Examine all occurrences of sprintf(), strcat(), and str[n]cpy()

for possible buffer overflow problems. Replaced most sprintf()'s
with snprintf(); for others cases, added terminating NUL bytes where
appropriate, replaced constants like "16" with sizeof(), etc.

These changes include several bug fixes, but most changes are for
maintainability's sake. Any instance where it wasn't "immediately
obvious" that a buffer overflow could not occur was made safer.

Reviewed by:	Bruce Evans <bde@zeta.org.au>
Reviewed by:	Matthew Dillon <dillon@apollo.backplane.com>
Reviewed by:	Mike Spengler <mks@networkcs.com>

3 files changed, 12 insertions, 8 deletions

diff --git a/sys/fs/coda/coda_vfsops.c b/sys/fs/coda/coda_vfsops.c
index e282911706f1..79ca4652944a 100644
--- a/sys/fs/coda/coda_vfsops.c
+++ b/sys/fs/coda/coda_vfsops.c
@@ -27,7 +27,7 @@
  * Mellon the rights to redistribute these changes without encumbrance.
  * 
  *  	@(#) src/sys/cfs/coda_vfsops.c,v 1.1.1.1 1998/08/29 21:14:52 rvb Exp $
- *  $Id: coda_vfsops.c,v 1.8 1998/11/03 08:55:06 peter Exp $
+ *  $Id: coda_vfsops.c,v 1.9 1998/11/16 19:48:26 rvb Exp $
  * 
  */
 
@@ -47,6 +47,9 @@
 /*
  * HISTORY
  * $Log: coda_vfsops.c,v $
+ * Revision 1.9  1998/11/16 19:48:26  rvb
+ * A few bug fixes for Robert Watson
+ *
  * Revision 1.8  1998/11/03 08:55:06  peter
  * Support KLD.  We register and unregister two modules. "coda" (the vfs)
  * via VFS_SET(), and "codadev" for the cdevsw entry.  From kldstat -v:
@@ -592,8 +595,8 @@ coda_nb_statfs(vfsp, sbp, p)
     sbp->f_files = NB_SFS_SIZ;
     sbp->f_ffree = NB_SFS_SIZ;
     bcopy((caddr_t)&(vfsp->mnt_stat.f_fsid), (caddr_t)&(sbp->f_fsid), sizeof (fsid_t));
-    strcpy(sbp->f_mntonname, "/coda");
-    strcpy(sbp->f_mntfromname, "CODA");
+    snprintf(sbp->f_mntonname, sizeof(sbp->f_mntonname), "/coda");
+    snprintf(sbp->f_mntfromname, sizeof(sbp->f_mntfromname), "CODA");
 /*  MARK_INT_SAT(CODA_STATFS_STATS); */
     return(0);
 }
diff --git a/sys/fs/procfs/procfs_map.c b/sys/fs/procfs/procfs_map.c
index 1a865e669042..4dae10a6fdc0 100644
--- a/sys/fs/procfs/procfs_map.c
+++ b/sys/fs/procfs/procfs_map.c
@@ -36,7 +36,7 @@
  *
  *	@(#)procfs_status.c	8.3 (Berkeley) 2/17/94
  *
- *	$Id: procfs_map.c,v 1.16 1998/02/06 12:13:41 eivind Exp $
+ *	$Id: procfs_map.c,v 1.17 1998/04/29 04:28:22 dyson Exp $
  */
 
 #include <sys/param.h>
@@ -153,7 +153,8 @@ case OBJT_DEVICE:
 		 * format:
 		 *  start, end, resident, private resident, cow, access, type.
 		 */
-		sprintf(mebuffer, "0x%x 0x%x %d %d %d %s%s%s %d %d 0x%x %s %s %s\n",
+		snprintf(mebuffer, sizeof(mebuffer),
+		    "0x%x 0x%x %d %d %d %s%s%s %d %d 0x%x %s %s %s\n",
 			entry->start, entry->end,
 			resident, privateresident, id,
 			(entry->protection & VM_PROT_READ)?"r":"-",
diff --git a/sys/fs/procfs/procfs_vnops.c b/sys/fs/procfs/procfs_vnops.c
index 8a6230eabf01..6879b0874a5a 100644
--- a/sys/fs/procfs/procfs_vnops.c
+++ b/sys/fs/procfs/procfs_vnops.c
@@ -36,7 +36,7 @@
  *
  *	@(#)procfs_vnops.c	8.18 (Berkeley) 5/21/95
  *
- *	$Id: procfs_vnops.c,v 1.60 1998/06/25 16:54:41 dt Exp $
+ *	$Id: procfs_vnops.c,v 1.61 1998/07/11 07:45:46 bde Exp $
  */
 
 /*
@@ -528,7 +528,7 @@ procfs_getattr(ap)
 		vap->va_uid = 0;
 		vap->va_gid = 0;
 		vap->va_size = vap->va_bytes =
-		    sprintf(buf, "%ld", (long)curproc->p_pid);
+		    snprintf(buf, sizeof(buf), "%ld", (long)curproc->p_pid);
 		break;
 	}
 
@@ -944,7 +944,7 @@ procfs_readlink(ap)
 	if (VTOPFS(ap->a_vp)->pfs_fileno != PROCFS_FILENO(0, Pcurproc))
 		return (EINVAL);
 
-	len = sprintf(buf, "%ld", (long)curproc->p_pid);
+	len = snprintf(buf, sizeof(buf), "%ld", (long)curproc->p_pid);
 
 	return (uiomove((caddr_t)buf, len, ap->a_uio));
 }