On Thu, 09 Aug 2012 07:40:43 +0200, Marc Balmer wrote: > A few more sprintf() to snprintf() conversion. > > We need to find a proper way to replace strcpy() and strcat(), maybe > keep a local copy of strlcpy() and strlcat() from OpenBSD around > somewhere? Other suggestions?
+1 Or link with -lbsd, which is provided on most Linux distributions nowadays. The hard part is to do the replacement work. If someone is interested, I can send them a full build log on OpenBSD, where the linker warns about the use of unsafe functions.
> >From 6aba055101e8b7c2f0155d76e872125dfd69ef8c Mon Sep 17 00:00:00 2001
> From: Marc Balmer <m...@msys.ch>
> Date: Thu, 9 Aug 2012 07:38:39 +0200
> Subject: [PATCH 2/2] Fix more sprintf calls.
>
> ---
> cde/lib/csa/convert4-5.c | 31 ++++++++++++++++---------------
> cde/lib/csa/iso8601.c | 2 +-
> cde/lib/csa/laccess.c | 2 +-
> cde/lib/csa/lutil.c | 5 +++--
> cde/lib/csa/rpccalls.c | 2 +-
> 5 files changed, 22 insertions(+), 20 deletions(-)
>
> diff --git a/cde/lib/csa/convert4-5.c b/cde/lib/csa/convert4-5.c
> index 27a08bf..dfca086 100644
> --- a/cde/lib/csa/convert4-5.c
> +++ b/cde/lib/csa/convert4-5.c
> @@ -144,12 +144,12 @@ _DtCm_appt4_to_attrs(
> ptr2 = (ptr1 ? strchr(ptr1, '.') : NULL);
>
> if (ptr1) {
> - sprintf(buf, "%d:%s%s%s", a4->appt_id.key, calname,
> + snprintf(buf, sizeof buf, "%d:%s%s%s", a4->appt_id.key,
> calname,
> (ptr2 == NULL ? "." : ""),
> (ptr2 == NULL ? _DtCmGetLocalDomain(ptr1+1) :
> ""));
> } else {
> - sprintf(buf, "%d:%s@%s", a4->appt_id.key, calname,
> + snprintf(buf, sizeof buf, "%d:%s@%s", a4->appt_id.key,
> calname,
> _DtCmGetHostAtDomain());
> }
> opq.size = strlen(buf);
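Review bot: None of the converted calls checks snprintf()'s return value, so a result that no longer fits is now silently truncated instead of overflowing; in `_DtCm_appt4_to_attrs` the shortened string is then measured with `strlen(buf)` and used as if it were the full value. The same holds for the calls in laccess.c, both lutil.c hunks and rpccalls.c, where the buffer appears to hold a user or host identity, and a clipped identity can compare equal to a different one or direct clnt_create() at another host name. I would capture the result and fail the operation on truncation, e.g. `n = snprintf(buf, sizeof buf, ...); if (n < 0 || (size_t)n >= sizeof buf)` followed by the function's error return. `sizeof buf` is also only the right bound if `buf` is an array in that scope; the declarations are outside these hunks, so that is worth confirming per file.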
> @@ -450,43 +450,44 @@ _RepeatInfoToRule(Appt_4 *a4, cms_attribute_value
> **attrval)
>
> switch (a4->period.period) {
> case daily_4:
> - sprintf(buf, "D1 #%d ", duration);
> + snprintf(buf, sizeof buf, "D1 #%d ", duration);
> break;
> case weekly_4:
> - sprintf(buf, "W1 #%d ", duration);
> + snprintf(buf, sizeof buf, "W1 #%d ", duration);
> break;
> case biweekly_4:
> - sprintf(buf, "W2 #%d ", duration);
> + snprintf(buf, sizeof buf, "W2 #%d ", duration);
> break;
> case monthly_4:
> - sprintf(buf, "MD1 #%d ", duration);
> + snprintf(buf, sizeof buf, "MD1 #%d ", duration);
> break;
> case yearly_4:
> - sprintf(buf, "YM1 #%d ", duration);
> + snprintf(buf, sizeof buf, "YM1 #%d ", duration);
> break;
> case nthWeekday_4:
> - sprintf(buf, "MP1 #%d ", duration);
> + snprintf(buf, sizeof buf, "MP1 #%d ", duration);
> break;
> case everyNthDay_4:
> - sprintf(buf, "D%d #%d ", a4->period.nth, duration);
> + snprintf(buf, sizeof buf, "D%d #%d ", a4->period.nth, duration);
> break;
> case everyNthWeek_4:
> - sprintf(buf, "W%d #%d ", a4->period.nth, duration);
> + snprintf(buf, sizeof buf, "W%d #%d ", a4->period.nth, duration);
> break;
> case everyNthMonth_4:
> - sprintf(buf, "MD%d #%d ", a4->period.nth, duration);
> + snprintf(buf, sizeof buf, "MD%d #%d ", a4->period.nth,
> duration);
> break;
> case monThruFri_4:
> - sprintf(buf, "W1 MO TU WE TH FR #%d ", duration);
> + snprintf(buf, sizeof buf, "W1 MO TU WE TH FR #%d ", duration);
> break;
> case monWedFri_4:
> - sprintf(buf, "W1 MO WE FR #%d ", duration);
> + snprintf(buf, sizeof buf, "W1 MO WE FR #%d ", duration);
> break;
> case tueThur_4:
> - sprintf(buf, "W1 TU TH #%d ", duration);
> + snprintf(buf, sizeof buf, "W1 TU TH #%d ", duration);
> break;
> case daysOfWeek_4:
> - sprintf(buf, "W1 #%d ", duration);
> + snprintf(buf, sizeof buf, "W1 #%d ", duration);
> + /* XXX strcat is unsafe here */
> if (a4->period.nth & 0x1) strcat(buf, "SU ");
> if (a4->period.nth & 0x2) strcat(buf, "MO ");
> if (a4->period.nth & 0x4)
strcat(buf, "TU ");
> diff --git a/cde/lib/csa/iso8601.c b/cde/lib/csa/iso8601.c
> index 5893f33..ef7a55c 100644
> --- a/cde/lib/csa/iso8601.c
> +++ b/cde/lib/csa/iso8601.c
> @@ -44,7 +44,7 @@ set_timezone(char *tzname)
> if (tzname==NULL)
> system("unset TZ\n");
> else {
> - sprintf(tzenv, "TZ=%s", tzname);
> + snprintf(tzenv, sizeof tzenv, "TZ=%s", tzname);
> (void) putenv(tzenv);
> tzset();
> }
> diff --git a/cde/lib/csa/laccess.c b/cde/lib/csa/laccess.c
> index 2aea1a6..631f38d 100644
> --- a/cde/lib/csa/laccess.c
> +++ b/cde/lib/csa/laccess.c
> @@ -124,7 +124,7 @@ _DtCmIsSameUser(char *user1, char *user2)
> /* assume user2=user@host[.domain] */
> if (str1 == NULL) {
> str1 = strchr(user1, '@');
> - sprintf(buf, "%s.%s", ++str1, domain);
> + snprintf(buf, sizeof buf, "%s.%s", ++str1, domain);
> str1 = buf;
> } else {
> str1 = strchr(user1, '@');
> diff --git a/cde/lib/csa/lutil.c b/cde/lib/csa/lutil.c
> index 78a9edc..2794832 100644
> --- a/cde/lib/csa/lutil.c
> +++ b/cde/lib/csa/lutil.c
> @@ -115,7 +115,7 @@ _DtCmGetLocalDomain(char *hostname)
> ptr = domain;
> if (hostname == NULL) hostname = _DtCmGetLocalHost();
> while (1) {
> - sprintf(buf, "%s.%s", hostname, ptr);
> + snprintf(buf, sizeof buf, "%s.%s", hostname, ptr);
> if ((cl = clnt_create(buf, 100068, 5, "udp")) == NULL) {
> ptr = strchr(ptr, '.');
> if (ptr)
> @@ -145,9 +145,10 @@ _DtCmGetHostAtDomain()
>
> host = _DtCmGetLocalHost();
> if (strchr(host, '.') == NULL)
> - sprintf(hostname, "%s.%s", host,
> + snprintf(hostname, BUFSIZ, "%s.%s", host,
> _DtCmGetLocalDomain(host));
> else
> + /* XXX strcpy unsafe here */
> strcpy(hostname, host);
> }
>
> diff --git a/cde/lib/csa/rpccalls.c b/cde/lib/csa/rpccalls.c
> index a23d067..30ac82e 100644
> --- a/cde/lib/csa/rpccalls.c
> +++ b/cde/lib/csa/rpccalls.c
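Review bot: In the `daysOfWeek_4` case of `_RepeatInfoToRule` (convert4-5.c) the new `/* XXX strcat is unsafe here */` marks the problem but leaves the unbounded appends in place and does not say what the worst case is. Each flag appends a three-byte token and there are presumably seven of them, so the total is small and fixed. Either state that bound against the size of `buf` in the comment, or keep the length snprintf returns and append into the remaining space, e.g. `n += snprintf(buf + n, sizeof buf - n, "SU ");`, checking that `n` is still below `sizeof buf` before each append so the size argument cannot wrap. The rest of the switch and the size of `buf` are outside the hunk.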
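Review bot: In `set_timezone` (iso8601.c) the string formatted into `tzenv` is handed to `putenv()`, which keeps the caller's pointer instead of copying, so `tzenv` has to outlive the call and a truncated `TZ=` value would silently select a different zone. Its declaration is outside the hunk, so both its storage duration and whether `sizeof tzenv` is really an array size need confirming. The untouched `system("unset TZ\n")` branch runs in a child shell and cannot change this process's environment. Using `setenv("TZ", tzname, 1);` and `unsetenv("TZ");` would remove the fixed buffer, the lifetime question and the shell call together.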
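Review bot: In `_DtCmIsSameUser` (laccess.c) the result of `strchr(user1, '@')` is incremented and passed to snprintf without a NULL test, so a `user1` with no `@` makes `++str1` undefined before the new size bound can help. Unless a check outside the hunk already guarantees the `@`, test the pointer first, e.g. `if ((str1 = strchr(user1, '@')) == NULL)` followed by the function's not-the-same-user return. The else branch shown as context repeats the same unchecked `strchr`, and the function continues past the end of the hunk.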
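Review bot: In `_DtCmGetHostAtDomain` (lutil.c) the else branch keeps `strcpy(hostname, host)` behind an XXX comment although the bounded form is a one-line change using the bound this commit already relies on: `snprintf(hostname, BUFSIZ, "%s", host);`. The `BUFSIZ` bound is only correct if `hostname` really has `BUFSIZ` bytes; the allocation is outside the hunk, and `sizeof` would not work if `hostname` is a pointer. A short comment at the allocation tying its size to the bound used here would keep the two from drifting apart.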
> @@ -1451,7 +1451,7 @@ _GetV4UserAccess(Calendar *cal, cms_access_entry *alist)
> return (CSA_SUCCESS);
> }
>
> - sprintf(buf, "%s@%s", user, localhost);
> + snprintf(buf, sizeof buf, "%s@%s", user, localhost);
> for (; alist != NULL; alist = alist->next) {
> if (strcasecmp(alist->user, "world") == 0)
> worldaccess = alist->rights;
> --
> 1.7.2.5
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> cdesktopenv-devel mailing list
> cdesktopenv-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/cdesktopenv-devel
> ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ cdesktopenv-devel mailing list cdesktopenv-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/cdesktopenv-devel