PR: bin/8680

Increase the size of a number of buffers and replace strcpy/strcat/sprintf with snprintf(). There was a minor and possibly not exploitable security hole related to one sprintf().
svn path=/head/; revision=41717
2024-11-15 23:05:49 +01:00 · 1998-12-13 03:42:51 +00:00 · 1998-12-13 03:42:51 +00:00 · 98df703fe0 · 2020-12-20 02:59:44 +00:00
commit 98df703fe0
parent 4bb8e546c1
1 changed files with 8 additions and 6 deletions
--- a/usr.bin/wall/wall.c
+++ b/usr.bin/wall/wall.c
@ -42,7 +42,7 @@ static const char copyright[] =
 static char sccsid[] = "@(#)wall.c	8.2 (Berkeley) 11/16/93";
 #endif
 static const char rcsid[] =
-	"$Id: wall.c,v 1.8 1997/08/25 06:43:22 charnier Exp $";
+	"$Id: wall.c,v 1.9 1997/09/15 01:03:16 ache Exp $";
 #endif /* not lint */

 /*
@ -144,10 +144,10 @@ makemsg(fname)
 	time_t now;
 	FILE *fp;
 	int fd;
-	char *p, *whom, hostname[MAXHOSTNAMELEN], lbuf[100], tmpname[15];
+	char *p, *whom, hostname[MAXHOSTNAMELEN], lbuf[256], tmpname[64];
+
+	snprintf(tmpname, sizeof(tmpname), "%s/wall.XXXXXX", _PATH_TMP);

-	(void)strcpy(tmpname, _PATH_TMP);
-	(void)strcat(tmpname, "/wall.XXXXXX");
 	if (!(fd = mkstemp(tmpname)) || !(fp = fdopen(fd, "r+")))
 		errx(1, "can't open temporary file");
 	(void)unlink(tmpname);
@ -167,10 +167,12 @@ makemsg(fname)
 		 * in column 80, but that can't be helped.
 		 */
 		(void)fprintf(fp, "\r%79s\r\n", " ");
-		(void)sprintf(lbuf, "Broadcast Message from %s@%s",
+		(void)snprintf(lbuf, sizeof(lbuf), 
+		    "Broadcast Message from %s@%s",
 		    whom, hostname);
 		(void)fprintf(fp, "%-79.79s\007\007\r\n", lbuf);
-		(void)sprintf(lbuf, "        (%s) at %d:%02d ...", ttyname(2),
+		(void)snprintf(lbuf, sizeof(lbuf), 
+		    "        (%s) at %d:%02d ...", ttyname(2),
 		    lt->tm_hour, lt->tm_min);
 		(void)fprintf(fp, "%-79.79s\r\n", lbuf);
 	}