--- cattach.c.orig Fri Dec 19 01:32:57 1997 +++ cattach.c Sun Mar 13 14:05:19 2005 @@ -100,6 +100,7 @@ char *dirarg=NULL; char *namearg=NULL; int keycheck=1; + int l; ap.highsec=1; while (--argc) if (**++argv == '-') { @@ -164,17 +165,35 @@ fprintf(stderr,"Can't stat current directory\n"); exit(1); } - sprintf(dir,"%s/%s",buf,dirarg); - } else - strcpy(dir,dirarg); - sprintf(lname,"%s/..data",dir,1024); - sprintf(kname,"%s/..k",dir,1024); + l = snprintf(dir, sizeof(dir), "%s/%s", buf, dirarg); + if (l < 0 || l >= sizeof(dir)) { + fprintf(stderr, "File name too long\n"); + exit(1); + } + } else { + if (strlcpy(dir, dirarg, sizeof(dir)) >= sizeof(dir)) { + fprintf(stderr, "File name too long\n"); + exit(1); + } + } + l = snprintf(lname, sizeof(lname), "%s/..data", dir); + if (l < 0 || l >= sizeof(lname)) { + fprintf(stderr, "File name too long\n"); + exit(1); + } + (void)snprintf(kname, sizeof(kname), "%s/..k", dir); if (chdir(lname) >= 0) strcpy(dir,lname); else if (chdir(dir)<0) { perror(dirarg); exit(1); } + l = snprintf(cname, sizeof(cname), "%s/..c", dir); + if (l < 0 || l >= sizeof(cname)) { + fprintf(stderr, "File name too long\n"); + exit(1); + } + (void)snprintf(sname, sizeof(sname), "%s/..s", dir); #ifdef irix /* or (I hope) more or less any system with the 4 parameter statfs */ if ((statfs(".",&sfb,sizeof sfb,0)<0) || (sfb.f_blocks==0)) { @@ -188,7 +207,10 @@ } #endif ap.dirname=dir; - strcpy(ins,namearg); + if (strlcpy(ins, namearg, sizeof(ins)) >= sizeof(ins)) { + fprintf(stderr, "Name too long\n"); + exit(1); + } *namearg='\0'; /* weak attempt to hide .instance in ps output */ ap.name=ins; if (keycheck) { @@ -207,8 +229,6 @@ if ((n>0) && (pw[n-1] == '\n')) pw[n-1] = '\0'; } - sprintf(cname,"%s/..c",dir); - sprintf(sname,"%s/..s",dir); if ((fp=fopen(cname,"r")) == NULL) { ciph=CFS_STD_DES; } else { @@ -237,7 +257,7 @@ ap.expire = timeout; ap.key.cipher=ciph; if (smsize != LARGESMSIZE) - sprintf(pw,"%s%d",pw,smsize); + (void)snprintf(pw, 256, "%s%d", pw, smsize); if (cfmt) { if (new_pwcrunch(pw,&ap.key)!=0) {