From 3dfc0c847240ac7e12c39f4ed9c31a888949ade1 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 11 May 1998 06:38:36 +0000 Subject: changed to use slprintf() instead of sprintf() just about everywhere. I've implemented slprintf() as a bounds checked sprintf() using mprotect() and a non-writeable page. This should prevent any sprintf based security holes. (This used to be commit ee09e9dadb69aaba5a751dd20ccc6d587d841bd6) --- source3/client/client.c | 34 ++++++++++----- source3/client/clitar.c | 2 +- source3/client/smbmount.c | 4 +- source3/include/includes.h | 1 + source3/include/proto.h | 5 +++ source3/lib/charset.c | 4 +- source3/lib/pidfile.c | 4 +- source3/lib/slprintf.c | 88 +++++++++++++++++++++++++++++++++++++++ source3/lib/system.c | 2 +- source3/lib/util.c | 6 +-- source3/lib/util_hnd.c | 6 +-- source3/libsmb/clientgen.c | 7 ++-- source3/libsmb/nmblib.c | 4 +- source3/locking/shmem_sysv.c | 2 +- source3/nmbd/nmbd.c | 2 +- source3/nmbd/nmbd_serverlistdb.c | 16 +++---- source3/param/loadparm.c | 6 ++- source3/passdb/smbpass.c | 20 +++++---- source3/printing/printing.c | 2 +- source3/rpc_client/cli_login.c | 8 ++-- source3/rpc_client/cli_netlogon.c | 2 +- source3/rpc_client/cli_pipe.c | 8 ++-- source3/rpc_parse/parse_net.c | 4 +- source3/rpc_parse/parse_prs.c | 4 +- source3/rpc_server/srv_lsa_hnd.c | 6 +-- source3/rpc_server/srv_netlog.c | 12 +++--- source3/smbd/message.c | 2 +- source3/smbd/password.c | 14 +++---- source3/smbd/reply.c | 10 ++--- source3/smbd/server.c | 8 ++-- source3/smbd/trans2.c | 4 +- source3/smbd/uid.c | 2 +- source3/utils/smbpasswd.c | 2 +- 33 files changed, 207 insertions(+), 94 deletions(-) create mode 100644 source3/lib/slprintf.c diff --git a/source3/client/client.c b/source3/client/client.c index b7635c1ea3..9596a3997a 100644 --- a/source3/client/client.c +++ b/source3/client/client.c 
@@ -1496,9 +1496,11 @@ static void do_mget(file_info *finfo) } if (finfo->mode & aDIR) - sprintf(quest,"Get directory %s? ",CNV_LANG(finfo->name)); + slprintf(quest,sizeof(pstring)-1, + "Get directory %s? ",CNV_LANG(finfo->name)); else - sprintf(quest,"Get file %s? ",CNV_LANG(finfo->name)); + slprintf(quest,sizeof(pstring)-1, + "Get file %s? ",CNV_LANG(finfo->name)); if (prompt && !yesno(quest)) return; @@ -1572,7 +1574,9 @@ static void cmd_more(char *dum_in, char *dum_out) strcpy(rname,cur_dir); strcat(rname,"\\"); - sprintf(tmpname,"%s/smbmore.%d",tmpdir(),(int)getpid()); + slprintf(tmpname, + sizeof(fstring)-1, + "%s/smbmore.%d",tmpdir(),(int)getpid()); strcpy(lname,tmpname); if (!next_token(NULL,rname+strlen(rname),NULL)) { @@ -1584,7 +1588,9 @@ static void cmd_more(char *dum_in, char *dum_out) do_get(rname,lname,NULL); pager=getenv("PAGER"); - sprintf(pager_cmd,"%s %s",(pager? pager:PAGER), tmpname); + + slprintf(pager_cmd,sizeof(pager_cmd)-1, + "%s %s",(pager? pager:PAGER), tmpname); system(pager_cmd); unlink(tmpname); } @@ -2046,11 +2052,14 @@ static void cmd_mput(char *dum_in, char *dum_out) pstring tmpname; FILE *f; - sprintf(tmpname,"%s/ls.smb.%d",tmpdir(),(int)getpid()); + slprintf(tmpname,sizeof(pstring)-1, + "%s/ls.smb.%d",tmpdir(),(int)getpid()); if (recurse) - sprintf(cmd,"find . -name \"%s\" -print > %s",p,tmpname); + slprintf(cmd,sizeof(pstring)-1, + "find . -name \"%s\" -print > %s",p,tmpname); else - sprintf(cmd,"/bin/ls %s > %s",p,tmpname); + slprintf(cmd,sizeof(pstring)-1, + "/bin/ls %s > %s",p,tmpname); system(cmd); f = fopen(tmpname,"r"); @@ -2069,7 +2078,8 @@ static void cmd_mput(char *dum_in, char *dum_out) if (directory_exist(lname,&st)) { if (!recurse) continue; - sprintf(quest,"Put directory %s? ",lname); + slprintf(quest,sizeof(pstring)-1, + "Put directory %s? ",lname); if (prompt && !yesno(quest)) { strcat(lname,"/"); 
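Review bot: The bound for `quest` in do_mget is written as `sizeof(pstring)-1`, which is correct only if `quest` is declared as a `pstring`; that declaration is outside the hunk. Taking the size from the destination itself, `slprintf(quest,sizeof(quest)-1, ...)`, as the later "Put file" hunk in cmd_mput already does, keeps the limit tied to the buffer if its type ever changes. The same applies to `sizeof(fstring)-1` for `tmpname` in cmd_more and to `sizeof(pstring)-1` for `cmd` and `quest` in cmd_mput.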
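Review bot: In the cmd_mput hunk the bounded write does not make `cmd` safe to pass to `system()`: `p` is interpolated into a shell command line, unquoted in the `/bin/ls %s > %s` form, so any shell metacharacters in it are interpreted by the shell. The return value of `slprintf` is also ignored, so a result that did not fit is executed as a truncated command, possibly without its `> %s` redirection. Consider refusing to run when the formatted length does not fit and enumerating the files without a shell (for example with `opendir`/`readdir`). The same ignored-truncation pattern appears before `smbrun()` in the disk_free hunk of source3/smbd/server.c and for `syscmd` in the smbrun hunk of source3/smbd/uid.c. cmd_mput's body continues outside the hunk.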
@@ -2091,7 +2101,8 @@ static void cmd_mput(char *dum_in, char *dum_out) } else { - sprintf(quest,"Put file %s? ",lname); + slprintf(quest,sizeof(quest)-1, + "Put file %s? ",lname); if (prompt && !yesno(quest)) continue; strcpy(rname,cur_dir); @@ -3721,7 +3732,7 @@ static void usage(char *pname) save_debuglevel = DEBUGLEVEL = atoi(optarg); break; case 'l': - sprintf(debugf,"%s.client",optarg); + slprintf(debugf,sizeof(debugf)-1, "%s.client",optarg); break; case 'p': port = atoi(optarg); @@ -3814,7 +3825,8 @@ static void usage(char *pname) if (*query_host && !nt_domain_logon) { int ret = 0; - sprintf(service,"\\\\%s\\IPC$",query_host); + slprintf(service,sizeof(service)-1, + "\\\\%s\\IPC$",query_host); strupper(service); connect_as_ipc = True; if (cli_open_sockets(port)) diff --git a/source3/client/clitar.c b/source3/client/clitar.c index 98364b77ed..69a8c9823b 100644 --- a/source3/client/clitar.c +++ b/source3/client/clitar.c @@ -2129,7 +2129,7 @@ int process_tar(char *inbuf, char *outbuf) switch(tar_type) { case 'x': -#ifdef 0 +#if 0 do_tarput2(); #else do_tarput(); diff --git a/source3/client/smbmount.c b/source3/client/smbmount.c index cdfeb68064..51c1ee6310 100644 --- a/source3/client/smbmount.c +++ b/source3/client/smbmount.c @@ -350,7 +350,7 @@ static void cmd_mount(char *inbuf,char *outbuf) string_replace(share_name, '\\', '/'); string_replace(share_name, ' ', '_'); - sprintf(mount_command, "smbmnt %s -s %s", mount_point, share_name); + slprintf(mount_command, sizeof(mount_command)-1,"smbmnt %s -s %s", mount_point, share_name); while(next_token(NULL, buf, NULL)) { @@ -830,7 +830,7 @@ static void usage(char *pname) DEBUGLEVEL = atoi(optarg); break; case 'l': - sprintf(debugf,"%s.client",optarg); + slprintf(debugf,sizeof(debugf)-1,"%s.client",optarg); break; case 'p': port = atoi(optarg); diff --git a/source3/include/includes.h b/source3/include/includes.h index e5076c6f39..44ed317ae9 100644 --- a/source3/include/includes.h +++ b/source3/include/includes.h 
@@ -237,6 +237,7 @@ Here come some platform specific sections #define USE_SETSID #define HAVE_BZERO #define HAVE_MEMMOVE +#define HAVE_VSNPRINTF #define USE_SIGPROCMASK #define USE_WAITPID #define USE_SYSV_IPC diff --git a/source3/include/proto.h b/source3/include/proto.h index c9ca7a5ea6..833794a4fb 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -1806,6 +1806,11 @@ BOOL machine_password_delete( char *domain, char *name ); BOOL get_machine_account_password( unsigned char *ret_pwd, time_t *pass_last_set_time); BOOL set_machine_account_password( unsigned char *md4_new_pwd); +/*The following definitions come from snprintf.c */ + +int vslprintf(char *str, int n, char *format, va_list ap); +int slprintf(char *str, int n, char *format, ...); + /*The following definitions come from status.c */ void Ucrit_addUsername(pstring username); diff --git a/source3/lib/charset.c b/source3/lib/charset.c index fe170bdcf5..d8ce38f396 100644 --- a/source3/lib/charset.c +++ b/source3/lib/charset.c @@ -203,7 +203,9 @@ static codepage_p load_client_codepage( int client_codepage ) strcpy(codepage_file_name, CODEPAGEDIR); strcat(codepage_file_name, "/"); strcat(codepage_file_name, "codepage."); - sprintf( &codepage_file_name[strlen(codepage_file_name)], "%03d", + slprintf(&codepage_file_name[strlen(codepage_file_name)], + sizeof(pstring)-(strlen(codepage_file_name)+1), + "%03d", client_codepage); if(!file_exist(codepage_file_name,&st)) diff --git a/source3/lib/pidfile.c b/source3/lib/pidfile.c index 6cad1436eb..46d6a9d5b8 100644 --- a/source3/lib/pidfile.c +++ b/source3/lib/pidfile.c @@ -37,7 +37,7 @@ void pidfile_create(char *name) pstring pidFile; int pid; - sprintf(pidFile, "%s/%s.pid", lp_lockdir(), name); + slprintf(pidFile, sizeof(pidFile)-1, "%s/%s.pid", lp_lockdir(), name); pid = pidfile_pid(name); if (pid > 0 && process_exists(pid)) { 
@@ -76,7 +76,7 @@ int pidfile_pid(char *name) pstring pidFile; unsigned ret; - sprintf(pidFile, "%s/%s.pid", lp_lockdir(), name); + slprintf(pidFile, sizeof(pidFile)-1, "%s/%s.pid", lp_lockdir(), name); f = fopen(pidFile, "r"); if (!f) { diff --git a/source3/lib/slprintf.c b/source3/lib/slprintf.c new file mode 100644 index 0000000000..e2dc0e1235 --- /dev/null +++ b/source3/lib/slprintf.c 
@@ -0,0 +1,88 @@ +/* + Unix SMB/Netbios implementation. + Version 1.9. + snprintf replacement + Copyright (C) Andrew Tridgell 1998 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +extern int DEBUGLEVEL; + +int vslprintf(char *str, int n, char *format, va_list ap) +{ +#ifdef HAVE_VSNPRINTF + int ret = vsnprintf(str, n, format, ap); + if (ret >= 0) str[ret] = 0; + return ret; +#else + static char *buf; + static int len; + static int pagesize; + int ret; + + if (!len || !buf || (len-pagesize) < n) { + pagesize = getpagesize(); + len = (2+(n/pagesize))*pagesize; + /* note: we don't free the old memory (if any) as we don't + want a malloc lib to reuse the memory as it will + have the wrong permissions */ + buf = memalign(pagesize, len); + if (buf) { + if (mprotect(buf+(len-pagesize), pagesize, PROT_READ) != 0) { + exit(1); + return -1; + } + } + } + + if (!buf) { + exit(1); + } + + ret = vsprintf(str, format, ap); + /* we will have got a seg fault here if we overflowed the buffer */ + return ret; +#endif +} + +#ifdef __STDC__ +int slprintf(char *str, int n, char *format, ...) 
+{ +#else + int slprintf(va_alist) +va_dcl +{ + char *str, *format; + int n; +#endif + va_list ap; + int ret; + +#ifdef __STDC__ + va_start(ap, format); +#else + va_start(ap); + str = va_arg(ap,char *); + n = va_arg(ap,int); + format = va_arg(ap,char *); +#endif + + ret = vslprintf(str,n,format,ap); + va_end(ap); + return ret; +} diff --git a/source3/lib/system.c b/source3/lib/system.c index 3eef8e5034..f453741fdd 100644 --- a/source3/lib/system.c +++ b/source3/lib/system.c @@ -411,7 +411,7 @@ struct hostent *sys_gethostbyname(char *name) if((strlen(name) + strlen(domain)) >= sizeof(query)) return(gethostbyname(name)); - sprintf(query, "%s%s", name, domain); + slprintf(query, sizeof(query)-1, "%s%s", name, domain); return(gethostbyname(query)); #else /* REDUCE_ROOT_DNS_LOOKUPS */ return(gethostbyname(name)); diff --git a/source3/lib/util.c b/source3/lib/util.c index 2f637e1495..ee87d48388 100644 --- a/source3/lib/util.c +++ b/source3/lib/util.c @@ -226,7 +226,7 @@ static void check_log_size(void) if (dbf && file_size(debugf) > maxlog) { pstring name; fclose(dbf); dbf = NULL; - sprintf(name,"%s.old",debugf); + slprintf(name,sizeof(name)-1,"%s.old",debugf); sys_rename(debugf,name); reopen_logs(); } @@ -313,7 +313,7 @@ va_dcl va_start(ap); format_str = va_arg(ap,char *); #endif - vsprintf(msgbuf, format_str, ap); + vslprintf(msgbuf, sizeof(msgbuf)-1,format_str, ap); va_end(ap); msgbuf[255] = '\0'; @@ -3839,7 +3839,7 @@ static char *automount_lookup(char *user_name) if (strcmp(user_name, last_key)) { - sprintf(buffer, "[%s=%s]%s.%s", "key", user_name, nis_map, nis_domain); + slprintf(buffer, sizeof(buffer)-1, "[%s=%s]%s.%s", "key", user_name, nis_map, nis_domain); DEBUG(5, ("NIS+ querystring: %s\n", buffer)); if (result = nis_list(buffer, RETURN_RESULT, NULL, NULL)) diff --git a/source3/lib/util_hnd.c b/source3/lib/util_hnd.c index c8eabf35b4..1d1341d16e 100644 --- a/source3/lib/util_hnd.c +++ b/source3/lib/util_hnd.c 
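Review bot: Neither branch of `vslprintf` in the new source3/lib/slprintf.c actually enforces `n`. In the `HAVE_VSNPRINTF` branch, `str[ret] = 0` indexes with the return value of `vsnprintf`, which on C99 libraries is the untruncated length, so an over-long result stores the terminator past the end of the buffer; on libraries that return -1 on truncation nothing is terminated by this line. In the fallback branch the read-only page guards `buf`, but `vsprintf` formats into `str`, so the caller's buffer is written with no bound and the "seg fault" comment does not hold. The sketch below clamps the index in the first branch and formats into `buf` before copying at most `n` bytes in the second; it assumes callers pass the last valid index (`sizeof(x)-1`), as most call sites in this commit do.

```c
#ifdef HAVE_VSNPRINTF
	int ret = vsnprintf(str, n, format, ap);
	/* C99 returns the untruncated length, older libcs -1: clamp both */
	if (ret < 0 || ret > n) ret = n;
	str[ret] = 0;
	return ret;
#else
	/* … unchanged: static buf/len/pagesize and guard-page setup … */
	ret = vsprintf(buf, format, ap);
	/* an overflow of buf faults on the read-only page set up above */
	if (ret < 0) {
		str[0] = 0;
		return ret;
	}
	if (ret > n) ret = n;
	memcpy(str, buf, ret);
	str[ret] = 0;
	return ret;
#endif
```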
@@ -115,7 +115,7 @@ BOOL open_lsa_policy_hnd(POLICY_HND *hnd) memcpy(&(Policy[i].pol_hnd), hnd, sizeof(*hnd)); DEBUG(4,("Opened policy hnd[%x] ", i)); - dump_data(4, hnd->data, sizeof(hnd->data)); + dump_data(4, (char *)hnd->data, sizeof(hnd->data)); return True; } @@ -143,14 +143,14 @@ int find_lsa_policy_by_hnd(POLICY_HND *hnd) if (memcmp(&(Policy[i].pol_hnd), hnd, sizeof(*hnd)) == 0) { DEBUG(4,("Found policy hnd[%x] ", i)); - dump_data(4, hnd->data, sizeof(hnd->data)); + dump_data(4, (char *)hnd->data, sizeof(hnd->data)); return i; } } DEBUG(4,("Policy not found: ")); - dump_data(4, hnd->data, sizeof(hnd->data)); + dump_data(4, (char *)hnd->data, sizeof(hnd->data)); return -1; } diff --git a/source3/libsmb/clientgen.c b/source3/libsmb/clientgen.c index d72040505f..8b4001827c 100644 --- a/source3/libsmb/clientgen.c +++ b/source3/libsmb/clientgen.c @@ -343,8 +343,8 @@ BOOL cli_api_pipe(struct cli_state *cli, char *pipe_name, int pipe_name_len, data, data_count, max_data_count); return (cli_receive_trans(cli, SMBtrans, - rparam, rparam_count, - rdata, rdata_count)); + rparam, (int *)rparam_count, + rdata, (int *)rdata_count)); } /**************************************************************************** @@ -714,7 +714,8 @@ BOOL cli_send_tconX(struct cli_state *cli, memcpy(pword, pass, passlen); } - sprintf(fullshare, "\\\\%s\\%s", cli->desthost, share); + slprintf(fullshare, sizeof(fullshare)-1, + "\\\\%s\\%s", cli->desthost, share); set_message(cli->outbuf,4, 2 + strlen(fullshare) + passlen + strlen(dev),True); diff --git a/source3/libsmb/nmblib.c b/source3/libsmb/nmblib.c index 9c7b260c59..5a8a037ce5 100644 --- a/source3/libsmb/nmblib.c +++ b/source3/libsmb/nmblib.c 
@@ -294,9 +294,9 @@ char *namestr(struct nmb_name *n) char *p = ret[i]; if (!n->scope[0]) - sprintf(p,"%s<%02x>",n->name,n->name_type); + slprintf(p,sizeof(fstring)-1, "%s<%02x>",n->name,n->name_type); else - sprintf(p,"%s<%02x>.%s",n->name,n->name_type,n->scope); + slprintf(p,sizeof(fstring)-1, "%s<%02x>.%s",n->name,n->name_type,n->scope); i = (i+1)%4; return(p); diff --git a/source3/locking/shmem_sysv.c b/source3/locking/shmem_sysv.c index b9d4594947..20aea9283d 100644 --- a/source3/locking/shmem_sysv.c +++ b/source3/locking/shmem_sysv.c @@ -666,7 +666,7 @@ struct shmem_ops *sysv_shm_open(int ronly) shm_header_p = (struct ShmHeader *)shmat(shm_id, 0, read_only?SHM_RDONLY:0); - if ((int)shm_header_p == -1) { + if ((long)shm_header_p == -1) { DEBUG(0,("Can't attach to IPC area\n")); global_unlock(); return NULL; diff --git a/source3/nmbd/nmbd.c b/source3/nmbd/nmbd.c index 512504b02d..f9519bea18 100644 --- a/source3/nmbd/nmbd.c +++ b/source3/nmbd/nmbd.c @@ -619,7 +619,7 @@ int main(int argc,char *argv[]) strupper(global_myname); break; case 'l': - sprintf(debugf,"%s.nmb",optarg); + slprintf(debugf,sizeof(debugf)-1, "%s.nmb",optarg); break; case 'i': pstrcpy(scope,optarg); diff --git a/source3/nmbd/nmbd_serverlistdb.c b/source3/nmbd/nmbd_serverlistdb.c index ea1948cece..64ca49cdbc 100644 --- a/source3/nmbd/nmbd_serverlistdb.c +++ b/source3/nmbd/nmbd_serverlistdb.c @@ -365,10 +365,10 @@ void write_browse_list(time_t t, BOOL force_write) return; } - sprintf(tmp, "\"%s\"", work->work_group); + slprintf(tmp,sizeof(tmp)-1, "\"%s\"", work->work_group); fprintf(fp, "%-25s ", tmp); fprintf(fp, "%08x ", SV_TYPE_DOMAIN_ENUM|SV_TYPE_NT|SV_TYPE_LOCAL_LIST_ONLY); - sprintf(tmp, "\"%s\" ", work->local_master_browser_name); + slprintf(tmp, sizeof(tmp)-1, "\"%s\" ", work->local_master_browser_name); fprintf(fp, "%-30s", tmp); fprintf(fp, "\"%s\"\n", work->work_group); 
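Review bot: In the sysv_shm_open hunk, `(long)shm_header_p == -1` still tests the `shmat` failure value through an integer conversion, which is only right where `long` is as wide as a pointer. Comparing pointers avoids the assumption: `if (shm_header_p == (struct ShmHeader *)-1) {`. The function body continues outside the hunk.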
@@ -394,10 +394,10 @@ void write_browse_list(time_t t, BOOL force_write) } /* Output server details, plus what workgroup they're in. */ - sprintf(tmp, "\"%s\"", my_netbios_names[i]); + slprintf(tmp, sizeof(tmp)-1, "\"%s\"", my_netbios_names[i]); fprintf(fp, "%-25s ", tmp); fprintf(fp, "%08x ", stype); - sprintf(tmp, "\"%s\" ", lp_serverstring()); + slprintf(tmp, sizeof(tmp)-1, "\"%s\" ", lp_serverstring()); fprintf(fp, "%-30s", tmp); fprintf(fp, "\"%s\"\n", global_myworkgroup); } @@ -413,11 +413,11 @@ void write_browse_list(time_t t, BOOL force_write) if(wg_type) { - sprintf(tmp, "\"%s\"", work->work_group); + slprintf(tmp, sizeof(tmp)-1, "\"%s\"", work->work_group); fprintf(fp, "%-25s ", tmp); fprintf(fp, "%08x ", wg_type); - sprintf(tmp, "\"%s\" ", work->local_master_browser_name); + slprintf(tmp, sizeof(tmp)-1, "\"%s\" ", work->local_master_browser_name); fprintf(fp, "%-30s", tmp); fprintf(fp, "\"%s\"\n", work->work_group); } @@ -437,10 +437,10 @@ void write_browse_list(time_t t, BOOL force_write) if(serv_type) { /* Output server details, plus what workgroup they're in. */ - sprintf(tmp, "\"%s\"", servrec->serv.name); + slprintf(tmp, sizeof(tmp)-1, "\"%s\"", servrec->serv.name); fprintf(fp, "%-25s ", tmp); fprintf(fp, "%08x ", serv_type); - sprintf(tmp, "\"%s\" ", servrec->serv.comment); + slprintf(tmp, sizeof(tmp)-1, "\"%s\" ", servrec->serv.comment); fprintf(fp, "%-30s", tmp); fprintf(fp, "\"%s\"\n", work->work_group); } diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index 1958986f0b..1b95005c6c 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -1252,7 +1252,8 @@ BOOL lp_add_home(char *pszHomename, int iDefaultService, char *pszHomedir) if (!(*(iSERVICE(i).comment))) { pstring comment; - sprintf(comment,"Home directory of %s",pszHomename); + slprintf(comment,sizeof(comment), + "Home directory of %s",pszHomename); string_set(&iSERVICE(i).comment,comment); } iSERVICE(i).bAvailable = sDefault.bAvailable; 
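Review bot: In the lp_add_home hunk, `slprintf(comment,sizeof(comment), ...)` passes the full size of `comment`, whereas the other call sites in this commit pass the size minus one. `vslprintf` as added in source3/lib/slprintf.c stores the terminator at `str[ret]`, so the convention appears to be that `n` is the largest index that may hold the NUL; with `n == sizeof(comment)` that index is one past the array. Use `slprintf(comment,sizeof(comment)-1, ...)` here and in the lp_add_ipc hunk that follows, which has the same call.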
@@ -1283,7 +1284,8 @@ static BOOL lp_add_ipc(void) if (i < 0) return(False); - sprintf(comment,"IPC Service (%s)", Globals.szServerString ); + slprintf(comment,sizeof(comment), + "IPC Service (%s)", Globals.szServerString ); string_set(&iSERVICE(i).szPath,tmpdir()); string_set(&iSERVICE(i).szUsername,""); diff --git a/source3/passdb/smbpass.c b/source3/passdb/smbpass.c index b35e7013f2..cb75d62e42 100644 --- a/source3/passdb/smbpass.c +++ b/source3/passdb/smbpass.c @@ -418,7 +418,7 @@ struct smb_passwd *getsmbpwent(void *vp) p++; if(*p == ':') { p++; - if(*p && StrnCaseCmp( p, "LCT-", 4)) { + if(*p && StrnCaseCmp((char *)p, "LCT-", 4)) { int i; p += 4; for(i = 0; i < 8; i++) { @@ -431,7 +431,7 @@ struct smb_passwd *getsmbpwent(void *vp) * read into a time_t as the seconds since * 1970 that the password was last changed. */ - pw_buf.pass_last_set_time = (time_t)strtol(p, NULL, 16); + pw_buf.pass_last_set_time = (time_t)strtol((char *)p, NULL, 16); } } } @@ -650,9 +650,9 @@ Error was %s\n", newpwd->smb_name, pfile, strerror(errno))); } else { i=0; if(newpwd->acct_ctrl & ACB_PWNOTREQ) - sprintf(p, "NO PASSWORDXXXXXXXXXXXXXXXXXXXXX"); + sprintf((char *)p, "NO PASSWORDXXXXXXXXXXXXXXXXXXXXX"); else - sprintf(p, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"); + sprintf((char *)p, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"); } p += 32; @@ -665,9 +665,9 @@ Error was %s\n", newpwd->smb_name, pfile, strerror(errno))); } } else { if(newpwd->acct_ctrl & ACB_PWNOTREQ) - sprintf(p, "NO PASSWORDXXXXXXXXXXXXXXXXXXXXX"); + sprintf((char *)p, "NO PASSWORDXXXXXXXXXXXXXXXXXXXXX"); else - sprintf(p, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"); + sprintf((char *)p, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"); } p += 32; 
@@ -946,7 +946,7 @@ BOOL mod_smbpwd_entry(struct smb_passwd* pwd, BOOL override) p++; /* We should be pointing at the TLC entry. */ - if((linebuf_len > (PTR_DIFF(p, linebuf) + 13)) && StrnCaseCmp( p, "LCT-", 4)) { + if((linebuf_len > (PTR_DIFF(p, linebuf) + 13)) && StrnCaseCmp((char *)p, "LCT-", 4)) { p += 4; for(i = 0; i < 8; i++) { @@ -1032,7 +1032,9 @@ BOOL mod_smbpwd_entry(struct smb_passwd* pwd, BOOL override) pwd->pass_last_set_time = time(NULL); if(got_pass_last_set_time) { - sprintf(&ascii_p16[strlen(ascii_p16)], ":[%s]:TLC-%08X:", + slprintf(&ascii_p16[strlen(ascii_p16)], + sizeof(ascii_p16)-(strlen(ascii_p16)+1), + ":[%s]:TLC-%08X:", encode_bits, (uint32)pwd->pass_last_set_time ); wr_len = strlen(ascii_p16); } @@ -1073,7 +1075,7 @@ static void get_machine_account_file_name( char *domain, char *name, char *mac_f mac_file_len = strlen(mac_file); - if (sizeof(pstring) - mac_file_len - strlen(domain) - strlen(name) - 6 < 0) + if ((int)(sizeof(pstring) - mac_file_len - strlen(domain) - strlen(name) - 6) < 0) { DEBUG(0,("machine_password_lock: path %s too long to add machine details.\n", mac_file)); diff --git a/source3/printing/printing.c b/source3/printing/printing.c index c7db5744e2..278c54933d 100644 --- a/source3/printing/printing.c +++ b/source3/printing/printing.c @@ -1058,7 +1058,7 @@ int get_printqueue(int snum,int cnum,print_queue_struct **queue, standard_sub(cnum,syscmd); - sprintf(outfile,"%s/lpq.%08x",tmpdir(),str_checksum(syscmd)); + slprintf(outfile,sizeof(outfile)-1, "%s/lpq.%08x",tmpdir(),str_checksum(syscmd)); if (!lpq_cache_reset[snum] && cachetime && !stat(outfile,&sbuf)) { diff --git a/source3/rpc_client/cli_login.c b/source3/rpc_client/cli_login.c index b4cdf3ae50..42363e4ca5 100644 --- a/source3/rpc_client/cli_login.c +++ b/source3/rpc_client/cli_login.c 
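Review bot: The rewritten call in the mod_smbpwd_entry hunk at -1032 still writes the field tag as `TLC-%08X`, while the parsing code in getsmbpwent and earlier in this function compares against `"LCT-"`. Unless the difference is intended, a timestamp written here will not be recognised when the entry is read back; if the on-disk tag is meant to be `LCT-`, the format should be `":[%s]:LCT-%08X:"`. The bound `sizeof(ascii_p16)-(strlen(ascii_p16)+1)` is correct only if `ascii_p16` is an array in this scope, and its declaration is outside the hunk.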
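Review bot: The length check in get_machine_account_file_name still relies on an unsigned subtraction wrapping around and then converting to a negative `int`; the added `(int)` cast only makes that conversion explicit. Comparing sums needs neither: `if (mac_file_len + strlen(domain) + strlen(name) + 6 > sizeof(pstring))`. The function body continues outside the hunk.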
@@ -52,7 +52,7 @@ BOOL cli_nt_setup_creds(struct cli_state *cli, unsigned char mach_pwd[16]) /**************** Long-term Session key **************/ /* calculate the session key */ - cred_session_key(&clnt_chal, &srv_chal, mach_pwd, cli->sess_key); + cred_session_key(&clnt_chal, &srv_chal, (char *)mach_pwd, cli->sess_key); bzero(cli->sess_key+8, 8); /******************* Authenticate 2 ********************/ @@ -113,7 +113,7 @@ BOOL cli_nt_login_interactive(struct cli_state *cli, char *domain, char *usernam DEBUG(5,("cli_nt_login_interactive: %d\n", __LINE__)); - nt_lm_owf_gen(password, nt_owf_user_pwd, lm_owf_user_pwd); + nt_lm_owf_gen(password, (char *)nt_owf_user_pwd, (char *)lm_owf_user_pwd); #ifdef DEBUG_PASSWORD @@ -134,7 +134,7 @@ BOOL cli_nt_login_interactive(struct cli_state *cli, char *domain, char *usernam make_id_info1(&ctr->auth.id1, domain, 0, smb_userid_low, 0, username, cli->clnt_name_slash, - cli->sess_key, lm_owf_user_pwd, nt_owf_user_pwd); + (char *)cli->sess_key, lm_owf_user_pwd, nt_owf_user_pwd); /* Ensure we overwrite all the plaintext password equivalents. */ @@ -170,7 +170,7 @@ BOOL cli_nt_login_network(struct cli_state *cli, char *domain, char *username, make_id_info2(&ctr->auth.id2, domain, 0, smb_userid_low, 0, username, cli->clnt_name_slash, - lm_chal, lm_chal_resp, nt_chal_resp); + (uchar *)lm_chal, (uchar *)lm_chal_resp, (uchar *)nt_chal_resp); /* Send client sam-logon request - update credentials on success. */ return cli_net_sam_logon(cli, ctr, user_info3); diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index da74bc6bc6..6f96f392fb 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c 
@@ -270,7 +270,7 @@ BOOL cli_net_srv_pwset(struct cli_state *cli, uint8 hashed_mach_pwd[16]) /* store the parameters */ make_q_srv_pwset(&q_s, cli->srv_name_slash, cli->mach_acct, sec_chan_type, - global_myname, &new_clnt_cred, hashed_mach_pwd); + global_myname, &new_clnt_cred, (char *)hashed_mach_pwd); /* turn parameters into data stream */ net_io_q_srv_pwset("", &q_s, &buf, 0); diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c index 3076df3bb7..c458aa102a 100644 --- a/source3/rpc_client/cli_pipe.c +++ b/source3/rpc_client/cli_pipe.c @@ -95,7 +95,7 @@ static BOOL rpc_read(struct cli_state *cli, file_offset += num_read; data += num_read; - cli_error(cli, &errclass, &err); + cli_error(cli, (int *)&errclass, (int *)&err); if (errclass != 0) return False; @@ -264,7 +264,7 @@ BOOL rpc_api_pipe(struct cli_state *cli, uint16 cmd, prs_mem_free(&hps); - cli_error(cli, &errclass, &err); + cli_error(cli, (int *)&errclass, (int *)&err); if (errclass != 0) return False; @@ -492,10 +492,10 @@ static BOOL valid_pipe_name(char *pipe_name, RPC_IFACE *abstract, RPC_IFACE *tra if (strequal(pipe_name, pipe_names[pipe_idx].client_pipe )) { DEBUG(5,("Bind Abstract Syntax: ")); - dump_data(5, (uchar*)&(pipe_names[pipe_idx].abstr_syntax), + dump_data(5, (char*)&(pipe_names[pipe_idx].abstr_syntax), sizeof(pipe_names[pipe_idx].abstr_syntax)); DEBUG(5,("Bind Transfer Syntax: ")); - dump_data(5, (uchar*)&(pipe_names[pipe_idx].trans_syntax), + dump_data(5, (char*)&(pipe_names[pipe_idx].trans_syntax), sizeof(pipe_names[pipe_idx].trans_syntax)); /* copy the required syntaxes out so we can do the right bind */ diff --git a/source3/rpc_parse/parse_net.c b/source3/rpc_parse/parse_net.c index 84a88e4b92..c74ace8d63 100644 --- a/source3/rpc_parse/parse_net.c +++ b/source3/rpc_parse/parse_net.c 
@@ -742,8 +742,8 @@ void make_id_info2(NET_ID_INFO_2 *id, char *domain_name, make_unistr2(&(id->uni_user_name ), user_name , len_user_name ); make_unistr2(&(id->uni_wksta_name ), wksta_name , len_wksta_name ); - make_string2(&(id->nt_chal_resp ), nt_chal_resp , nt_chal_resp != NULL ? 24 : 0); - make_string2(&(id->lm_chal_resp ), lm_chal_resp , lm_chal_resp != NULL ? 24 : 0); + make_string2(&(id->nt_chal_resp ), (char *)nt_chal_resp , nt_chal_resp != NULL ? 24 : 0); + make_string2(&(id->lm_chal_resp ), (char *)lm_chal_resp , lm_chal_resp != NULL ? 24 : 0); } /******************************************************************* diff --git a/source3/rpc_parse/parse_prs.c b/source3/rpc_parse/parse_prs.c index 0baf05597c..ad05831229 100644 --- a/source3/rpc_parse/parse_prs.c +++ b/source3/rpc_parse/parse_prs.c @@ -242,7 +242,7 @@ BOOL prs_unistr(char *name, prs_struct *ps, int depth, UNISTR *str) ps->offset += i*2; - dump_data(5+depth, start, ps->offset); + dump_data(5+depth, (char *)start, ps->offset); return True; } @@ -283,7 +283,7 @@ BOOL prs_string(char *name, prs_struct *ps, int depth, char *str, uint16 len) ps->offset += i+1; - dump_data(5+depth, start, ps->offset); + dump_data(5+depth, (char *)start, ps->offset); return True; } diff --git a/source3/rpc_server/srv_lsa_hnd.c b/source3/rpc_server/srv_lsa_hnd.c index c8eabf35b4..1d1341d16e 100644 --- a/source3/rpc_server/srv_lsa_hnd.c +++ b/source3/rpc_server/srv_lsa_hnd.c @@ -115,7 +115,7 @@ BOOL open_lsa_policy_hnd(POLICY_HND *hnd) memcpy(&(Policy[i].pol_hnd), hnd, sizeof(*hnd)); DEBUG(4,("Opened policy hnd[%x] ", i)); - dump_data(4, hnd->data, sizeof(hnd->data)); + dump_data(4, (char *)hnd->data, sizeof(hnd->data)); return True; } 
@@ -143,14 +143,14 @@ int find_lsa_policy_by_hnd(POLICY_HND *hnd) if (memcmp(&(Policy[i].pol_hnd), hnd, sizeof(*hnd)) == 0) { DEBUG(4,("Found policy hnd[%x] ", i)); - dump_data(4, hnd->data, sizeof(hnd->data)); + dump_data(4, (char *)hnd->data, sizeof(hnd->data)); return i; } } DEBUG(4,("Policy not found: ")); - dump_data(4, hnd->data, sizeof(hnd->data)); + dump_data(4, (char *)hnd->data, sizeof(hnd->data)); return -1; } diff --git a/source3/rpc_server/srv_netlog.c b/source3/rpc_server/srv_netlog.c index 76dd5dd74d..28c44a57b7 100644 --- a/source3/rpc_server/srv_netlog.c +++ b/source3/rpc_server/srv_netlog.c @@ -281,7 +281,7 @@ static void api_net_req_chal( int uid, strcat(mach_acct, "$"); - if (get_md4pw(vuser->dc.md4pw, mach_name, mach_acct)) + if (get_md4pw((char *)vuser->dc.md4pw, mach_name, mach_acct)) { /* copy the client credentials */ memcpy(vuser->dc.clnt_chal.data , q_r.clnt_chal.data, sizeof(q_r.clnt_chal.data)); @@ -297,7 +297,7 @@ static void api_net_req_chal( int uid, /* from client / server challenges and md4 password, generate sess key */ cred_session_key(&(vuser->dc.clnt_chal), &(vuser->dc.srv_chal), - vuser->dc.md4pw, vuser->dc.sess_key); + (char *)vuser->dc.md4pw, vuser->dc.sess_key); } else { @@ -489,8 +489,8 @@ static uint32 net_login_interactive(NET_ID_INFO_1 *id1, memcpy(lm_pwd, id1->lm_owf.data, 16); memcpy(nt_pwd, id1->nt_owf.data, 16); - SamOEMhash(lm_pwd, key, False); - SamOEMhash(nt_pwd, key, False); + SamOEMhash((uchar *)lm_pwd, key, False); + SamOEMhash((uchar *)nt_pwd, key, False); #ifdef DEBUG_PASSWORD DEBUG(100,("decrypt of lm owf password:")); @@ -526,7 +526,7 @@ static uint32 net_login_network(NET_ID_INFO_2 *id2, if (id2->hdr_nt_chal_resp.str_str_len == 24 && smb_pass->smb_nt_passwd != NULL) { - if(smb_password_check(id2->nt_chal_resp.buffer, + if(smb_password_check((char *)id2->nt_chal_resp.buffer, smb_pass->smb_nt_passwd, id2->lm_chal)) return 0x0; 
@@ -543,7 +543,7 @@ static uint32 net_login_network(NET_ID_INFO_2 *id2, */ if (id2->hdr_lm_chal_resp.str_str_len == 24 && - smb_password_check(id2->lm_chal_resp.buffer, + smb_password_check((char *)id2->lm_chal_resp.buffer, smb_pass->smb_passwd, id2->lm_chal)) { diff --git a/source3/smbd/message.c b/source3/smbd/message.c index 24477f31ff..b368c4d031 100644 --- a/source3/smbd/message.c +++ b/source3/smbd/message.c @@ -53,7 +53,7 @@ static void msg_deliver(void) } /* put it in a temporary file */ - sprintf(s,"%s/msg.XXXXXX",tmpdir()); + slprintf(s,sizeof(s)-1, "%s/msg.XXXXXX",tmpdir()); fstrcpy(name,(char *)mktemp(s)); fd = open(name,O_WRONLY|O_CREAT|O_TRUNC|O_EXCL,0600); diff --git a/source3/smbd/password.c b/source3/smbd/password.c index 8dfae21ad1..67de0523e8 100644 --- a/source3/smbd/password.c +++ b/source3/smbd/password.c @@ -1044,7 +1044,7 @@ BOOL smb_password_ok(struct smb_passwd *smb_pass, use it (ie. does it exist in the smbpasswd file). */ DEBUG(4,("smb_password_ok: Checking NT MD4 password\n")); - if (smb_password_check(nt_pass, (uchar *)smb_pass->smb_nt_passwd, challenge)) + if (smb_password_check((char *)nt_pass, (uchar *)smb_pass->smb_nt_passwd, challenge)) { DEBUG(4,("smb_password_ok: NT MD4 password check succeeded\n")); return(True); @@ -1063,7 +1063,7 @@ BOOL smb_password_ok(struct smb_passwd *smb_pass, return True; } - if((smb_pass->smb_passwd != NULL) && smb_password_check(lm_pass, (uchar *)smb_pass->smb_passwd, challenge)) + if((smb_pass->smb_passwd != NULL) && smb_password_check((char *)lm_pass, (uchar *)smb_pass->smb_passwd, challenge)) { DEBUG(4,("smb_password_ok: LM MD4 password check succeeded\n")); return(True); @@ -1153,7 +1153,7 @@ BOOL password_ok(char *user,char *password, int pwlen, struct passwd *pwd) return(False); } - if(smb_password_ok( smb_pass, password, password)) + if(smb_password_ok( smb_pass, (unsigned char *)password,(uchar *)password)) { update_protected_database(user,True); return(True); 
@@ -1704,7 +1704,7 @@ BOOL check_hosts_equiv(char *user) char *home = get_home_dir(user); if (home) { extern int Client; - sprintf(rhostsfile, "%s/.rhosts", home); + slprintf(rhostsfile, sizeof(rhostsfile)-1, "%s/.rhosts", home); if (check_user_equiv(user,client_name(Client),rhostsfile)) return(True); } @@ -1953,8 +1953,8 @@ BOOL domain_client_validate( char *user, char *domain, DEBUG(3,("domain_client_validate: User passwords not in encrypted format.\n")); generate_random_buffer( local_challenge, 8, False); - SMBencrypt( smb_apasswd, local_challenge, local_lm_response); - SMBNTencrypt( smb_ntpasswd, local_challenge, local_nt_reponse); + SMBencrypt( (uchar *)smb_apasswd, local_challenge, local_lm_response); + SMBNTencrypt((uchar *)smb_ntpasswd, local_challenge, local_nt_reponse); smb_apasslen = 24; smb_ntpasslen = 24; smb_apasswd = (char *)local_lm_response; @@ -2127,7 +2127,7 @@ machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli))); /* We really don't care what LUID we give the user. */ generate_random_buffer( (unsigned char *)&smb_uid_low, 4, False); - if(cli_nt_login_network(&cli, domain, user, smb_uid_low, local_challenge, + if(cli_nt_login_network(&cli, domain, user, smb_uid_low, (char *)local_challenge, smb_apasswd, smb_ntpasswd, &ctr, &info3) == False) { DEBUG(0,("domain_client_validate: unable to validate password for user %s in domain \ %s to Domain controller %s. Error was %s.\n", user, domain, remote_machine, cli_errstr(&cli))); diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c index 1567e52777..b8270495fd 100644 --- a/source3/smbd/reply.c +++ b/source3/smbd/reply.c @@ -1149,7 +1149,7 @@ int reply_search(char *inbuf,char *outbuf, int dum_size, int dum_buffsize) smb_setlen(outbuf,outsize - 4); if ((! *directory) && dptr_path(dptr_num)) - sprintf(directory,"(%s)",dptr_path(dptr_num)); + slprintf(directory, sizeof(directory)-1, "(%s)",dptr_path(dptr_num)); DEBUG(4,("%s %s mask=%s path=%s cnum=%d dtype=%d nument=%d of %d\n", timestring(), 
@@ -1716,7 +1716,7 @@ int reply_unlink(char *inbuf,char *outbuf, int dum_size, int dum_buffsize) if(!mask_match(fname, mask, case_sensitive, False)) continue; error = ERRnoaccess; - sprintf(fname,"%s/%s",directory,dname); + slprintf(fname,sizeof(fname)-1, "%s/%s",directory,dname); if (!can_delete(fname,cnum,dirtype)) continue; if (!sys_unlink(fname)) count++; DEBUG(3,("reply_unlink : doing unlink on %s\n",fname)); @@ -2622,7 +2622,7 @@ int reply_printopen(char *inbuf,char *outbuf, int dum_size, int dum_buffsize) if (strlen(s) > 10) s[10] = 0; - sprintf(fname,"%s.XXXXXX",s); + slprintf(fname,sizeof(fname)-1, "%s.XXXXXX",s); } fnum = find_free_file(); @@ -3238,7 +3238,7 @@ int reply_mv(char *inbuf,char *outbuf, int dum_size, int dum_buffsize) if(!mask_match(fname, mask, case_sensitive, False)) continue; error = ERRnoaccess; - sprintf(fname,"%s/%s",directory,dname); + slprintf(fname,sizeof(fname)-1,"%s/%s",directory,dname); if (!can_rename(fname,cnum)) { DEBUG(6,("rename %s refused\n", fname)); continue; @@ -3451,7 +3451,7 @@ int reply_copy(char *inbuf,char *outbuf, int dum_size, int dum_buffsize) if(!mask_match(fname, mask, case_sensitive, False)) continue; error = ERRnoaccess; - sprintf(fname,"%s/%s",directory,dname); + slprintf(fname,sizeof(fname)-1, "%s/%s",directory,dname); strcpy(destname,newname); if (resolve_wildcards(fname,destname) && copy_file(directory,newname,cnum,ofun, diff --git a/source3/smbd/server.c b/source3/smbd/server.c index e4c00c141f..7788b142e0 100644 --- a/source3/smbd/server.c +++ b/source3/smbd/server.c @@ -563,7 +563,7 @@ BOOL unix_convert(char *name,int cnum,pstring saved_last_component, BOOL *bad_pa { char *s; fstring name2; - sprintf(name2,"%.6s.XXXXXX",remote_machine); + slprintf(name2,sizeof(name2)-1,"%.6s.XXXXXX",remote_machine); /* sanitise the name */ for (s=name2 ; *s ; s++) if (!issafe(*s)) *s = '_'; 
@@ -754,8 +754,8 @@ int disk_free(char *path,int *bsize,int *dfree,int *dsize) pstring syscmd; pstring outfile; - sprintf(outfile,"%s/dfree.smb.%d",tmpdir(),(int)getpid()); - sprintf(syscmd,"%s %s",df_command,path); + slprintf(outfile,sizeof(outfile)-1, "%s/dfree.smb.%d",tmpdir(),(int)getpid()); + slprintf(syscmd,sizeof(syscmd)-1,"%s %s",df_command,path); standard_sub_basic(syscmd); ret = smbrun(syscmd,outfile,False); @@ -1439,7 +1439,7 @@ static void check_magic(int fnum,int cnum) if (*lp_magicoutput(SNUM(cnum))) pstrcpy(magic_output,lp_magicoutput(SNUM(cnum))); else - sprintf(magic_output,"%s.out",fname); + slprintf(magic_output,sizeof(fname)-1, "%s.out",fname); chmod(fname,0755); ret = smbrun(fname,magic_output,False); diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c index af70064ef4..fb45efcc0b 100644 --- a/source3/smbd/trans2.c +++ b/source3/smbd/trans2.c @@ -772,7 +772,7 @@ static int call_trans2findfirst(char *inbuf, char *outbuf, int bufsize, int cnum send_trans2_replies( outbuf, bufsize, params, 10, pdata, PTR_DIFF(p,pdata)); if ((! *directory) && dptr_path(dptr_num)) - sprintf(directory,"(%s)",dptr_path(dptr_num)); + slprintf(directory,sizeof(directory)-1, "(%s)",dptr_path(dptr_num)); DEBUG(4,("%s %s mask=%s directory=%s cnum=%d dirtype=%d numentries=%d\n", timestring(), @@ -985,7 +985,7 @@ resume_key = %d resume name = %s continue=%d level = %d\n", send_trans2_replies( outbuf, bufsize, params, 8, pdata, PTR_DIFF(p,pdata)); if ((! *directory) && dptr_path(dptr_num)) - sprintf(directory,"(%s)",dptr_path(dptr_num)); + slprintf(directory,sizeof(directory)-1, "(%s)",dptr_path(dptr_num)); DEBUG(3,("%s %s mask=%s directory=%s cnum=%d dirtype=%d numentries=%d\n", timestring(), diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c index a8e340e46f..749248ac86 100644 --- a/source3/smbd/uid.c +++ b/source3/smbd/uid.c 
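Review bot: In disk_free, `path` is placed unquoted into `syscmd` and the string is handed to smbrun(), so the new length bound limits the size of the command but not its content: whitespace or shell metacharacters in `path` would still change what is executed. Where `path` comes from is not visible in this hunk; if a client can influence it, it should be validated before formatting, for instance with the `issafe()` test that the `name2` loop in this file already applies. At minimum the assumption deserves a comment at the call: `/* path is interpolated into a shell command line; it must contain no shell metacharacters */`. The function body continues outside the hunk.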
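Review bot: The bound passed for `magic_output` in check_magic is `sizeof(fname)-1`, the size of the source buffer rather than the destination. It should read `slprintf(magic_output,sizeof(magic_output)-1, "%s.out",fname);`. Both declarations are outside the hunk: if the two buffers have the same type the current line works only by coincidence, and if `fname` is a pointer or a larger array the bound is wrong for `magic_output`.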
@@ -420,7 +420,7 @@ int smbrun(char *cmd,char *outfile,BOOL shared) return(1); } - sprintf(syscmd,"%s %d %d \"(%s 2>&1) > %s\"", + slprintf(syscmd,sizeof(syscmd)-1,"%s %d %d \"(%s 2>&1) > %s\"", path,uid,gid,cmd, outfile?outfile:"/dev/null"); diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c index 2504727bd6..77dcfb0d43 100644 --- a/source3/utils/smbpasswd.c +++ b/source3/utils/smbpasswd.c @@ -174,7 +174,7 @@ static int join_domain( char *domain, char *remote) fstrcpy(remote_machine, remote ? remote : ""); fstrcpy(machine_passwd, global_myname); strlower(machine_passwd); - E_md4hash( machine_passwd, machine_passwd_hash); + E_md4hash((uchar *)machine_passwd, machine_passwd_hash); generate_random_buffer( new_machine_passwd_hash, 16, True); -- cgit
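Review bot: In smbrun a command that does not fit in `syscmd` is still carried forward, because the result of the slprintf call is ignored; a cut-off string would lose the closing `"` and the `> outfile` redirection that the format places at the end. slprintf.c is not in this chunk, so this assumes an over-long result is truncated rather than rejected. Failing early is safer, e.g. `if (strlen(path)+strlen(cmd)+strlen(outfile?outfile:"/dev/null")+48 > sizeof(syscmd)) return(1);` before formatting, where 48 covers the two integers and the fixed characters of the format, and `return(1)` mirrors what appears to be the error path just above. The declaration of `syscmd` and the rest of the function are outside the hunk.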