Buffer overflow from OpenBSD:

Rev 1.4 deraadt: (partial from full commit, other files not done yet) proactive bounds checking; help from millert Rev 1.5 millert: Possible buf oflow. Plus minor style nits to keep the style police happy (I hope) Obtained from: OpenBSD
1997-02-09 05:19:03 +00:00 · 1997-02-09 05:19:03 +00:00 · d583a7c3cb
parent c50189d7ba
commit d583a7c3cb
1 changed files with 8 additions and 5 deletions
--- a/usr.sbin/lpr/common_source/displayq.c
+++ b/usr.sbin/lpr/common_source/displayq.c
@ -199,13 +199,14 @@ displayq(format)
 	 */
 	if (nitems)
 		putchar('\n');
-	(void) sprintf(line, "%c%s", format + '\3', RP);
+	(void) snprintf(line, sizeof(line), "%c%s", format + '\3', RP);
 	cp = line;
-	for (i = 0; i < requests; i++) {
+	for (i = 0; i < requests && cp-line+10 < sizeof(line); i++) {
 		cp += strlen(cp);
 		(void) sprintf(cp, " %d", requ[i]);
 	}
-	for (i = 0; i < users; i++) {
+	for (i = 0; i < users && cp - line + 1 + strlen(user[i]) < 
+		sizeof(line); i++) {
 		cp += strlen(cp);
 		*cp++ = ' ';
 		(void) strcpy(cp, user[i]);
@ -295,8 +296,10 @@ inform(cf)
 		default: /* some format specifer and file name? */
 			if (line[0] < 'a' || line[0] > 'z')
 				continue;
-			if (j == 0 || strcmp(file, line+1) != 0)
-				(void) strcpy(file, line+1);
+			if (j == 0 || strcmp(file, line+1) != 0) {
+				(void) strncpy(file, line+1, sizeof(file) - 1);
+				file[sizeof(file) - 1] = '\0';
+			}
 			j++;
 			continue;
 		case 'N':