From 3dfc0c847240ac7e12c39f4ed9c31a888949ade1 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell <tridge@samba.org>
Date: Mon, 11 May 1998 06:38:36 +0000
Subject: changed to use slprintf() instead of sprintf() just about everywhere.
 I've implemented slprintf() as a bounds checked sprintf() using mprotect()
 and a non-writeable page.

This should prevent any sprintf based security holes.
(This used to be commit ee09e9dadb69aaba5a751dd20ccc6d587d841bd6)
---
 source3/smbd/reply.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

(limited to 'source3/smbd/reply.c')

diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 1567e52777..b8270495fd 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -1149,7 +1149,7 @@ int reply_search(char *inbuf,char *outbuf, int dum_size, int dum_buffsize)
   smb_setlen(outbuf,outsize - 4);
   
   if ((! *directory) && dptr_path(dptr_num))
-    sprintf(directory,"(%s)",dptr_path(dptr_num));
+    slprintf(directory, sizeof(directory)-1, "(%s)",dptr_path(dptr_num));
 
   DEBUG(4,("%s %s mask=%s path=%s cnum=%d dtype=%d nument=%d of %d\n",
 	timestring(),
@@ -1716,7 +1716,7 @@ int reply_unlink(char *inbuf,char *outbuf, int dum_size, int dum_buffsize)
 	    if(!mask_match(fname, mask, case_sensitive, False)) continue;
 
 	    error = ERRnoaccess;
-	    sprintf(fname,"%s/%s",directory,dname);
+	    slprintf(fname,sizeof(fname)-1, "%s/%s",directory,dname);
 	    if (!can_delete(fname,cnum,dirtype)) continue;
 	    if (!sys_unlink(fname)) count++;
 	    DEBUG(3,("reply_unlink : doing unlink on %s\n",fname));
@@ -2622,7 +2622,7 @@ int reply_printopen(char *inbuf,char *outbuf, int dum_size, int dum_buffsize)
 
     if (strlen(s) > 10) s[10] = 0;
 
-    sprintf(fname,"%s.XXXXXX",s);  
+    slprintf(fname,sizeof(fname)-1, "%s.XXXXXX",s);  
   }
 
   fnum = find_free_file();
@@ -3238,7 +3238,7 @@ int reply_mv(char *inbuf,char *outbuf, int dum_size, int dum_buffsize)
 	    if(!mask_match(fname, mask, case_sensitive, False)) continue;
 
 	    error = ERRnoaccess;
-	    sprintf(fname,"%s/%s",directory,dname);
+	    slprintf(fname,sizeof(fname)-1,"%s/%s",directory,dname);
 	    if (!can_rename(fname,cnum)) {
 		    DEBUG(6,("rename %s refused\n", fname));
 		    continue;
@@ -3451,7 +3451,7 @@ int reply_copy(char *inbuf,char *outbuf, int dum_size, int dum_buffsize)
 	    if(!mask_match(fname, mask, case_sensitive, False)) continue;
 
 	    error = ERRnoaccess;
-	    sprintf(fname,"%s/%s",directory,dname);
+	    slprintf(fname,sizeof(fname)-1, "%s/%s",directory,dname);
 	    strcpy(destname,newname);
 	    if (resolve_wildcards(fname,destname) && 
 		copy_file(directory,newname,cnum,ofun,
-- 
cgit