changed to use slprintf() instead of sprintf() just about

everywhere. I've implemented slprintf() as a bounds checked sprintf()
using mprotect() and a non-writeable page.

This should prevent any sprintf based security holes.
(This used to be commit ee09e9dadb69aaba5a751dd20ccc6d587d841bd6)

2 files changed, 6 insertions, 5 deletions

diff --git a/source3/libsmb/clientgen.c b/source3/libsmb/clientgen.c
index d72040505f..8b4001827c 100644
--- a/source3/libsmb/clientgen.c
+++ b/source3/libsmb/clientgen.c
@@ -343,8 +343,8 @@ BOOL cli_api_pipe(struct cli_state *cli, char *pipe_name, int pipe_name_len,
                  data, data_count, max_data_count);
 
   return (cli_receive_trans(cli, SMBtrans, 
-                            rparam, rparam_count,
-                            rdata, rdata_count));
+                            rparam, (int *)rparam_count,
+                            rdata, (int *)rdata_count));
 }
 
 /****************************************************************************
@@ -714,7 +714,8 @@ BOOL cli_send_tconX(struct cli_state *cli,
 		memcpy(pword, pass, passlen);
 	}
 
-	sprintf(fullshare, "\\\\%s\\%s", cli->desthost, share);
+	slprintf(fullshare, sizeof(fullshare)-1,
+		 "\\\\%s\\%s", cli->desthost, share);
 
 	set_message(cli->outbuf,4,
 		    2 + strlen(fullshare) + passlen + strlen(dev),True);
diff --git a/source3/libsmb/nmblib.c b/source3/libsmb/nmblib.c
index 9c7b260c59..5a8a037ce5 100644
--- a/source3/libsmb/nmblib.c
+++ b/source3/libsmb/nmblib.c
@@ -294,9 +294,9 @@ char *namestr(struct nmb_name *n)
   char *p = ret[i];
 
   if (!n->scope[0])
-    sprintf(p,"%s<%02x>",n->name,n->name_type);
+    slprintf(p,sizeof(fstring)-1, "%s<%02x>",n->name,n->name_type);
   else
-    sprintf(p,"%s<%02x>.%s",n->name,n->name_type,n->scope);
+    slprintf(p,sizeof(fstring)-1, "%s<%02x>.%s",n->name,n->name_type,n->scope);
 
   i = (i+1)%4;
   return(p);