From 0a4eb8fda53940c8123522dffeec2e4517332af6 Mon Sep 17 00:00:00 2001
From: Mithil Poojary
Date: Sat, 3 Oct 2020 05:07:48 +0530
Subject: [PATCH] Replace vulnerable functions with safer alternatives
---
 src/exec.cc | 13 +++++++------
 src/irc.cc | 5 +++--
 src/linux.cc | 6 +++---
 src/mail.cc | 3 ++-
 src/mboxscan.cc | 3 ++-
 src/net_stat.cc | 4 ++--
 src/tailhead.cc | 2 +-
 src/template.cc | 3 ++-
 8 files changed, 22 insertions(+), 17 deletions(-)
diff --git a/src/exec.cc b/src/exec.cc
index 65bc1bac..c0aa539f 100644
--- a/src/exec.cc
+++ b/src/exec.cc
@@ -168,17 +168,18 @@ void exec_cb::work() {
 // remove backspaced chars, example: "dog^H^H^Hcat" becomes "cat"
 // string has to end with \0 and it's length should fit in a int
 #define BACKSPACE 8
-static void remove_deleted_chars(char *string) {
+static void remove_deleted_chars(char *string, unsigned int p_max_size) {
 int i = 0;
 while (string[i] != 0) {
 if (string[i] == BACKSPACE) {
 if (i != 0) {
- strcpy(&(string[i - 1]), &(string[i + 1]));
+ strncpy(&(string[i - 1]), &(string[i + 1]),
+ strnlen(string, p_max_size) - i + 1);
 i--;
 } else {
- strcpy(
- &(string[i]),
- &(string[i + 1])); // necessary for ^H's at the start of a string
+ strncpy(&(string[i]), &(string[i + 1]),
+ strnlen(string, p_max_size) -
+ i); // necessary for ^H's at the start of a string
 }
 } else {
 i++;
@@ -229,7 +230,7 @@ void fill_p(const char *buffer, struct text_object *obj, char *p,
 snprintf(p, p_max_size, "%s", buffer);
 }
- remove_deleted_chars(p);
+ remove_deleted_chars(p, p_max_size);
 }
 /**
diff --git a/src/irc.cc b/src/irc.cc
index 380cc3e3..cde62046 100644
--- a/src/irc.cc
+++ b/src/irc.cc
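Review bot: In `remove_deleted_chars` (src/exec.cc, first hunk) both new `strncpy` calls copy between overlapping parts of the same buffer, which is undefined behaviour for `strncpy` exactly as it was for `strcpy`, so the swap does not make the shift safer. `memmove` is the call defined for overlapping regions: `memmove(&string[i - 1], &string[i + 1], strlen(&string[i + 1]) + 1);` in the first branch and `memmove(&string[i], &string[i + 1], strlen(&string[i + 1]) + 1);` in the second. The `while (string[i] != 0)` loop still never consults `p_max_size`, so the new parameter bounds only the length computation, and `strnlen` rescans the whole string on every backspace. The function's closing lines are outside the hunk.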
@@ -59,7 +59,8 @@ void addmessage(struct ctx *ctxptr, char *nick, const char *text) {
 struct ll_text *lastmsg = ctxptr->messages;
 struct ll_text *newmsg = (struct ll_text *)malloc(sizeof(struct ll_text));
 newmsg->text = (char *)malloc(strlen(nick) + strlen(text) + 4); // 4 = ": \n"
- sprintf(newmsg->text, "%s: %s\n", nick, text);
+ snprintf(newmsg->text, strlen(nick) + strlen(text) + 4, "%s: %s\n", nick,
+ text);
 newmsg->next = nullptr;
 int msgcnt = 1;
 if (!lastmsg) {
@@ -107,7 +108,7 @@ void ev_num(irc_session_t *session, unsigned int event, const char *,
 if (event == 433) { // nick in use
 int len = strlen(params[1]) + 4;
 char *newnick = (char *)malloc(len);
- strcpy(newnick, params[1]);
+ strncpy(newnick, len, params[1]);
 attachment[1] += rand() % 10;
 attachment[2] += rand() % 10;
 strncat(newnick, attachment, len - 1);
diff --git a/src/linux.cc b/src/linux.cc
index 8792d60d..a96ae0f9 100644
--- a/src/linux.cc
+++ b/src/linux.cc
@@ -580,9 +580,9 @@ void update_net_interfaces(FILE *net_dev_fp, bool is_first_update,
 nullptr, NULL);
 ns2->addr = ((struct ifreq *)conf.ifc_buf)[k].ifr_ifru.ifru_addr;
 char temp_addr[18];
- sprintf(temp_addr, "%u.%u.%u.%u, ", ns2->addr.sa_data[2] & 255,
- ns2->addr.sa_data[3] & 255, ns2->addr.sa_data[4] & 255,
- ns2->addr.sa_data[5] & 255);
+ snprintf(temp_addr, sizeof(temp_addr), "%u.%u.%u.%u, ",
+ ns2->addr.sa_data[2] & 255, ns2->addr.sa_data[3] & 255,
+ ns2->addr.sa_data[4] & 255, ns2->addr.sa_data[5] & 255);
 if (nullptr == strstr(ns2->addrs, temp_addr))
 strncpy(ns2->addrs + strlen(ns2->addrs), temp_addr, 17);
 }
diff --git a/src/mail.cc b/src/mail.cc
index a9be07f1..e74ba487 100644
--- a/src/mail.cc
+++ b/src/mail.cc
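Review bot: In `addmessage` (src/irc.cc, first hunk) the bound given to `snprintf` repeats the `strlen(nick) + strlen(text) + 4` expression from the `malloc` one line above, so the two can drift apart when either is edited. Neither `malloc` result is checked before it is written through. Computing the size once, `size_t len = strlen(nick) + strlen(text) + 4;`, and using it for both the allocation and the `snprintf` keeps them tied together, and a `nullptr` check on `newmsg` and `newmsg->text` should come before the write. The function continues past the end of the hunk.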
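Review bot: In `ev_num` (src/irc.cc, second hunk) the new call `strncpy(newnick, len, params[1]);` has its second and third arguments swapped. `strncpy` takes destination, source, count, so this passes an `int` where a `const char *` is expected and should be rejected by a C++ compiler. The intended call is `strncpy(newnick, params[1], len);`, or better `snprintf(newnick, len, "%s", params[1]);`, which always terminates. The following `strncat(newnick, attachment, len - 1)` passes a destination-sized count, but `strncat` reads that argument as the maximum number of characters to append, so the bound should be `len - strlen(newnick) - 1`. The `malloc` result is also used unchecked, and the function starts and ends outside the hunk.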
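Review bot: In `update_net_interfaces` (src/linux.cc) the append two lines below the new `snprintf`, `strncpy(ns2->addrs + strlen(ns2->addrs), temp_addr, 17);`, is left unchanged and never checks how much room remains in `ns2->addrs`. The `snprintf` into `temp_addr` itself is bounded correctly. The size of `addrs` is not visible in this hunk, so this is an inference, but every new interface address moves the write further along with no limit, and a full 17-character `temp_addr` is copied without its terminator. A bounded append, `snprintf(ns2->addrs + used, sizeof(ns2->addrs) - used, "%s", temp_addr);` with `used = strlen(ns2->addrs)`, would close it, assuming `addrs` is an array member (confirm at its declaration).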
@@ -255,7 +255,8 @@ static void update_mail_count(struct local_mail_s *mail) { NORM_ERR("malloc"); return; } - strcpy(mailflags, strrchr(dirent->d_name, ',')); + strncpy(mailflags, strrchr(dirent->d_name, ','), + strlen(strrchr(dirent->d_name, ','))); if (strchr(mailflags, 'T') == nullptr) { /* The message is not in the trash */ if (strchr(mailflags, 'S') != diff --git a/src/mboxscan.cc b/src/mboxscan.cc index e353060c..baf8eeda 100644 --- a/src/mboxscan.cc +++ b/src/mboxscan.cc @@ -145,7 +145,8 @@ static void mbox_scan(char *args, char *output, size_t max_len) { /* allowing $MAIL in the config */ if (strcmp(mbox_mail_spool, "$MAIL") == 0) { - strcpy(mbox_mail_spool, current_mail_spool.get(*state).c_str()); + strncpy(mbox_mail_spool, current_mail_spool.get(*state).c_str(), + DEFAULT_TEXT_BUFFER_SIZE); } if (stat(mbox_mail_spool, &statbuf) != 0) { diff --git a/src/net_stat.cc b/src/net_stat.cc index 96c537e2..d0c61679 100644 --- a/src/net_stat.cc +++ b/src/net_stat.cc @@ -298,13 +298,13 @@ void print_v6addrs(struct text_object *obj, char *p, unsigned int p_max_size) { // netmask if (ns->v6show_nm) { char netmaskstr[5]; // max 5 chars (/128 + null-terminator) - sprintf(netmaskstr, "/%u", current_v6->netmask); + snprintf(netmaskstr, sizeof(netmaskstr), "/%u", current_v6->netmask); strncat(p, netmaskstr, p_max_size); } // scope if (ns->v6show_sc) { char scopestr[4]; - sprintf(scopestr, "(%c)", current_v6->scope); + snprintf(scopestr, sizeof(scopestr), "(%c)", current_v6->scope); strncat(p, scopestr, p_max_size); } // next (or last) address diff --git a/src/tailhead.cc b/src/tailhead.cc index 482704b5..cc0e8888 100644 --- a/src/tailhead.cc +++ b/src/tailhead.cc 
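Review bot: In `update_mail_count` (src/mail.cc) the count passed to the new `strncpy` is `strlen()` of the source, so every character is copied except the terminating NUL and `mailflags` is left unterminated where the old `strcpy` terminated it. The `strchr(mailflags, 'T')` that follows then reads past the copied bytes unless the buffer happened to be zeroed. Because the bound comes from the source rather than from the size `mailflags` was allocated with (the allocation is above the hunk), it cannot prevent an overflow either. Keep the `strrchr` result in a local, `const char *flags = strrchr(dirent->d_name, ',');`, and skip the entry when it is `nullptr`, unless a comma is already guaranteed above the hunk. Then copy with `snprintf(mailflags, flags_size, "%s", flags);`, where `flags_size` stands for the allocation size.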
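Review bot: In `mbox_scan` (src/mboxscan.cc) the new `strncpy(mbox_mail_spool, ..., DEFAULT_TEXT_BUFFER_SIZE)` writes no terminator when the configured spool path is `DEFAULT_TEXT_BUFFER_SIZE` characters or longer, and the buffer goes straight to `stat()`. The same applies to `strncpy(p, ht->buffer, p_max_size);` in `print_tailhead` (src/tailhead.cc), where `p` is presumably consumed as a string afterwards. `snprintf(mbox_mail_spool, DEFAULT_TEXT_BUFFER_SIZE, "%s", current_mail_spool.get(*state).c_str());` and `snprintf(p, p_max_size, "%s", ht->buffer);` truncate and always terminate, which is what `fill_p` in src/exec.cc already does. Whether `mbox_mail_spool` really holds `DEFAULT_TEXT_BUFFER_SIZE` bytes is not visible here and should be confirmed at its declaration.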
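Review bot: In `print_v6addrs` (src/net_stat.cc) the `strncat(p, netmaskstr, p_max_size)` and `strncat(p, scopestr, p_max_size)` calls right after the new `snprintf` lines still pass the full size of `p` as the count. `strncat` reads that argument as the maximum number of characters to append, not as the destination size, so it gives no protection once `p` already holds text. The bound should be the remaining space, e.g. `strncat(p, netmaskstr, p_max_size - strlen(p) - 1);`, and likewise for `scopestr`. The function starts and continues outside the hunk, so other appends in the same loop may need the same change.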
@@ -130,7 +130,7 @@ static void print_tailhead(const char *type, struct text_object *obj, char *p, } // use the buffer if possible if (ht->buffer != nullptr) { - strcpy(p, ht->buffer); + strncpy(p, ht->buffer, p_max_size); ht->current_use++; } else { // otherwise find the needed data if (stat(ht->logfile.c_str(), &st) == 0) { diff --git a/src/template.cc b/src/template.cc index 9e7fb72c..133979e7 100644 --- a/src/template.cc +++ b/src/template.cc @@ -84,7 +84,8 @@ static char *backslash_escape(const char *src, char **templates, dup_len += strlen(templates[tmpl_num - 1]); src_dup = static_cast(realloc(src_dup, dup_len * sizeof(char))); - sprintf(src_dup + dup_idx, "%s", templates[tmpl_num - 1]); + snprintf(src_dup + dup_idx, dup_len - dup_idx, "%s", + templates[tmpl_num - 1]); dup_idx += strlen(templates[tmpl_num - 1]); p += digits; }
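Review bot: In `backslash_escape` (src/template.cc) the `realloc` result is assigned straight back to `src_dup` and then written through by the new `snprintf` with no check, so an allocation failure both loses the old buffer and dereferences a null pointer. Take the result in a temporary first, `void *tmp = realloc(src_dup, dup_len * sizeof(char));`, free `src_dup` and return when `tmp` is `nullptr`, and only then store it back into `src_dup` with the existing cast. The `dup_len - dup_idx` bound is only as good as the bookkeeping of those two variables, whose types and initial values are outside the hunk. If they are unsigned and `dup_idx` can ever exceed `dup_len`, the subtraction wraps to a very large size.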