 		((struct sockaddr_in *)&peer_sock)->sin_port = se->s_port;
 	} else
 		((struct sockaddr_in *)&peer_sock)->sin_port =



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201903212145.x2LLjJSn027056>