This is a security audit change of the main source.

It removed all ocurrences of the following functions :

sprintf
strcpy
strcat

The replacements are slprintf, safe_strcpy and safe_strcat.

It should not be possible to use code in Samba that uses
sprintf, strcpy or strcat, only the safe_equivalents.

Once Andrew has fixed the slprintf implementation then
this code will be moved back to the 1.9.18 code stream.

Jeremy.
(This used to be commit 2d774454005f0b54e5684cf618da7060594dfcbb)

2 files changed, 28 insertions, 27 deletions

diff --git a/source3/passdb/ldap.c b/source3/passdb/ldap.c
index 7af8a1b9f1..0c9847becf 100644
--- a/source3/passdb/ldap.c
+++ b/source3/passdb/ldap.c
@@ -114,7 +114,7 @@ BOOL ldap_search_one_user_by_name(LDAP *ldap_struct, char *user, LDAPMessage **r
 	   in the filter expression, replace %u with the real name
 	   so in ldap filter, %u MUST exist :-)
 	*/	
-	strcpy(filter,lp_ldap_filter());
+	pstrcpy(filter,lp_ldap_filter());
 	string_sub(filter,"%u",user);
 	
 	if ( !ldap_search_one_user(ldap_struct, filter, result) )
@@ -152,7 +152,7 @@ void get_single_attribute(LDAP *ldap_struct, LDAPMessage *entry, char *attribute
 	
 	if ( (valeurs=ldap_get_values(ldap_struct, entry, attribute)) != NULL) 
 	{
-		strcpy(value, valeurs[0]);
+		pstrcpy(value, valeurs[0]);
 		ldap_value_free(valeurs);
 		DEBUG(3,("get_single_attribute:	[%s]=[%s]\n", attribute, value));	
 	}
@@ -451,7 +451,7 @@ void *startldappwent(BOOL update)
 	int scope = LDAP_SCOPE_ONELEVEL;
 	int rc;
 
-	char filter[256];
+	pstring filter;
 
 	if (!ldap_open_connection(&ldap_ent.ldap_struct)) /* open a connection to the server */
 		return NULL;
@@ -464,17 +464,17 @@ void *startldappwent(BOOL update)
 	{
 		case 1:
 		{
-			strcpy(filter, "objectclass=sambaAccount");
+			pstrcpy(filter, "objectclass=sambaAccount");
 			break;
 		}
 		case 2:
 		{
-			strcpy(filter, "objectclass=sambaMachine");
+			pstrcpy(filter, "objectclass=sambaMachine");
 			break;
 		}
 		default:
 		{
-			strcpy(filter, "(|(objectclass=sambaMachine)(objectclass=sambaAccount))");
+			pstrcpy(filter, "(|(objectclass=sambaMachine)(objectclass=sambaAccount))");
 			break;
 		}
 	}
diff --git a/source3/passdb/smbpass.c b/source3/passdb/smbpass.c
index 9c0b276074..aaa4db16ee 100644
--- a/source3/passdb/smbpass.c
+++ b/source3/passdb/smbpass.c
@@ -534,7 +534,7 @@ BOOL add_smbpwd_entry(struct smb_passwd *newpwd)
 
   int fd;
   int new_entry_length;
-  char *new_entry;
+  unsigned char *new_entry;
   long offpos;
   unsigned char *p;
 
@@ -583,19 +583,19 @@ Error was %s\n", newpwd->smb_name, pfile, strerror(errno)));
     return False;
   }
 
-  sprintf(new_entry, "%s:%u:", newpwd->smb_name, (unsigned)newpwd->smb_userid);
+  slprintf(new_entry, new_entry_length - 1, "%s:%u:", newpwd->smb_name, (unsigned)newpwd->smb_userid);
   p = (unsigned char *)&new_entry[strlen(new_entry)];
 
   if(newpwd->smb_passwd != NULL) {
     for( i = 0; i < 16; i++) {
-      sprintf((char *)&p[i*2], "%02X", newpwd->smb_passwd[i]);
+      slprintf((char *)&p[i*2], new_entry_length - (p - new_entry) - 1, "%02X", newpwd->smb_passwd[i]);
     }
   } else {
     i=0;
     if(newpwd->acct_ctrl & ACB_PWNOTREQ)
-      sprintf((char *)p, "NO PASSWORDXXXXXXXXXXXXXXXXXXXXX");
+      safe_strcpy((char *)p, "NO PASSWORDXXXXXXXXXXXXXXXXXXXXX", new_entry_length - 1 - (p - new_entry));
     else
-      sprintf((char *)p, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX");
+      safe_strcpy((char *)p, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", new_entry_length - 1 - (p - new_entry));
   }
   
   p += 32;
@@ -604,13 +604,13 @@ Error was %s\n", newpwd->smb_name, pfile, strerror(errno)));
 
   if(newpwd->smb_nt_passwd != NULL) {
     for( i = 0; i < 16; i++) {
-      sprintf((char *)&p[i*2], "%02X", newpwd->smb_nt_passwd[i]);
+      slprintf((char *)&p[i*2], new_entry_length - 1 - (p - new_entry), "%02X", newpwd->smb_nt_passwd[i]);
     }
   } else {
     if(newpwd->acct_ctrl & ACB_PWNOTREQ)
-      sprintf((char *)p, "NO PASSWORDXXXXXXXXXXXXXXXXXXXXX");
+      safe_strcpy((char *)p, "NO PASSWORDXXXXXXXXXXXXXXXXXXXXX", new_entry_length - 1 - (p - new_entry));
     else
-      sprintf((char *)p, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX");
+      safe_strcpy((char *)p, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", new_entry_length - 1 - (p - new_entry));
   }
 
   p += 32;
@@ -618,7 +618,8 @@ Error was %s\n", newpwd->smb_name, pfile, strerror(errno)));
   *p++ = ':';
 
   /* Add the account encoding and the last change time. */
-  sprintf((char *)p, "%s:LCT-%08X:\n", encode_acct_ctrl(newpwd->acct_ctrl),
+  slprintf((char *)p, new_entry_length - 1 - (p - new_entry),  "%s:LCT-%08X:\n",
+                                  encode_acct_ctrl(newpwd->acct_ctrl),
                      (uint32)time(NULL));
 
 #ifdef DEBUG_PASSWORD
@@ -945,13 +946,13 @@ BOOL mod_smbpwd_entry(struct smb_passwd* pwd, BOOL override)
   /* Create the 32 byte representation of the new p16 */
   if(pwd->smb_passwd != NULL) {
     for (i = 0; i < 16; i++) {
-      sprintf(&ascii_p16[i*2], "%02X", (uchar) pwd->smb_passwd[i]);
+      slprintf(&ascii_p16[i*2], sizeof(fstring) - 1, "%02X", (uchar) pwd->smb_passwd[i]);
     }
   } else {
     if(pwd->acct_ctrl & ACB_PWNOTREQ)
-      sprintf(ascii_p16, "NO PASSWORDXXXXXXXXXXXXXXXXXXXXX");
+      fstrcpy(ascii_p16, "NO PASSWORDXXXXXXXXXXXXXXXXXXXXX");
     else
-      sprintf(ascii_p16, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX");
+      fstrcpy(ascii_p16, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX");
   }
 
   /* Add on the NT md4 hash */
@@ -959,13 +960,13 @@ BOOL mod_smbpwd_entry(struct smb_passwd* pwd, BOOL override)
   wr_len = 65;
   if (pwd->smb_nt_passwd != NULL) {
     for (i = 0; i < 16; i++) {
-      sprintf(&ascii_p16[(i*2)+33], "%02X", (uchar) pwd->smb_nt_passwd[i]);
+      slprintf(&ascii_p16[(i*2)+33], sizeof(fstring) - 1, "%02X", (uchar) pwd->smb_nt_passwd[i]);
     }
   } else {
     if(pwd->acct_ctrl & ACB_PWNOTREQ)
-      sprintf(&ascii_p16[33], "NO PASSWORDXXXXXXXXXXXXXXXXXXXXX");
+      fstrcpy(&ascii_p16[33], "NO PASSWORDXXXXXXXXXXXXXXXXXXXXX");
     else
-      sprintf(&ascii_p16[33], "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX");
+      fstrcpy(&ascii_p16[33], "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX");
   }
 
   /* Add on the account info bits and the time of last
@@ -1024,10 +1025,10 @@ static void get_trust_account_file_name( char *domain, char *name, char *mac_fil
     return;
   }
 
-  strcat(mac_file, domain);
-  strcat(mac_file, ".");
-  strcat(mac_file, name);
-  strcat(mac_file, ".mac");
+  pstrcat(mac_file, domain);
+  pstrcat(mac_file, ".");
+  pstrcat(mac_file, name);
+  pstrcat(mac_file, ".mac");
 }
  
 /************************************************************************
@@ -1191,9 +1192,9 @@ BOOL set_trust_account_password( unsigned char *md4_new_pwd)
   } 
 
   for (i = 0; i < 16; i++)
-    sprintf(&linebuf[(i*2)], "%02X", md4_new_pwd[i]);
+    slprintf(&linebuf[(i*2)], sizeof(linebuf) -  (i*2) - 1, "%02X", md4_new_pwd[i]);
 
-  sprintf(&linebuf[32], ":TLC-%08X\n", (unsigned)time(NULL));
+  slprintf(&linebuf[32], 32, ":TLC-%08X\n", (unsigned)time(NULL));
 
   if(fwrite( linebuf, 1, 45, mach_passwd_fp)!= 45) {
     DEBUG(0,("set_trust_account_password: Failed to write file. Warning - the trust \