Yet another buffer overflow.

2.2 candidate (and -stable too actually, who does that?) Reviewed by: Warner Losh
2025-01-01 00:18:15 +01:00 · 1997-01-01 14:08:47 +00:00 · 1997-01-01 14:08:47 +00:00 · 6412184028
commit 6412184028
parent d20f8f693b
4 changed files with 19 additions and 9 deletions
--- a/sbin/restore/extern.h
+++ b/sbin/restore/extern.h
@ -36,7 +36,7 @@
 struct entry	*addentry __P((char *, ino_t, int));
 long		 addfile __P((char *, ino_t, int));
 void		 badentry __P((struct entry *, char *));
-void	 	 canon __P((char *, char *));
+void	 	 canon __P((char *, char *, int));
 void		 checkrestore __P((void));
 void		 closemt __P((void));
 void		 createfiles __P((void));
--- a/sbin/restore/interactive.c
+++ b/sbin/restore/interactive.c
@ -109,7 +109,7 @@ runcmdshell()
 	arglist.glob.gl_closedir = (void *)rst_closedir;
 	arglist.glob.gl_lstat = glob_stat;
 	arglist.glob.gl_stat = glob_stat;
-	canon("/", curdir);
+	canon("/", curdir, sizeof(curdir));
 loop:
 	if (setjmp(reset) != 0) {
 		if (arglist.freeglob != 0) {
@ -357,7 +357,7 @@ getnext:
 	 * If it is an absolute pathname, canonicalize it and return it.
 	 */
 	if (rawname[0] == '/') {
-		canon(rawname, name);
+		canon(rawname, name, sizeof(name));
 	} else {
 		/*
 		 * For relative pathnames, prepend the current directory to
@ -366,7 +366,7 @@ getnext:
 		(void) strcpy(output, curdir);
 		(void) strcat(output, "/");
 		(void) strcat(output, rawname);
-		canon(output, name);
+		canon(output, name, sizeof(name));
 	}
 	if (glob(name, GLOB_ALTDIRFUNC, NULL, &ap->glob) < 0)
 		fprintf(stderr, "%s: out of memory\n", ap->cmd);
@ -438,8 +438,9 @@ copynext(input, output)
 * remove any imbedded "." and ".." components.
 */
 void
-canon(rawname, canonname)
+canon(rawname, canonname, len)
 	char *rawname, *canonname;
+	int len;
 {
 	register char *cp, *np;

@ -449,6 +450,11 @@ canon(rawname, canonname)
 		(void) strcpy(canonname, ".");
 	else
 		(void) strcpy(canonname, "./");
+	if (strlen(canonname) + strlen(rawname) >= len) {
+		fprintf(stderr, "canonname: not enough bufferspace\n");
+		done(1);
+	}
+		
 	(void) strcat(canonname, rawname);
 	/*
 	 * Eliminate multiple and trailing '/'s
--- a/sbin/restore/main.c
+++ b/sbin/restore/main.c
@ -239,7 +239,7 @@ main(argc, argv)
 		extractdirs(0);
 		initsymtable((char *)0);
 		while (argc--) {
-			canon(*argv++, name);
+			canon(*argv++, name, sizeof(name));
 			ino = dirlookup(name);
 			if (ino == 0)
 				continue;
@ -254,7 +254,7 @@ main(argc, argv)
 		extractdirs(1);
 		initsymtable((char *)0);
 		while (argc--) {
-			canon(*argv++, name);
+			canon(*argv++, name, sizeof(name));
 			ino = dirlookup(name);
 			if (ino == 0)
 				continue;
--- a/sbin/restore/tape.c
+++ b/sbin/restore/tape.c
@ -63,7 +63,7 @@ static char sccsid[] = "@(#)tape.c	8.3 (Berkeley) 4/1/94";
 static long	fssize = MAXBSIZE;
 static int	mt = -1;
 static int	pipein = 0;
-static char	magtape[BUFSIZ];
+static char	*magtape;
 static int	blkcnt;
 static int	numtrec;
 static char	*tapebuf;
@ -146,7 +146,11 @@ setinput(source)
 		pipein++;
 	}
 	setuid(getuid());	/* no longer need or want root privileges */
-	(void) strcpy(magtape, source);
+	magtape = strdup(source);
+	if (magtape == NULL) {
+		fprintf(stderr, "Cannot allocate space for magtape buffer\n");
+		done(1);
+	}
 }

 void