diff options
author | Andrew Tridgell <tridge@samba.org> | 1998-05-11 06:38:36 +0000 |
---|---|---|
committer | Andrew Tridgell <tridge@samba.org> | 1998-05-11 06:38:36 +0000 |
commit | 3dfc0c847240ac7e12c39f4ed9c31a888949ade1 (patch) | |
tree | 305f006b62ed9dcdca0f751dbf40d2a34ee054df /source3/smbd | |
parent | ffc88e2d26217f99c34ce24c0836bec3c809ca1a (diff) | |
download | samba-3dfc0c847240ac7e12c39f4ed9c31a888949ade1.tar.gz samba-3dfc0c847240ac7e12c39f4ed9c31a888949ade1.tar.bz2 samba-3dfc0c847240ac7e12c39f4ed9c31a888949ade1.zip |
changed to use slprintf() instead of sprintf() just about
everywhere. I've implemented slprintf() as a bounds checked sprintf()
using mprotect() and a non-writeable page.
This should prevent any sprintf based security holes.
(This used to be commit ee09e9dadb69aaba5a751dd20ccc6d587d841bd6)
Diffstat (limited to 'source3/smbd')
-rw-r--r-- | source3/smbd/message.c | 2 | ||||
-rw-r--r-- | source3/smbd/password.c | 14 | ||||
-rw-r--r-- | source3/smbd/reply.c | 10 | ||||
-rw-r--r-- | source3/smbd/server.c | 8 | ||||
-rw-r--r-- | source3/smbd/trans2.c | 4 | ||||
-rw-r--r-- | source3/smbd/uid.c | 2 |
6 files changed, 20 insertions, 20 deletions
diff --git a/source3/smbd/message.c b/source3/smbd/message.c index 24477f31ff..b368c4d031 100644 --- a/source3/smbd/message.c +++ b/source3/smbd/message.c @@ -53,7 +53,7 @@ static void msg_deliver(void) } /* put it in a temporary file */ - sprintf(s,"%s/msg.XXXXXX",tmpdir()); + slprintf(s,sizeof(s)-1, "%s/msg.XXXXXX",tmpdir()); fstrcpy(name,(char *)mktemp(s)); fd = open(name,O_WRONLY|O_CREAT|O_TRUNC|O_EXCL,0600); diff --git a/source3/smbd/password.c b/source3/smbd/password.c index 8dfae21ad1..67de0523e8 100644 --- a/source3/smbd/password.c +++ b/source3/smbd/password.c @@ -1044,7 +1044,7 @@ BOOL smb_password_ok(struct smb_passwd *smb_pass, use it (ie. does it exist in the smbpasswd file). */ DEBUG(4,("smb_password_ok: Checking NT MD4 password\n")); - if (smb_password_check(nt_pass, (uchar *)smb_pass->smb_nt_passwd, challenge)) + if (smb_password_check((char *)nt_pass, (uchar *)smb_pass->smb_nt_passwd, challenge)) { DEBUG(4,("smb_password_ok: NT MD4 password check succeeded\n")); return(True); @@ -1063,7 +1063,7 @@ BOOL smb_password_ok(struct smb_passwd *smb_pass, return True; } - if((smb_pass->smb_passwd != NULL) && smb_password_check(lm_pass, (uchar *)smb_pass->smb_passwd, challenge)) + if((smb_pass->smb_passwd != NULL) && smb_password_check((char *)lm_pass, (uchar *)smb_pass->smb_passwd, challenge)) { DEBUG(4,("smb_password_ok: LM MD4 password check succeeded\n")); return(True); @@ -1153,7 +1153,7 @@ BOOL password_ok(char *user,char *password, int pwlen, struct passwd *pwd) return(False); } - if(smb_password_ok( smb_pass, password, password)) + if(smb_password_ok( smb_pass, (unsigned char *)password,(uchar *)password)) { update_protected_database(user,True); return(True); @@ -1704,7 +1704,7 @@ BOOL check_hosts_equiv(char *user) char *home = get_home_dir(user); if (home) { extern int Client; - sprintf(rhostsfile, "%s/.rhosts", home); + slprintf(rhostsfile, sizeof(rhostsfile)-1, "%s/.rhosts", home); if (check_user_equiv(user,client_name(Client),rhostsfile)) return(True); } @@ -1953,8 +1953,8 @@ BOOL domain_client_validate( char *user, char *domain, DEBUG(3,("domain_client_validate: User passwords not in encrypted format.\n")); generate_random_buffer( local_challenge, 8, False); - SMBencrypt( smb_apasswd, local_challenge, local_lm_response); - SMBNTencrypt( smb_ntpasswd, local_challenge, local_nt_reponse); + SMBencrypt( (uchar *)smb_apasswd, local_challenge, local_lm_response); + SMBNTencrypt((uchar *)smb_ntpasswd, local_challenge, local_nt_reponse); smb_apasslen = 24; smb_ntpasslen = 24; smb_apasswd = (char *)local_lm_response; @@ -2127,7 +2127,7 @@ machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli))); /* We really don't care what LUID we give the user. */ generate_random_buffer( (unsigned char *)&smb_uid_low, 4, False); - if(cli_nt_login_network(&cli, domain, user, smb_uid_low, local_challenge, + if(cli_nt_login_network(&cli, domain, user, smb_uid_low, (char *)local_challenge, smb_apasswd, smb_ntpasswd, &ctr, &info3) == False) { DEBUG(0,("domain_client_validate: unable to validate password for user %s in domain \ %s to Domain controller %s. Error was %s.\n", user, domain, remote_machine, cli_errstr(&cli))); diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c index 1567e52777..b8270495fd 100644 --- a/source3/smbd/reply.c +++ b/source3/smbd/reply.c @@ -1149,7 +1149,7 @@ int reply_search(char *inbuf,char *outbuf, int dum_size, int dum_buffsize) smb_setlen(outbuf,outsize - 4); if ((! *directory) && dptr_path(dptr_num)) - sprintf(directory,"(%s)",dptr_path(dptr_num)); + slprintf(directory, sizeof(directory)-1, "(%s)",dptr_path(dptr_num)); DEBUG(4,("%s %s mask=%s path=%s cnum=%d dtype=%d nument=%d of %d\n", timestring(), @@ -1716,7 +1716,7 @@ int reply_unlink(char *inbuf,char *outbuf, int dum_size, int dum_buffsize) if(!mask_match(fname, mask, case_sensitive, False)) continue; error = ERRnoaccess; - sprintf(fname,"%s/%s",directory,dname); + slprintf(fname,sizeof(fname)-1, "%s/%s",directory,dname); if (!can_delete(fname,cnum,dirtype)) continue; if (!sys_unlink(fname)) count++; DEBUG(3,("reply_unlink : doing unlink on %s\n",fname)); @@ -2622,7 +2622,7 @@ int reply_printopen(char *inbuf,char *outbuf, int dum_size, int dum_buffsize) if (strlen(s) > 10) s[10] = 0; - sprintf(fname,"%s.XXXXXX",s); + slprintf(fname,sizeof(fname)-1, "%s.XXXXXX",s); } fnum = find_free_file(); @@ -3238,7 +3238,7 @@ int reply_mv(char *inbuf,char *outbuf, int dum_size, int dum_buffsize) if(!mask_match(fname, mask, case_sensitive, False)) continue; error = ERRnoaccess; - sprintf(fname,"%s/%s",directory,dname); + slprintf(fname,sizeof(fname)-1,"%s/%s",directory,dname); if (!can_rename(fname,cnum)) { DEBUG(6,("rename %s refused\n", fname)); continue; @@ -3451,7 +3451,7 @@ int reply_copy(char *inbuf,char *outbuf, int dum_size, int dum_buffsize) if(!mask_match(fname, mask, case_sensitive, False)) continue; error = ERRnoaccess; - sprintf(fname,"%s/%s",directory,dname); + slprintf(fname,sizeof(fname)-1, "%s/%s",directory,dname); strcpy(destname,newname); if (resolve_wildcards(fname,destname) && copy_file(directory,newname,cnum,ofun, diff --git a/source3/smbd/server.c b/source3/smbd/server.c index e4c00c141f..7788b142e0 100644 --- a/source3/smbd/server.c +++ b/source3/smbd/server.c @@ -563,7 +563,7 @@ BOOL unix_convert(char *name,int cnum,pstring saved_last_component, BOOL *bad_pa { char *s; fstring name2; - sprintf(name2,"%.6s.XXXXXX",remote_machine); + slprintf(name2,sizeof(name2)-1,"%.6s.XXXXXX",remote_machine); /* sanitise the name */ for (s=name2 ; *s ; s++) if (!issafe(*s)) *s = '_'; @@ -754,8 +754,8 @@ int disk_free(char *path,int *bsize,int *dfree,int *dsize) pstring syscmd; pstring outfile; - sprintf(outfile,"%s/dfree.smb.%d",tmpdir(),(int)getpid()); - sprintf(syscmd,"%s %s",df_command,path); + slprintf(outfile,sizeof(outfile)-1, "%s/dfree.smb.%d",tmpdir(),(int)getpid()); + slprintf(syscmd,sizeof(syscmd)-1,"%s %s",df_command,path); standard_sub_basic(syscmd); ret = smbrun(syscmd,outfile,False); @@ -1439,7 +1439,7 @@ static void check_magic(int fnum,int cnum) if (*lp_magicoutput(SNUM(cnum))) pstrcpy(magic_output,lp_magicoutput(SNUM(cnum))); else - sprintf(magic_output,"%s.out",fname); + slprintf(magic_output,sizeof(fname)-1, "%s.out",fname); chmod(fname,0755); ret = smbrun(fname,magic_output,False); diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c index af70064ef4..fb45efcc0b 100644 --- a/source3/smbd/trans2.c +++ b/source3/smbd/trans2.c @@ -772,7 +772,7 @@ static int call_trans2findfirst(char *inbuf, char *outbuf, int bufsize, int cnum send_trans2_replies( outbuf, bufsize, params, 10, pdata, PTR_DIFF(p,pdata)); if ((! *directory) && dptr_path(dptr_num)) - sprintf(directory,"(%s)",dptr_path(dptr_num)); + slprintf(directory,sizeof(directory)-1, "(%s)",dptr_path(dptr_num)); DEBUG(4,("%s %s mask=%s directory=%s cnum=%d dirtype=%d numentries=%d\n", timestring(), @@ -985,7 +985,7 @@ resume_key = %d resume name = %s continue=%d level = %d\n", send_trans2_replies( outbuf, bufsize, params, 8, pdata, PTR_DIFF(p,pdata)); if ((! *directory) && dptr_path(dptr_num)) - sprintf(directory,"(%s)",dptr_path(dptr_num)); + slprintf(directory,sizeof(directory)-1, "(%s)",dptr_path(dptr_num)); DEBUG(3,("%s %s mask=%s directory=%s cnum=%d dirtype=%d numentries=%d\n", timestring(), diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c index a8e340e46f..749248ac86 100644 --- a/source3/smbd/uid.c +++ b/source3/smbd/uid.c @@ -420,7 +420,7 @@ int smbrun(char *cmd,char *outfile,BOOL shared) return(1); } - sprintf(syscmd,"%s %d %d \"(%s 2>&1) > %s\"", + slprintf(syscmd,sizeof(syscmd)-1,"%s %d %d \"(%s 2>&1) > %s\"", path,uid,gid,cmd, outfile?outfile:"/dev/null"); |