author | Jeremy Allison <jra@samba.org> | 1998-05-12 00:55:32 +0000 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 1998-05-12 00:55:32 +0000 |
commit | f888868f46a5418bac9ab528497136c152895305 (patch) | |
tree | cf72c864807b19e098a856aaec8daf334189ff84 /source3/libsmb | |
parent | 9141acecdcebd9276107a500435e3d4545020056 (diff) | |
download | samba-f888868f46a5418bac9ab528497136c152895305.tar.gz samba-f888868f46a5418bac9ab528497136c152895305.tar.bz2 samba-f888868f46a5418bac9ab528497136c152895305.zip |
This is a security audit change of the main source.
It removed all occurrences of the following functions:
sprintf
strcpy
strcat
The replacements are slprintf, safe_strcpy and safe_strcat.
It should not be possible to use code in Samba that uses
sprintf, strcpy or strcat, only the safe_equivalents.
Once Andrew has fixed the slprintf implementation then
this code will be moved back to the 1.9.18 code stream.
Jeremy.
(This used to be commit 2d774454005f0b54e5684cf618da7060594dfcbb)
Diffstat (limited to 'source3/libsmb')
-rw-r--r-- | source3/libsmb/clientgen.c | 58 | ||||
-rw-r--r-- | source3/libsmb/credentials.c | 2 | ||||
-rw-r--r-- | source3/libsmb/namequery.c | 24 | ||||
-rw-r--r-- | source3/libsmb/nmblib.c | 4 | ||||
-rw-r--r-- | source3/libsmb/nterr.c | 4 | ||||
-rw-r--r-- | source3/libsmb/smberr.c | 8 |
6 files changed, 50 insertions, 50 deletions
diff --git a/source3/libsmb/clientgen.c b/source3/libsmb/clientgen.c index 8b4001827c..9dfd482da3 100644 --- a/source3/libsmb/clientgen.c +++ b/source3/libsmb/clientgen.c @@ -89,7 +89,7 @@ char *cli_errstr(struct cli_state *cli) char *nt_msg = get_nt_error_msg(cli->nt_error); if(nt_msg == NULL) - sprintf(error_message, "NT code %d", cli->nt_error); + slprintf(error_message, sizeof(fstring) - 1, "NT code %d", cli->nt_error); else fstrcpy(error_message, nt_msg); @@ -100,7 +100,7 @@ char *cli_errstr(struct cli_state *cli) * Must have been a rap error. */ - sprintf(error_message, "code %d", cli->rap_error); + slprintf(error_message, sizeof(error_message) - 1, "code %d", cli->rap_error); for(i = 0; rap_errmap[i].message != NULL; i++) { if (rap_errmap[i].err == cli->rap_error) { @@ -387,16 +387,16 @@ BOOL cli_NetWkstaUserLogon(struct cli_state *cli,char *user, char *workstation) p = param; SSVAL(p,0,132); /* api number */ p += 2; - strcpy(p,"OOWb54WrLh"); + pstrcpy(p,"OOWb54WrLh"); p = skip_string(p,1); - strcpy(p,"WB21BWDWWDDDDDDDzzzD"); + pstrcpy(p,"WB21BWDWWDDDDDDDzzzD"); p = skip_string(p,1); SSVAL(p,0,1); p += 2; - strcpy(p,user); + pstrcpy(p,user); strupper(p); p += 21; p++; p += 15; p++; - strcpy(p, workstation); + pstrcpy(p, workstation); strupper(p); p += 16; SSVAL(p, 0, BUFFER_SIZE); @@ -443,9 +443,9 @@ BOOL cli_RNetShareEnum(struct cli_state *cli, void (*fn)(char *, uint32, char *) p = param; SSVAL(p,0,0); /* api number */ p += 2; - strcpy(p,"WrLeh"); + pstrcpy(p,"WrLeh"); p = skip_string(p,1); - strcpy(p,"B13BWz"); + pstrcpy(p,"B13BWz"); p = skip_string(p,1); SSVAL(p,0,1); SSVAL(p,2,BUFFER_SIZE); @@ -505,10 +505,10 @@ BOOL cli_NetServerEnum(struct cli_state *cli, char *workgroup, uint32 stype, p = param; SSVAL(p,0,0x68); /* api number */ p += 2; - strcpy(p,"WrLehDz"); + pstrcpy(p,"WrLehDz"); p = skip_string(p,1); - strcpy(p,"B16BBDz"); + pstrcpy(p,"B16BBDz"); p = skip_string(p,1); SSVAL(p,0,uLevel); 
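Review bot: The two slprintf calls in cli_errstr bound the same buffer in two different ways, `sizeof(fstring) - 1` in the NT-error branch and `sizeof(error_message) - 1` in the RAP branch. These agree only while `error_message` is declared as an fstring, and that declaration is outside the hunk. I would write `sizeof(error_message) - 1` in both calls so the bound follows the buffer if its type ever changes.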
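Review bot: In cli_NetWkstaUserLogon the new `pstrcpy(p,user)` and `pstrcpy(p, workstation)` write through a cursor into `param`, so a bound taken from the size of a pstring (which is what the macro name suggests; its definition is not on this page) says nothing about the room left at `p`. The code then steps over fixed-width fields (`p += 21`, `p += 16`), so a longer `user` or `workstation` would still spill into the fields that follow. I would bound each copy by its field, e.g. `safe_strcpy(p, user, 20);` and `safe_strcpy(p, workstation, 15);`, assuming safe_strcpy takes the maximum string length excluding the terminator. The same cursor pattern recurs in cli_RNetShareEnum, cli_NetServerEnum, cli_session_setup, cli_send_tconX, cli_mv, cli_unlink, cli_mkdir, cli_rmdir, cli_open, cli_getatr, cli_setatr and cli_negprot, where the bound should be the space remaining in `param` or `cli->outbuf`.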
@@ -625,7 +625,7 @@ BOOL cli_session_setup(struct cli_state *cli, p = smb_buf(cli->outbuf); memcpy(p,pword,passlen); p += passlen; - strcpy(p,user); + pstrcpy(p,user); strupper(p); } else { set_message(cli->outbuf,13,0,True); @@ -644,14 +644,14 @@ BOOL cli_session_setup(struct cli_state *cli, p += SVAL(cli->outbuf,smb_vwv7); memcpy(p,ntpass,ntpasslen); p += SVAL(cli->outbuf,smb_vwv8); - strcpy(p,user); + pstrcpy(p,user); strupper(p); p = skip_string(p,1); - strcpy(p,workgroup); + pstrcpy(p,workgroup); strupper(p); p = skip_string(p,1); - strcpy(p,"Unix");p = skip_string(p,1); - strcpy(p,"Samba");p = skip_string(p,1); + pstrcpy(p,"Unix");p = skip_string(p,1); + pstrcpy(p,"Samba");p = skip_string(p,1); set_message(cli->outbuf,13,PTR_DIFF(p,smb_buf(cli->outbuf)),False); } @@ -728,9 +728,9 @@ BOOL cli_send_tconX(struct cli_state *cli, p = smb_buf(cli->outbuf); memcpy(p,pword,passlen); p += passlen; - strcpy(p,fullshare); + fstrcpy(p,fullshare); p = skip_string(p,1); - strcpy(p,dev); + pstrcpy(p,dev); SCVAL(cli->inbuf,smb_rcls, 1); @@ -785,10 +785,10 @@ BOOL cli_mv(struct cli_state *cli, char *fname_src, char *fname_dst) p = smb_buf(cli->outbuf); *p++ = 4; - strcpy(p,fname_src); + pstrcpy(p,fname_src); p = skip_string(p,1); *p++ = 4; - strcpy(p,fname_dst); + pstrcpy(p,fname_dst); send_smb(cli->fd,cli->outbuf); if (!client_receive_smb(cli->fd,cli->inbuf,cli->timeout)) { @@ -822,7 +822,7 @@ BOOL cli_unlink(struct cli_state *cli, char *fname) p = smb_buf(cli->outbuf); *p++ = 4; - strcpy(p,fname); + pstrcpy(p,fname); send_smb(cli->fd,cli->outbuf); if (!client_receive_smb(cli->fd,cli->inbuf,cli->timeout)) { @@ -855,7 +855,7 @@ BOOL cli_mkdir(struct cli_state *cli, char *dname) p = smb_buf(cli->outbuf); *p++ = 4; - strcpy(p,dname); + pstrcpy(p,dname); send_smb(cli->fd,cli->outbuf); if (!client_receive_smb(cli->fd,cli->inbuf,cli->timeout)) { 
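Review bot: In cli_unlink, `pstrcpy(p,fname)` turns an over-long path into a shorter one rather than an error, assuming the safe copy truncates at its bound, and the request is then sent for whatever path remains. For a delete, rename or rmdir that means acting on a different file than the caller named. The same applies to cli_mv, cli_mkdir and `fstrcpy(p,fullshare)` in cli_send_tconX, and to cli_rmdir and cli_open further down. I would reject the call before building the packet, e.g. `if (strlen(fname) >= sizeof(pstring)) return False;`, so that truncation is never silent. The function bodies start and end outside these hunks.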
@@ -887,7 +887,7 @@ BOOL cli_rmdir(struct cli_state *cli, char *dname) p = smb_buf(cli->outbuf); *p++ = 4; - strcpy(p,dname); + pstrcpy(p,dname); send_smb(cli->fd,cli->outbuf); if (!client_receive_smb(cli->fd,cli->inbuf,cli->timeout)) { @@ -952,7 +952,7 @@ int cli_open(struct cli_state *cli, char *fname, int flags, int share_mode) SSVAL(cli->outbuf,smb_vwv8,openfn); p = smb_buf(cli->outbuf); - strcpy(p,fname); + pstrcpy(p,fname); p = skip_string(p,1); send_smb(cli->fd,cli->outbuf); @@ -1179,7 +1179,7 @@ BOOL cli_getatr(struct cli_state *cli, char *fname, p = smb_buf(cli->outbuf); *p = 4; - strcpy(p+1, fname); + pstrcpy(p+1, fname); send_smb(cli->fd,cli->outbuf); if (!client_receive_smb(cli->fd,cli->inbuf,cli->timeout)) { @@ -1228,7 +1228,7 @@ BOOL cli_setatr(struct cli_state *cli, char *fname, int attr, time_t t) p = smb_buf(cli->outbuf); *p = 4; - strcpy(p+1, fname); + pstrcpy(p+1, fname); p = skip_string(p,1); *p = 4; @@ -1450,11 +1450,11 @@ BOOL cli_oem_change_password(struct cli_state *cli, char *user, char *new_passwo SSVAL(p,0,214); /* SamOEMChangePassword command. */ p += 2; - strcpy(p, "zsT"); + pstrcpy(p, "zsT"); p = skip_string(p,1); - strcpy(p, "B516B16"); + pstrcpy(p, "B516B16"); p = skip_string(p,1); - fstrcpy(p,user); + pstrcpy(p,user); p = skip_string(p,1); SSVAL(p,0,532); p += 2; @@ -1546,7 +1546,7 @@ BOOL cli_negprot(struct cli_state *cli) prots[numprots].name && prots[numprots].prot<=cli->protocol; numprots++) { *p++ = 2; - strcpy(p,prots[numprots].name); + pstrcpy(p,prots[numprots].name); p += strlen(p) + 1; } diff --git a/source3/libsmb/credentials.c b/source3/libsmb/credentials.c index 9f5c70e5e4..c9f7ee429b 100644 --- a/source3/libsmb/credentials.c +++ b/source3/libsmb/credentials.c 
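Review bot: In cli_oem_change_password the copy of `user` was already bounded by `fstrcpy(p,user)`, and this change replaces it with `pstrcpy(p,user)`, which loosens the limit if a pstring is larger than an fstring, as the two names suggest. `p` points into `param` after two descriptor strings, and the declaration of `param` is outside the hunk. Unless `param` is at least pstring-sized plus that header, I would keep `fstrcpy(p,user);` here or bound the copy by the space left in `param`.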
@@ -31,7 +31,7 @@ represent a credential as a string char *credstr(uchar *cred) { static fstring buf; - sprintf(buf,"%02X%02X%02X%02X%02X%02X%02X%02X", + slprintf(buf, sizeof(buf) - 1, "%02X%02X%02X%02X%02X%02X%02X%02X", cred[0], cred[1], cred[2], cred[3], cred[4], cred[5], cred[6], cred[7]); return buf; diff --git a/source3/libsmb/namequery.c b/source3/libsmb/namequery.c index 4de10f10ce..7f3d012c30 100644 --- a/source3/libsmb/namequery.c +++ b/source3/libsmb/namequery.c @@ -51,15 +51,15 @@ static void _interpret_node_status(char *p, char *master,char *rname) type = CVAL(p,15); p += 16; - strcat(flags, (p[0] & 0x80) ? "<GROUP> " : " "); - if ((p[0] & 0x60) == 0x00) strcat(flags,"B "); - if ((p[0] & 0x60) == 0x20) strcat(flags,"P "); - if ((p[0] & 0x60) == 0x40) strcat(flags,"M "); - if ((p[0] & 0x60) == 0x60) strcat(flags,"H "); - if (p[0] & 0x10) strcat(flags,"<DEREGISTERING> "); - if (p[0] & 0x08) strcat(flags,"<CONFLICT> "); - if (p[0] & 0x04) strcat(flags,"<ACTIVE> "); - if (p[0] & 0x02) strcat(flags,"<PERMANENT> "); + fstrcat(flags, (p[0] & 0x80) ? "<GROUP> " : " "); + if ((p[0] & 0x60) == 0x00) fstrcat(flags,"B "); + if ((p[0] & 0x60) == 0x20) fstrcat(flags,"P "); + if ((p[0] & 0x60) == 0x40) fstrcat(flags,"M "); + if ((p[0] & 0x60) == 0x60) fstrcat(flags,"H "); + if (p[0] & 0x10) fstrcat(flags,"<DEREGISTERING> "); + if (p[0] & 0x08) fstrcat(flags,"<CONFLICT> "); + if (p[0] & 0x04) fstrcat(flags,"<ACTIVE> "); + if (p[0] & 0x02) fstrcat(flags,"<PERMANENT> "); if (master && !*master && type == 0x1d) { StrnCpy(master,qname,15); @@ -341,9 +341,9 @@ BOOL getlmhostsent( FILE *fp, char *name, int *name_type, struct in_addr *ipaddr if (*line == '#') continue; - strcpy(ip,""); - strcpy(name,""); - strcpy(flags,""); + pstrcpy(ip,""); + pstrcpy(name,""); + pstrcpy(flags,""); ptr = line; diff --git a/source3/libsmb/nmblib.c b/source3/libsmb/nmblib.c index 5a8a037ce5..6c178758c6 100644 --- a/source3/libsmb/nmblib.c +++ b/source3/libsmb/nmblib.c 
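Review bot: In getlmhostsent, `name` is a `char *` parameter whose capacity this function cannot see, so `pstrcpy(name,"")` implies a pstring-sized destination that the signature does not promise. For clearing a string, `*name = '\0';` says the same thing without implying a size. I would also add a comment at the function head such as `/* name must point to a buffer of at least sizeof(pstring) bytes */` once the callers have been confirmed. The declarations of `ip` and `flags` and the later copies into all three buffers are outside the hunk, so whether pstrcpy is the right macro for them cannot be checked from here.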
@@ -252,7 +252,7 @@ static int put_nmb_name(char *buf,int offset,struct nmb_name *name) buf1[0] = '*'; buf1[15] = name->name_type; } else { - sprintf(buf1,"%-15.15s%c",name->name,name->name_type); + slprintf(buf1, sizeof(buf1) - 1,"%-15.15s%c",name->name,name->name_type); } buf[offset] = 0x20; @@ -270,7 +270,7 @@ static int put_nmb_name(char *buf,int offset,struct nmb_name *name) if (name->scope[0]) { /* XXXX this scope handling needs testing */ ret += strlen(name->scope) + 1; - strcpy(&buf[offset+1],name->scope); + pstrcpy(&buf[offset+1],name->scope); p = &buf[offset+1]; while ((p = strchr(p,'.'))) { diff --git a/source3/libsmb/nterr.c b/source3/libsmb/nterr.c index 0788ae1b60..d2f9335000 100644 --- a/source3/libsmb/nterr.c +++ b/source3/libsmb/nterr.c @@ -525,7 +525,7 @@ char *get_nt_error_msg(uint32 nt_code) static pstring msg; int idx = 0; - strcpy(msg, "Unknown NT error"); + pstrcpy(msg, "Unknown NT error"); nt_code &= 0xFFFF; @@ -533,7 +533,7 @@ char *get_nt_error_msg(uint32 nt_code) { if (nt_errs[idx].nt_errcode == nt_code) { - strcpy(msg, nt_errs[idx].nt_errstr); + pstrcpy(msg, nt_errs[idx].nt_errstr); return msg; } idx++; diff --git a/source3/libsmb/smberr.c b/source3/libsmb/smberr.c index e8c4544394..c284d18ba6 100644 --- a/source3/libsmb/smberr.c +++ b/source3/libsmb/smberr.c @@ -165,18 +165,18 @@ char *smb_errstr(char *inbuf) if (num == err[j].code) { if (DEBUGLEVEL > 0) - sprintf(ret,"%s - %s (%s)",err_classes[i].class, + slprintf(ret, sizeof(ret) - 1, "%s - %s (%s)",err_classes[i].class, err[j].name,err[j].message); else - sprintf(ret,"%s - %s",err_classes[i].class,err[j].name); + slprintf(ret, sizeof(ret) - 1, "%s - %s",err_classes[i].class,err[j].name); return ret; } } - sprintf(ret,"%s - %d",err_classes[i].class,num); + slprintf(ret, sizeof(ret) - 1, "%s - %d",err_classes[i].class,num); return ret; } - sprintf(ret,"Error: Unknown error (%d,%d)",class,num); + slprintf(ret, sizeof(ret) - 1, "Error: Unknown error (%d,%d)",class,num); return(ret); } |
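Review bot: In put_nmb_name the length added to the return value, `ret += strlen(name->scope) + 1`, is taken from the source string, while the new `pstrcpy(&buf[offset+1],name->scope)` may store fewer bytes if it truncates, so the returned length and the bytes actually written can disagree. The bound is also unrelated to the room left in `buf` past `offset`, for which the function has no parameter. I would compute the scope length once, use it for both the copy and `ret`, and document the contract with something like `/* buf must have room for the encoded name plus strlen(name->scope)+1 bytes at offset */`. The function continues outside the hunk.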
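Review bot: In smb_errstr every `sizeof(ret) - 1` equals the buffer size only if `ret` is declared as an array, and its declaration is outside the hunk. If it is, or later becomes, a `char *`, the bound silently turns into the pointer size minus one and the messages are cut to a few characters. I would add a comment at the declaration such as `/* must remain an array: the slprintf calls below use sizeof(ret) */`.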