summaryrefslogtreecommitdiff
path: root/source3/smbd
diff options
context:
space:
mode:
authorAndrew Tridgell <tridge@samba.org>1998-05-11 06:38:36 +0000
committerAndrew Tridgell <tridge@samba.org>1998-05-11 06:38:36 +0000
commit3dfc0c847240ac7e12c39f4ed9c31a888949ade1 (patch)
tree305f006b62ed9dcdca0f751dbf40d2a34ee054df /source3/smbd
parentffc88e2d26217f99c34ce24c0836bec3c809ca1a (diff)
downloadsamba-3dfc0c847240ac7e12c39f4ed9c31a888949ade1.tar.gz
samba-3dfc0c847240ac7e12c39f4ed9c31a888949ade1.tar.bz2
samba-3dfc0c847240ac7e12c39f4ed9c31a888949ade1.zip
changed to use slprintf() instead of sprintf() just about
everywhere. I've implemented slprintf() as a bounds checked sprintf() using mprotect() and a non-writeable page. This should prevent any sprintf based security holes. (This used to be commit ee09e9dadb69aaba5a751dd20ccc6d587d841bd6)
Diffstat (limited to 'source3/smbd')
-rw-r--r--source3/smbd/message.c2
-rw-r--r--source3/smbd/password.c14
-rw-r--r--source3/smbd/reply.c10
-rw-r--r--source3/smbd/server.c8
-rw-r--r--source3/smbd/trans2.c4
-rw-r--r--source3/smbd/uid.c2
6 files changed, 20 insertions, 20 deletions
diff --git a/source3/smbd/message.c b/source3/smbd/message.c
index 24477f31ff..b368c4d031 100644
--- a/source3/smbd/message.c
+++ b/source3/smbd/message.c
@@ -53,7 +53,7 @@ static void msg_deliver(void)
}
/* put it in a temporary file */
- sprintf(s,"%s/msg.XXXXXX",tmpdir());
+ slprintf(s,sizeof(s)-1, "%s/msg.XXXXXX",tmpdir());
fstrcpy(name,(char *)mktemp(s));
fd = open(name,O_WRONLY|O_CREAT|O_TRUNC|O_EXCL,0600);
diff --git a/source3/smbd/password.c b/source3/smbd/password.c
index 8dfae21ad1..67de0523e8 100644
--- a/source3/smbd/password.c
+++ b/source3/smbd/password.c
@@ -1044,7 +1044,7 @@ BOOL smb_password_ok(struct smb_passwd *smb_pass,
use it (ie. does it exist in the smbpasswd file).
*/
DEBUG(4,("smb_password_ok: Checking NT MD4 password\n"));
- if (smb_password_check(nt_pass, (uchar *)smb_pass->smb_nt_passwd, challenge))
+ if (smb_password_check((char *)nt_pass, (uchar *)smb_pass->smb_nt_passwd, challenge))
{
DEBUG(4,("smb_password_ok: NT MD4 password check succeeded\n"));
return(True);
@@ -1063,7 +1063,7 @@ BOOL smb_password_ok(struct smb_passwd *smb_pass,
return True;
}
- if((smb_pass->smb_passwd != NULL) && smb_password_check(lm_pass, (uchar *)smb_pass->smb_passwd, challenge))
+ if((smb_pass->smb_passwd != NULL) && smb_password_check((char *)lm_pass, (uchar *)smb_pass->smb_passwd, challenge))
{
DEBUG(4,("smb_password_ok: LM MD4 password check succeeded\n"));
return(True);
@@ -1153,7 +1153,7 @@ BOOL password_ok(char *user,char *password, int pwlen, struct passwd *pwd)
return(False);
}
- if(smb_password_ok( smb_pass, password, password))
+ if(smb_password_ok( smb_pass, (unsigned char *)password,(uchar *)password))
{
update_protected_database(user,True);
return(True);
@@ -1704,7 +1704,7 @@ BOOL check_hosts_equiv(char *user)
char *home = get_home_dir(user);
if (home) {
extern int Client;
- sprintf(rhostsfile, "%s/.rhosts", home);
+ slprintf(rhostsfile, sizeof(rhostsfile)-1, "%s/.rhosts", home);
if (check_user_equiv(user,client_name(Client),rhostsfile))
return(True);
}
@@ -1953,8 +1953,8 @@ BOOL domain_client_validate( char *user, char *domain,
DEBUG(3,("domain_client_validate: User passwords not in encrypted format.\n"));
generate_random_buffer( local_challenge, 8, False);
- SMBencrypt( smb_apasswd, local_challenge, local_lm_response);
- SMBNTencrypt( smb_ntpasswd, local_challenge, local_nt_reponse);
+ SMBencrypt( (uchar *)smb_apasswd, local_challenge, local_lm_response);
+ SMBNTencrypt((uchar *)smb_ntpasswd, local_challenge, local_nt_reponse);
smb_apasslen = 24;
smb_ntpasslen = 24;
smb_apasswd = (char *)local_lm_response;
@@ -2127,7 +2127,7 @@ machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli)));
/* We really don't care what LUID we give the user. */
generate_random_buffer( (unsigned char *)&smb_uid_low, 4, False);
- if(cli_nt_login_network(&cli, domain, user, smb_uid_low, local_challenge,
+ if(cli_nt_login_network(&cli, domain, user, smb_uid_low, (char *)local_challenge,
smb_apasswd, smb_ntpasswd, &ctr, &info3) == False) {
DEBUG(0,("domain_client_validate: unable to validate password for user %s in domain \
%s to Domain controller %s. Error was %s.\n", user, domain, remote_machine, cli_errstr(&cli)));
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 1567e52777..b8270495fd 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -1149,7 +1149,7 @@ int reply_search(char *inbuf,char *outbuf, int dum_size, int dum_buffsize)
smb_setlen(outbuf,outsize - 4);
if ((! *directory) && dptr_path(dptr_num))
- sprintf(directory,"(%s)",dptr_path(dptr_num));
+ slprintf(directory, sizeof(directory)-1, "(%s)",dptr_path(dptr_num));
DEBUG(4,("%s %s mask=%s path=%s cnum=%d dtype=%d nument=%d of %d\n",
timestring(),
@@ -1716,7 +1716,7 @@ int reply_unlink(char *inbuf,char *outbuf, int dum_size, int dum_buffsize)
if(!mask_match(fname, mask, case_sensitive, False)) continue;
error = ERRnoaccess;
- sprintf(fname,"%s/%s",directory,dname);
+ slprintf(fname,sizeof(fname)-1, "%s/%s",directory,dname);
if (!can_delete(fname,cnum,dirtype)) continue;
if (!sys_unlink(fname)) count++;
DEBUG(3,("reply_unlink : doing unlink on %s\n",fname));
@@ -2622,7 +2622,7 @@ int reply_printopen(char *inbuf,char *outbuf, int dum_size, int dum_buffsize)
if (strlen(s) > 10) s[10] = 0;
- sprintf(fname,"%s.XXXXXX",s);
+ slprintf(fname,sizeof(fname)-1, "%s.XXXXXX",s);
}
fnum = find_free_file();
@@ -3238,7 +3238,7 @@ int reply_mv(char *inbuf,char *outbuf, int dum_size, int dum_buffsize)
if(!mask_match(fname, mask, case_sensitive, False)) continue;
error = ERRnoaccess;
- sprintf(fname,"%s/%s",directory,dname);
+ slprintf(fname,sizeof(fname)-1,"%s/%s",directory,dname);
if (!can_rename(fname,cnum)) {
DEBUG(6,("rename %s refused\n", fname));
continue;
@@ -3451,7 +3451,7 @@ int reply_copy(char *inbuf,char *outbuf, int dum_size, int dum_buffsize)
if(!mask_match(fname, mask, case_sensitive, False)) continue;
error = ERRnoaccess;
- sprintf(fname,"%s/%s",directory,dname);
+ slprintf(fname,sizeof(fname)-1, "%s/%s",directory,dname);
strcpy(destname,newname);
if (resolve_wildcards(fname,destname) &&
copy_file(directory,newname,cnum,ofun,
diff --git a/source3/smbd/server.c b/source3/smbd/server.c
index e4c00c141f..7788b142e0 100644
--- a/source3/smbd/server.c
+++ b/source3/smbd/server.c
@@ -563,7 +563,7 @@ BOOL unix_convert(char *name,int cnum,pstring saved_last_component, BOOL *bad_pa
{
char *s;
fstring name2;
- sprintf(name2,"%.6s.XXXXXX",remote_machine);
+ slprintf(name2,sizeof(name2)-1,"%.6s.XXXXXX",remote_machine);
/* sanitise the name */
for (s=name2 ; *s ; s++)
if (!issafe(*s)) *s = '_';
@@ -754,8 +754,8 @@ int disk_free(char *path,int *bsize,int *dfree,int *dsize)
pstring syscmd;
pstring outfile;
- sprintf(outfile,"%s/dfree.smb.%d",tmpdir(),(int)getpid());
- sprintf(syscmd,"%s %s",df_command,path);
+ slprintf(outfile,sizeof(outfile)-1, "%s/dfree.smb.%d",tmpdir(),(int)getpid());
+ slprintf(syscmd,sizeof(syscmd)-1,"%s %s",df_command,path);
standard_sub_basic(syscmd);
ret = smbrun(syscmd,outfile,False);
@@ -1439,7 +1439,7 @@ static void check_magic(int fnum,int cnum)
if (*lp_magicoutput(SNUM(cnum)))
pstrcpy(magic_output,lp_magicoutput(SNUM(cnum)));
else
- sprintf(magic_output,"%s.out",fname);
+ slprintf(magic_output,sizeof(fname)-1, "%s.out",fname);
chmod(fname,0755);
ret = smbrun(fname,magic_output,False);
diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index af70064ef4..fb45efcc0b 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -772,7 +772,7 @@ static int call_trans2findfirst(char *inbuf, char *outbuf, int bufsize, int cnum
send_trans2_replies( outbuf, bufsize, params, 10, pdata, PTR_DIFF(p,pdata));
if ((! *directory) && dptr_path(dptr_num))
- sprintf(directory,"(%s)",dptr_path(dptr_num));
+ slprintf(directory,sizeof(directory)-1, "(%s)",dptr_path(dptr_num));
DEBUG(4,("%s %s mask=%s directory=%s cnum=%d dirtype=%d numentries=%d\n",
timestring(),
@@ -985,7 +985,7 @@ resume_key = %d resume name = %s continue=%d level = %d\n",
send_trans2_replies( outbuf, bufsize, params, 8, pdata, PTR_DIFF(p,pdata));
if ((! *directory) && dptr_path(dptr_num))
- sprintf(directory,"(%s)",dptr_path(dptr_num));
+ slprintf(directory,sizeof(directory)-1, "(%s)",dptr_path(dptr_num));
DEBUG(3,("%s %s mask=%s directory=%s cnum=%d dirtype=%d numentries=%d\n",
timestring(),
diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c
index a8e340e46f..749248ac86 100644
--- a/source3/smbd/uid.c
+++ b/source3/smbd/uid.c
@@ -420,7 +420,7 @@ int smbrun(char *cmd,char *outfile,BOOL shared)
return(1);
}
- sprintf(syscmd,"%s %d %d \"(%s 2>&1) > %s\"",
+ slprintf(syscmd,sizeof(syscmd)-1,"%s %d %d \"(%s 2>&1) > %s\"",
path,uid,gid,cmd,
outfile?outfile:"/dev/null");