From owner-freebsd-audit Sat Nov 11 8:14:21 2000 Delivered-To: freebsd-audit@freebsd.org Received: from peitho.fxp.org (peitho.fxp.org [209.26.95.40]) by hub.freebsd.org (Postfix) with ESMTP id 5ED3D37B479 for ; Sat, 11 Nov 2000 08:14:14 -0800 (PST) Received: from earth.causticlabs.com (oca-pm3-3-146.hitter.net [207.192.76.146]) by peitho.fxp.org (Postfix) with ESMTP id 5A9A61360E for ; Sat, 11 Nov 2000 11:14:18 -0500 (EST) Received: by earth.causticlabs.com (Postfix, from userid 1000) id 2221A7C93; Sat, 11 Nov 2000 11:14:09 -0500 (EST) Date: Sat, 11 Nov 2000 11:14:08 -0500 
From: Chris Faulhaber To: freebsd-audit@FreeBSD.org Subject: config(8) patch Message-ID: <20001111111408.A28197@earth.causticlabs.com> Mail-Followup-To: Chris Faulhaber , freebsd-audit@FreeBSD.org Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="cWoXeonUoKmBZSoM" Content-Disposition: inline User-Agent: Mutt/1.2.5i Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG --cWoXeonUoKmBZSoM Content-Type: text/plain; charset=us-ascii Content-Disposition: inline The attached diff for config(8) fixes the following: 1) numerous places where the return value of malloc(2) is not checked 2) allocate [MAXPATHLEN + 1] to ensure room for MAXPATHLEN and '\0' 3) use strlcpy(3) instead of strcpy(3), especially when copying from the command line (optarg) 4) correct usage(s) of strcpy(3)/strcat(3) combination by using snprintf(3) 5) change mkdir(2) mode from 0777 to 0755 -- Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org -------------------------------------------------------- FreeBSD: The Power To Serve - http://www.FreeBSD.org --cWoXeonUoKmBZSoM Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="config.diff"
Index: config.y
===================================================================
RCS file: /home/ncvs/src/usr.sbin/config/config.y,v
retrieving revision 1.46
diff -u -r1.46 config.y
--- config.y 2000/10/14 08:33:19 1.46
+++ config.y 2000/11/11 16:05:21
@@ -131,6 +131,8 @@
 = { struct cputype *cp = (struct cputype *)malloc(sizeof (struct cputype));
+ if (!cp)
+ err(1, "malloc failed");
 memset(cp, 0, sizeof(*cp)); cp->cpu_name = $2; cp->cpu_next = cputype;
@@ -165,6 +167,8 @@
 Save_id = { struct opt *op = (struct opt *)malloc(sizeof (struct opt));
+ if (!op)
+ err(1, "malloc failed");
 memset(op, 0, sizeof(*op)); op->op_name = ns("KERNEL"); op->op_ownfile = 0;
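Review bot: The allocate / check / zero triple added in config.y hunk @@ -131,6 (`if (!cp) err(1, "malloc failed");` between the malloc and the memset) is repeated verbatim in fifteen more hunks of this patch: the other five in config.y, main.c @@ -346,6, and every malloc hunk in mkheaders.c, mkmakefile.c and mkoptions.c. Where the next statement zeroes the block, `cp = calloc(1, sizeof(*cp)); if (cp == NULL) err(1, "calloc failed");` does the same work in one call, and a small file-local wrapper would keep a future allocation from being added without the check. The new calls exit with status 1 while the error paths visible in main.c use 2 (`errx(2, "directory already set")`), so the exit code should be chosen deliberately rather than by accident. The yacc action this hunk sits in begins and ends outside the hunk.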
@@ -190,6 +194,8 @@
 = { struct opt *op = (struct opt *)malloc(sizeof (struct opt)); char *s;
+ if (!op)
+ err(1, "malloc failed");
 memset(op, 0, sizeof(*op)); op->op_name = $1; op->op_next = opt;
@@ -209,6 +215,8 @@
 Save_id EQUALS Opt_value = { struct opt *op = (struct opt *)malloc(sizeof (struct opt));
+ if (!op)
+ err(1, "malloc failed");
 memset(op, 0, sizeof(*op)); op->op_name = $1; op->op_next = opt;
@@ -243,6 +251,8 @@
 Save_id EQUALS Opt_value = { struct opt *op = (struct opt *)malloc(sizeof (struct opt));
+ if (!op)
+ err(1, "malloc failed");
 memset(op, 0, sizeof(*op)); op->op_name = $1; op->op_ownfile = 0; /* for now */
@@ -291,6 +301,8 @@
 struct device *np; np = (struct device *) malloc(sizeof *np);
+ if (!np)
+ err(1, "malloc failed");
 memset(np, 0, sizeof(*np)); *np = *dp; np->d_name = dp->d_name;
Index: main.c
===================================================================
RCS file: /home/ncvs/src/usr.sbin/config/main.c,v
retrieving revision 1.40
diff -u -r1.40 main.c
--- main.c 2000/09/29 13:30:24 1.40
+++ main.c 2000/11/11 16:06:41
@@ -69,8 +69,8 @@
 #define CDIR "../../compile/" char * PREFIX;
-char destdir[MAXPATHLEN];
-char srcdir[MAXPATHLEN];
+char destdir[MAXPATHLEN + 1];
+char srcdir[MAXPATHLEN + 1];
 static int no_config_clobber = TRUE; int debugging;
@@ -96,7 +96,7 @@
 switch (ch) { case 'd': if (*destdir == '\0')
- strcpy(destdir, optarg);
+ strlcpy(destdir, optarg, sizeof(destdir));
 else errx(2, "directory already set"); break;
@@ -133,13 +133,12 @@
 destdir[--len] = '\0'; get_srcdir(); } else {
- strcpy(destdir, CDIR);
- strcat(destdir, PREFIX);
+ snprintf(destdir, sizeof(destdir), "%s%s", CDIR, PREFIX);
 } p = path((char *)NULL); if (stat(p, &buf)) {
- if (mkdir(p, 0777))
+ if (mkdir(p, 0755))
 err(2, "%s", p); } else if ((buf.st_mode & S_IFMT) != S_IFDIR) {
@@ -156,7 +155,7 @@
 err(2, "%s", tmp); } fprintf(stderr, "Done.\n");
- if (mkdir(p, 0777))
+ if (mkdir(p, 0755))
 err(2, "%s", p); }
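Review bot: The strlcpy() added in main.c hunk @@ -96,7 discards its return value, so a -d argument longer than destdir is cut short silently and config carries on with a directory the user did not name; the later hunks appear to stat and mkdir a path built from that buffer. Reject the over-long value instead: `if (strlcpy(destdir, optarg, sizeof(destdir)) >= sizeof(destdir)) errx(2, "directory name too long");`. The snprintf() into destdir in hunk @@ -133,13 has the same gap, and its result should be compared with sizeof(destdir) in the same way. The switch statement continues outside the hunk.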
@@ -346,6 +345,8 @@
 char *cp; cp = malloc((size_t)(strlen(destdir) + (file ? strlen(file) : 0) + 2));
+ if (!cp)
+ err(1, "malloc failed");
 (void) strcpy(cp, destdir); if (file) { (void) strcat(cp, "/");
Index: mkheaders.c
===================================================================
RCS file: /home/ncvs/src/usr.sbin/config/mkheaders.c,v
retrieving revision 1.16
diff -u -r1.16 mkheaders.c
--- mkheaders.c 2000/06/13 22:28:41 1.16
+++ mkheaders.c 2000/11/11 16:05:22
@@ -147,6 +147,8 @@
 if (cp == (char *)EOF) break; fl = (struct file_list *) malloc(sizeof *fl);
+ if (!fl)
+ err(1, "malloc failed");
 bzero(fl, sizeof(*fl)); fl->f_fn = inw; /* malloced */ fl->f_type = inc;
@@ -164,6 +166,8 @@
 } if (oldcount == -1) { fl = (struct file_list *) malloc(sizeof *fl);
+ if (!fl)
+ err(1, "malloc failed");
 bzero(fl, sizeof(*fl)); fl->f_fn = ns(name); fl->f_type = count;
@@ -191,8 +195,7 @@
 { static char hbuf[80];
- (void) strcpy(hbuf, path(dev));
- (void) strcat(hbuf, ".h");
+ snprintf(hbuf, sizeof(hbuf), "%s.h", path(dev));
 return (hbuf); }
Index: mkmakefile.c
===================================================================
RCS file: /home/ncvs/src/usr.sbin/config/mkmakefile.c,v
retrieving revision 1.55
diff -u -r1.55 mkmakefile.c
--- mkmakefile.c 2000/08/25 19:30:03 1.55
+++ mkmakefile.c 2000/11/11 16:05:22
@@ -120,6 +120,8 @@
 struct file_list *fp; fp = (struct file_list *) malloc(sizeof *fp);
+ if (!fp)
+ err(1, "malloc failed");
 bzero(fp, sizeof *fp); if (fcur == 0) fcur = ftab = fp;
@@ -494,6 +496,8 @@
 } if (std) { dp = (struct device *) malloc(sizeof *dp);
+ if (!dp)
+ err(1, "malloc failed");
 bzero(dp, sizeof *dp); dp->d_type = DEVICE; dp->d_name = ns(wd);
Index: mkoptions.c
===================================================================
RCS file: /home/ncvs/src/usr.sbin/config/mkoptions.c,v
retrieving revision 1.20
diff -u -r1.20 mkoptions.c
--- mkoptions.c 2000/09/29 13:30:24 1.20
+++ mkoptions.c 2000/11/11 16:05:22
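Review bot: In mkheaders.c hunk @@ -191,8 the move to snprintf() stops the overflow, but hbuf is still 80 bytes while path() seems to build its result from destdir, which main.c now sizes at MAXPATHLEN + 1 (assuming the allocation in main.c hunk @@ -346,6 is path()). A long destination directory therefore produces a truncated header name that is returned to the caller as if it were valid. Size the buffer like the others, `static char hbuf[MAXPATHLEN + 1];`, and treat a return value `>= sizeof(hbuf)` as a fatal error. The string returned by path() looks heap-allocated and is not freed here, which is worth a comment if the leak is intentional; the function's signature lies outside the hunk.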
@@ -80,6 +80,8 @@
 /* Fake the cpu types as options. */ for (cp = cputype; cp != NULL; cp = cp->cpu_next) { op = (struct opt *)malloc(sizeof(*op));
+ if (!op)
+ err(1, "malloc failed");
 memset(op, 0, sizeof(*op)); op->op_name = ns(cp->cpu_name); op->op_next = opt;
@@ -103,6 +105,8 @@
 /* Fake MAXUSERS as an option. */ op = (struct opt *)malloc(sizeof(*op));
+ if (!op)
+ err(1, "malloc failed");
 memset(op, 0, sizeof(*op)); op->op_name = "MAXUSERS"; snprintf(buf, sizeof(buf), "%d", maxusers);
@@ -217,6 +221,8 @@
 tidy++; } else { op = (struct opt *) malloc(sizeof *op);
+ if (!op)
+ err(1, "malloc failed");
 bzero(op, sizeof(*op)); op->op_name = inw; op->op_value = invalue;
@@ -244,6 +250,8 @@
 if (value && !seen) { /* New option appears */ op = (struct opt *) malloc(sizeof *op);
+ if (!op)
+ err(1, "malloc failed");
 bzero(op, sizeof(*op)); op->op_name = ns(name); op->op_value = value ? ns(value) : NULL;
@@ -367,6 +375,8 @@
 } po = (struct opt_list *) malloc(sizeof *po);
+ if (!po)
+ err(1, "malloc failed");
 bzero(po, sizeof(*po)); po->o_name = this; po->o_file = val;
--cWoXeonUoKmBZSoM-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message