restore(8): Prevent some heap overflows

The environment variable TMPDIR was copied unchecked into a fixed-size heap
buffer.  Use a length-limiting snprintf in place of ordinary sprintf to
prevent the overflow.  Long TMPDIR variables can still cause odd truncated
filenames, which may be undesirable.

Reported by:	Coverity (CWE-120)
CIDs:		1006706, 1006707
Sponsored by:	Dell EMC Isilon
Conrad Meyer 2017-04-14 00:14:40 +00:00
parent 17fac79462
commit 63298eb19c
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=316799


@ -140,7 +140,8 @@ extractdirs(int genmode)
vprintf(stdout, "Extract directories from tape\n");
if ((tmpdir = getenv("TMPDIR")) == NULL || tmpdir[0] == '\0')
tmpdir = _PATH_TMP;
(void) sprintf(dirfile, "%s/rstdir%jd", tmpdir, (intmax_t)dumpdate);
(void) snprintf(dirfile, sizeof(dirfile), "%s/rstdir%jd", tmpdir,
(intmax_t)dumpdate);
if (command != 'r' && command != 'R') {
(void) strcat(dirfile, "-XXXXXX");
fd = mkstemp(dirfile);
@ -153,8 +154,8 @@ extractdirs(int genmode)
done(1);
}
if (genmode != 0) {
(void) sprintf(modefile, "%s/rstmode%jd", tmpdir,
(intmax_t)dumpdate);
(void) snprintf(modefile, sizeof(modefile), "%s/rstmode%jd",
tmpdir, (intmax_t)dumpdate);
if (command != 'r' && command != 'R') {
(void) strcat(modefile, "-XXXXXX");
fd = mkstemp(modefile);
@ -568,8 +569,8 @@ setdirmodes(int flags)
if ((tmpdir = getenv("TMPDIR")) == NULL || tmpdir[0] == '\0')
tmpdir = _PATH_TMP;
if (command == 'r' || command == 'R')
(void) sprintf(modefile, "%s/rstmode%jd", tmpdir,
(intmax_t)dumpdate);
(void) snprintf(modefile, sizeof(modefile), "%s/rstmode%jd",
tmpdir, (intmax_t)dumpdate);
if (modefile[0] == '#') {
panic("modefile not defined\n");
fprintf(stderr, "directory mode, owner, and times not set\n");
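Review bot: The `strcat(dirfile, "-XXXXXX")` and `strcat(modefile, "-XXXXXX")` calls in extractdirs are still unbounded, so when TMPDIR is long enough for the new snprintf to truncate, the buffer is already full and the 7-byte suffix plus its terminator is written past its end. The snprintf return value is also discarded with `(void)`, so truncation goes unnoticed, and on the `r`/`R` path (including the setdirmodes hunk) a truncated name is used as-is. I would bound the append and fail on truncation, e.g. `if (strlcat(dirfile, "-XXXXXX", sizeof(dirfile)) >= sizeof(dirfile)) { fprintf(stderr, "TMPDIR too long\n"); done(1); }`, and the same for modefile. Both function bodies continue outside the hunks and the declarations of dirfile and modefile are not visible, so this assumes they are arrays, as the `sizeof` in the new lines implies.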