Author: cem
Date: Fri Apr 14 00:14:40 2017
New Revision: 316799
URL: https://svnweb.freebsd.org/changeset/base/316799

Log:
  restore(8): Prevent some heap overflows
  
  The environment variable TMPDIR was copied unchecked into a fixed-size heap
  buffer.  Use a length-limiting snprintf in place of ordinary sprintf to
  prevent the overflow.  Long TMPDIR variables can still cause odd truncated
  filenames, which may be undesirable.
  
  Reported by:  Coverity (CWE-120)
  CIDs:         1006706, 1006707
  Sponsored by: Dell EMC Isilon

Modified:
  head/sbin/restore/dirs.c

Modified: head/sbin/restore/dirs.c
==============================================================================
--- head/sbin/restore/dirs.c    Fri Apr 14 00:13:33 2017        (r316798)
+++ head/sbin/restore/dirs.c    Fri Apr 14 00:14:40 2017        (r316799)
@@ -140,7 +140,8 @@ extractdirs(int genmode)
        vprintf(stdout, "Extract directories from tape\n");
        if ((tmpdir = getenv("TMPDIR")) == NULL || tmpdir[0] == '\0')
                tmpdir = _PATH_TMP;
-       (void) sprintf(dirfile, "%s/rstdir%jd", tmpdir, (intmax_t)dumpdate);
+       (void) snprintf(dirfile, sizeof(dirfile), "%s/rstdir%jd", tmpdir,
+           (intmax_t)dumpdate);
        if (command != 'r' && command != 'R') {
                (void) strcat(dirfile, "-XXXXXX");
                fd = mkstemp(dirfile);
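Review bot: The `strcat(dirfile, "-XXXXXX")` that follows the new `snprintf` can still write past the end of `dirfile`, because `snprintf` may fill the buffer up to `sizeof(dirfile) - 1` bytes and the seven-byte mkstemp suffix is then appended with no length check. The same applies to `strcat(modefile, "-XXXXXX")` in the second hunk. Reserving room for the suffix and rejecting truncation would close both, e.g. `len = snprintf(dirfile, sizeof(dirfile) - strlen("-XXXXXX"), "%s/rstdir%jd", tmpdir, (intmax_t)dumpdate);` followed by `if (len < 0 || (size_t)len >= sizeof(dirfile) - strlen("-XXXXXX"))` leading to a fatal error. This assumes `dirfile` and `modefile` are arrays declared outside the hunk, as the `sizeof` use suggests; extractdirs itself starts and ends outside the hunk.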
@@ -153,8 +154,8 @@ extractdirs(int genmode)
                done(1);
        }
        if (genmode != 0) {
-               (void) sprintf(modefile, "%s/rstmode%jd", tmpdir,
-                   (intmax_t)dumpdate);
+               (void) snprintf(modefile, sizeof(modefile), "%s/rstmode%jd",
+                   tmpdir, (intmax_t)dumpdate);
                if (command != 'r' && command != 'R') {
                        (void) strcat(modefile, "-XXXXXX");
                        fd = mkstemp(modefile);
@@ -568,8 +569,8 @@ setdirmodes(int flags)
        if ((tmpdir = getenv("TMPDIR")) == NULL || tmpdir[0] == '\0')
                tmpdir = _PATH_TMP;
        if (command == 'r' || command == 'R')
-               (void) sprintf(modefile, "%s/rstmode%jd", tmpdir,
-                   (intmax_t)dumpdate);
+               (void) snprintf(modefile, sizeof(modefile), "%s/rstmode%jd",
+                   tmpdir, (intmax_t)dumpdate);
        if (modefile[0] == '#') {
                panic("modefile not defined\n");
                fprintf(stderr, "directory mode, owner, and times not set\n");