Date: Sun, 22 Jul 2018 17:10:13 +0000 (UTC) From: Alan Somers <asomers@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r336609 - in head: libexec/tftpd usr.bin/tftp Message-ID: <201807221710.w6MHADvi060173@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: asomers Date: Sun Jul 22 17:10:12 2018 New Revision: 336609 URL: https://svnweb.freebsd.org/changeset/base/336609 Log: Fix several Coverity warnings in tftp Some of the changes are in the libexec/tftpd directory, but to functions that are only used by tftp(1) (they share some code). * strcpy => strlcpy (1006793, 1006794, 1006796, 1006741) * Unchecked return value and TOCTTOU (1009314) * NULL pointer dereference (1018035, 1018036) Reported by: Coverity CID: 1006793, 1006794, 1006796, 1006741, 1009314, 1018035 CID: 1018036 MFC after: 2 weeks Modified: head/libexec/tftpd/tftp-io.c head/libexec/tftpd/tftp-utils.c head/usr.bin/tftp/main.c head/usr.bin/tftp/tftp.c Modified: head/libexec/tftpd/tftp-io.c ============================================================================== --- head/libexec/tftpd/tftp-io.c Sun Jul 22 16:51:11 2018 (r336608) +++ head/libexec/tftpd/tftp-io.c Sun Jul 22 17:10:12 2018 (r336609) @@ -40,6 +40,7 @@ __FBSDID("$FreeBSD$"); #include <errno.h> #include <setjmp.h> #include <signal.h> +#include <stddef.h> #include <stdio.h> #include <stdlib.h> #include <string.h> @@ -193,16 +194,16 @@ send_wrq(int peer, char *filename, char *mode) tp = (struct tftphdr *)buf; tp->th_opcode = htons((u_short)WRQ); - size = 2; + size = offsetof(struct tftphdr, th_stuff); bp = tp->th_stuff; - strcpy(bp, filename); + strlcpy(bp, filename, sizeof(buf) - size); bp += strlen(filename); *bp = 0; bp++; size += strlen(filename) + 1; - strcpy(bp, mode); + strlcpy(bp, mode, sizeof(buf) - size); bp += strlen(mode); *bp = 0; bp++; @@ -241,16 +242,16 @@ send_rrq(int peer, char *filename, char *mode) tp = (struct tftphdr *)buf; tp->th_opcode = htons((u_short)RRQ); - size = 2; + size = offsetof(struct tftphdr, th_stuff); bp = tp->th_stuff; - strcpy(bp, filename); + strlcpy(bp, filename, sizeof(buf) - size); bp += strlen(filename); *bp = 0; bp++; size += strlen(filename) + 1; - strcpy(bp, mode); + strlcpy(bp, mode, sizeof(buf) - size); bp += strlen(mode); *bp = 0; bp++; Modified: head/libexec/tftpd/tftp-utils.c ============================================================================== --- head/libexec/tftpd/tftp-utils.c Sun Jul 22 16:51:11 2018 (r336608) +++ head/libexec/tftpd/tftp-utils.c Sun Jul 22 17:10:12 2018 (r336609) @@ -237,14 +237,15 @@ const char * debug_show(int d) { static char s[100]; + size_t space = sizeof(s); int i = 0; s[0] = '\0'; while (debugs[i].name != NULL) { if (d&debugs[i].value) { - if (s[0] != '\0') - strcat(s, " "); - strcat(s, debugs[i].name); + if (s[0] != '\0') + strlcat(s, " ", space); + strlcat(s, debugs[i].name, space); } i++; } Modified: head/usr.bin/tftp/main.c ============================================================================== --- head/usr.bin/tftp/main.c Sun Jul 22 16:51:11 2018 (r336608) +++ head/usr.bin/tftp/main.c Sun Jul 22 17:10:12 2018 (r336609) @@ -429,7 +429,7 @@ static void settftpmode(const char *newmode) { - strcpy(mode, newmode); + strlcpy(mode, newmode, sizeof(mode)); if (verbose) printf("mode set to %s\n", mode); } @@ -489,7 +489,10 @@ put(int argc, char *argv[]) return; } - stat(cp, &sb); + if (fstat(fd, &sb) < 0) { + warn("%s", cp); + return; + } asprintf(&options[OPT_TSIZE].o_request, "%ju", sb.st_size); if (verbose) @@ -510,7 +513,10 @@ put(int argc, char *argv[]) continue; } - stat(cp, &sb); + if (fstat(fd, &sb) < 0) { + warn("%s", argv[n]); + continue; + } asprintf(&options[OPT_TSIZE].o_request, "%ju", sb.st_size); if (verbose) Modified: head/usr.bin/tftp/tftp.c ============================================================================== --- head/usr.bin/tftp/tftp.c Sun Jul 22 16:51:11 2018 (r336608) +++ head/usr.bin/tftp/tftp.c Sun Jul 22 17:10:12 2018 (r336609) @@ -50,6 +50,7 @@ __FBSDID("$FreeBSD$"); #include <arpa/tftp.h> +#include <assert.h> #include <err.h> #include <netdb.h> #include <stdio.h> @@ -85,6 +86,7 @@ xmitfile(int peer, char *port, int fd, char *name, cha if (port == NULL) { struct servent *se; se = getservbyname("tftp", "udp"); + assert(se != NULL); ((struct sockaddr_in *)&peer_sock)->sin_port = se->s_port; } else ((struct sockaddr_in *)&peer_sock)->sin_port = @@ -184,6 +186,7 @@ recvfile(int peer, char *port, int fd, char *name, cha if (port == NULL) { struct servent *se; se = getservbyname("tftp", "udp"); + assert(se != NULL); ((struct sockaddr_in *)&peer_sock)->sin_port = se->s_port; } else ((struct sockaddr_in *)&peer_sock)->sin_port =
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201807221710.w6MHADvi060173>