openbsd-ports/databases/gnats/patches/patch-gnats_queue-pr.c
brad 9e8ecfb2f4 Fix some security issues with gnats.
Some additional fixes from millert@
sprintf -> snprintf
str{cat,cpy} -> strl{cat,cpy}

http://marc.theaimsgroup.com/?l=bugtraq&m=105638591907836&w=2

ok naddy@
2003-08-25 23:33:56 +00:00

137 lines
4.0 KiB
C

$OpenBSD: patch-gnats_queue-pr.c,v 1.4 2003/08/25 23:33:56 brad Exp $
--- gnats/queue-pr.c.orig Wed Nov 25 07:15:20 1998
+++ gnats/queue-pr.c Wed Jul 2 13:37:12 2003
@@ -78,9 +78,11 @@ fork_gnats (filename)
int pid; /* pid_t */
int status;
+ size_t len;
- safe_env[0] = (char *) xmalloc (5 + strlen (gnats_user) + 1);
- sprintf (safe_env[0], "USER=%s", gnats_user);
+ len = 5 + strlen (gnats_user) + 1;
+ safe_env[0] = (char *) xmalloc (len);
+ snprintf (safe_env[0], len, "USER=%s", gnats_user);
errno = 0;
pid = fork();
@@ -91,10 +93,11 @@ fork_gnats (filename)
{
char *gnats_bin;
int fd;
+ size_t len = strlen (bindir) + 9;
- gnats_bin = (char *) xmalloc (strlen (bindir) + 9);
- strcpy (gnats_bin, bindir);
- strcat (gnats_bin, "/file-pr");
+ gnats_bin = (char *) xmalloc (len);
+ strlcpy (gnats_bin, bindir, len);
+ strlcat (gnats_bin, "/file-pr", len);
if (! flag_debug)
{
@@ -114,14 +117,14 @@ fork_gnats (filename)
if (flag_debug)
{
if (execle (gnats_bin, "file-pr", "-f", filename,
- "-D", "-d", gnats_root, NULL, safe_env) < 0)
+ "-D", "-d", gnats_root, (char *)NULL, safe_env) < 0)
punt (1, "%s: execle of gnats failed: %s\n", program_name,
strerror (errno));
}
else
{
if (execle (gnats_bin, "file-pr", "-f", filename,
- "-d", gnats_root, NULL, safe_env) < 0)
+ "-d", gnats_root, (char *)NULL, safe_env) < 0)
punt (1, "%s: execle of gnats failed: %s\n", program_name,
strerror (errno));
}
@@ -204,9 +207,10 @@ run_gnats ()
}
else if (child_status == 2)
{
- char *name2 = xmalloc (strlen (files[i].name) + 2);
- strcpy (name2, ".");
- strcat (name2, files[i].name);
+ size_t len = strlen (files[i].name) + 2;
+ char *name2 = xmalloc (len);
+ strlcpy (name2, ".", len);
+ strlcat (name2, files[i].name, len);
rename (files[i].name, name2);
punt (0, "renamed `%s' to `%s' pending human intervention.\n",
files[i].name, name2);
@@ -226,13 +230,11 @@ drop_msg ()
{
int fd[2];
char *tmpdir;
- char *bug_file = (char *) xmalloc (PATH_MAX);
+ char bug_file[MAXPATHLEN];
int r; /* XXX ssize_t */
char *buf = (char *) xmalloc (MAXBSIZE);
char *base, *new_name;
-#ifndef HAVE_MKTEMP
- char name[L_tmpnam];
-#endif
+ size_t len;
if (queue_file)
{
@@ -247,18 +249,13 @@ drop_msg ()
tmpdir = getenv ("TMPDIR");
if (tmpdir == NULL)
tmpdir = "/tmp"; /* FIXME */
-#ifdef HAVE_MKTEMP
- sprintf (bug_file, "%s/gnatsXXXXXX", tmpdir);
- mktemp (bug_file);
-#else
- tmpnam (name);
- strcpy (bug_file, name);
-#endif
+
+ snprintf (bug_file, sizeof(bug_file), "%s/gnatsXXXXXX", tmpdir);
- fd[1] = open (bug_file, O_WRONLY|O_CREAT, 0664);
- if (fd[1] < 0)
+ if ((fd[1] = mkstemp (bug_file)) < 0)
punt (1, "%s: can't open queue file %s for writing: %s\n",
program_name, bug_file, strerror (errno));
+ fchmod (fd[1], 0644);
while ((r = read (fd[0], buf, MAXBSIZE)) > 0)
if (write (fd[1], buf, r) < 0)
@@ -283,8 +280,9 @@ drop_msg ()
errno = 0;
base = basename (bug_file);
- new_name = (char *) xmalloc (strlen (queue_dir) + 1 + strlen (bug_file) + 1);
- sprintf (new_name, "%s/%s", queue_dir, base);
+ len = strlen (queue_dir) + 1 + strlen (bug_file) + 1;
+ new_name = (char *) xmalloc (len);
+ snprintf (new_name, len, "%s/%s", queue_dir, base);
if (rename (bug_file, new_name) < 0)
{
if (errno != EXDEV)
@@ -308,6 +306,7 @@ main (argc, argv)
char **argv;
{
int optc;
+ size_t len;
program_name = basename (argv[0]);
@@ -372,10 +371,9 @@ main (argc, argv)
program_name);
exit (1);
}
- queue_dir = (char *) xmalloc (strlen (gnats_root)
- + strlen ("/gnats-queue")
- + 1 /* null char */);
- sprintf (queue_dir, "%s/gnats-queue", gnats_root);
+ len = strlen (gnats_root) + strlen ("/gnats-queue") + 1 /* null char */;
+ queue_dir = (char *) xmalloc (len);
+ snprintf (queue_dir, len, "%s/gnats-queue", gnats_root);
if (queue_msg)
drop_msg ();