[src/trunk]: src/usr.sbin/lpr/lpd Make sure that the we have a valid pathname...

[christos <christos%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/562706df9965
branches:  trunk
changeset: 518731:562706df9965
user:      christos <christos%NetBSD.org@localhost>
date:      Tue Dec 04 22:52:44 2001 +0000

description:
Make sure that the we have a valid pathname. [We did the check too late,
and we had a buffer overflow].  Bug found by Sebastian Krahmer of SuSE,
fix inspired by patch 008 for OpenBSD-3.0.

diffstat:

 usr.sbin/lpr/lpd/recvjob.c |  24 ++++++++++--------------
 1 files changed, 10 insertions(+), 14 deletions(-)

diffs (53 lines):

diff -r e8688a59484c -r 562706df9965 usr.sbin/lpr/lpd/recvjob.c
--- a/usr.sbin/lpr/lpd/recvjob.c        Tue Dec 04 22:13:41 2001 +0000
+++ b/usr.sbin/lpr/lpd/recvjob.c        Tue Dec 04 22:52:44 2001 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: recvjob.c,v 1.13 2001/10/09 02:15:38 mjl Exp $ */
+/*     $NetBSD: recvjob.c,v 1.14 2001/12/04 22:52:44 christos Exp $    */
 
 /*
  * Copyright (c) 1983, 1993
@@ -45,7 +45,7 @@
 #if 0
 static char sccsid[] = "@(#)recvjob.c  8.2 (Berkeley) 4/27/95";
 #else
-__RCSID("$NetBSD: recvjob.c,v 1.13 2001/10/09 02:15:38 mjl Exp $");
+__RCSID("$NetBSD: recvjob.c,v 1.14 2001/12/04 22:52:44 christos Exp $");
 #endif
 #endif /* not lint */
 
@@ -180,14 +180,12 @@
                         * something different than what gethostbyaddr()
                         * returns
                         */
-                       (void)strncpy(cp + 6, from, sizeof(line) - strlen(line) - 1);
-                       line[sizeof(line) - 1 ] = '\0';
-                       (void)strncpy(tfname, cp, sizeof(tfname) - 1);
-                       tfname[sizeof(tfname) - 1 ] = '\0';
+                       (void)strlcpy(cp + 6, from,
+                           sizeof(line) + line - cp - 6);
+                       if (strchr(cp, '/'))
+                               frecverr("readjob: %s: illegal path name", cp);
+                       (void)strlcpy(tfname, cp, sizeof(tfname));
                        tfname[0] = 't';
-                       if (strchr(tfname, '/'))
-                               frecverr("readjob: %s: illegal path name",
-                                   tfname);
                        if (!chksize(size)) {
                                (void)write(STDOUT_FILENO, "\2", 1);
                                continue;
@@ -213,11 +211,9 @@
                                (void)write(STDOUT_FILENO, "\2", 1);
                                continue;
                        }
-                       (void)strncpy(dfname, cp, sizeof(dfname) - 1);
-                       dfname[sizeof(dfname) - 1] = '\0';
-                       if (strchr(dfname, '/'))
-                               frecverr("readjob: %s: illegal path name",
-                                       dfname);
+                       if (strchr(cp, '/'))
+                               frecverr("readjob: %s: illegal path name", cp);
+                       (void)strlcpy(dfname, cp, sizeof(dfname));
                        (void)readfile(dfname, size);
                        continue;
                }