diff options
| author | Alan Somers <asomers@FreeBSD.org> | 2018-07-22 17:10:12 +0000 |
|---|---|---|
| committer | Alan Somers <asomers@FreeBSD.org> | 2018-07-22 17:10:12 +0000 |
| commit | ca2d3691c3430908847f44f1b2198b5c5298fac5 (patch) | |
| tree | b802dfb2d5ef7efe7eec5c76b5d6f030d03536ca /libexec/tftpd | |
| parent | 9898e6dff2f065cab43ae322763b9bb7b550b3dd (diff) | |
| download | src-ca2d3691c3430908847f44f1b2198b5c5298fac5.tar.gz src-ca2d3691c3430908847f44f1b2198b5c5298fac5.zip | |
Fix several Coverity warnings in tftp
Some of the changes are in the libexec/tftpd directory, but to functions that
are only used by tftp(1) (they share some code).
* strcpy => strlcpy (1006793, 1006794, 1006796, 1006741)
* Unchecked return value and TOCTTOU (1009314)
* NULL pointer dereference (1018035, 1018036)
Reported by: Coverity
CID: 1006793, 1006794, 1006796, 1006741, 1009314, 1018035
CID: 1018036
MFC after: 2 weeks
Notes
Notes:
svn path=/head/; revision=336609
Diffstat (limited to 'libexec/tftpd')
| -rw-r--r-- | libexec/tftpd/tftp-io.c | 13 | ||||
| -rw-r--r-- | libexec/tftpd/tftp-utils.c | 7 |
2 files changed, 11 insertions, 9 deletions
diff --git a/libexec/tftpd/tftp-io.c b/libexec/tftpd/tftp-io.c index 192097b5bf54..962fe5579e0f 100644 --- a/libexec/tftpd/tftp-io.c +++ b/libexec/tftpd/tftp-io.c @@ -40,6 +40,7 @@ __FBSDID("$FreeBSD$"); #include <errno.h> #include <setjmp.h> #include <signal.h> +#include <stddef.h> #include <stdio.h> #include <stdlib.h> #include <string.h> @@ -193,16 +194,16 @@ send_wrq(int peer, char *filename, char *mode) tp = (struct tftphdr *)buf; tp->th_opcode = htons((u_short)WRQ); - size = 2; + size = offsetof(struct tftphdr, th_stuff); bp = tp->th_stuff; - strcpy(bp, filename); + strlcpy(bp, filename, sizeof(buf) - size); bp += strlen(filename); *bp = 0; bp++; size += strlen(filename) + 1; - strcpy(bp, mode); + strlcpy(bp, mode, sizeof(buf) - size); bp += strlen(mode); *bp = 0; bp++; @@ -241,16 +242,16 @@ send_rrq(int peer, char *filename, char *mode) tp = (struct tftphdr *)buf; tp->th_opcode = htons((u_short)RRQ); - size = 2; + size = offsetof(struct tftphdr, th_stuff); bp = tp->th_stuff; - strcpy(bp, filename); + strlcpy(bp, filename, sizeof(buf) - size); bp += strlen(filename); *bp = 0; bp++; size += strlen(filename) + 1; - strcpy(bp, mode); + strlcpy(bp, mode, sizeof(buf) - size); bp += strlen(mode); *bp = 0; bp++; diff --git a/libexec/tftpd/tftp-utils.c b/libexec/tftpd/tftp-utils.c index f9f8f4dc922a..2111e35bb722 100644 --- a/libexec/tftpd/tftp-utils.c +++ b/libexec/tftpd/tftp-utils.c @@ -237,14 +237,15 @@ const char * debug_show(int d) { static char s[100]; + size_t space = sizeof(s); int i = 0; s[0] = '\0'; while (debugs[i].name != NULL) { if (d&debugs[i].value) { - if (s[0] != '\0') - strcat(s, " "); - strcat(s, debugs[i].name); + if (s[0] != '\0') + strlcat(s, " ", space); + strlcat(s, debugs[i].name, space); } i++; } |