Fix several Coverity warnings in tftp
Some of the changes are in the libexec/tftpd directory, but to functions that are only used by tftp(1) (they share some code). * strcpy => strlcpy (1006793, 1006794, 1006796, 1006741) * Unchecked return value and TOCTTOU (1009314) * NULL pointer dereference (1018035, 1018036) Reported by: Coverity CID: 1006793, 1006794, 1006796, 1006741, 1009314, 1018035 CID: 1018036 MFC after: 2 weeks
This commit is contained in:
@@ -40,6 +40,7 @@ __FBSDID("$FreeBSD$");
|
||||
#include <errno.h>
|
||||
#include <setjmp.h>
|
||||
#include <signal.h>
|
||||
#include <stddef.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
@@ -193,16 +194,16 @@ send_wrq(int peer, char *filename, char *mode)
|
||||
|
||||
tp = (struct tftphdr *)buf;
|
||||
tp->th_opcode = htons((u_short)WRQ);
|
||||
size = 2;
|
||||
size = offsetof(struct tftphdr, th_stuff);
|
||||
|
||||
bp = tp->th_stuff;
|
||||
strcpy(bp, filename);
|
||||
strlcpy(bp, filename, sizeof(buf) - size);
|
||||
bp += strlen(filename);
|
||||
*bp = 0;
|
||||
bp++;
|
||||
size += strlen(filename) + 1;
|
||||
|
||||
strcpy(bp, mode);
|
||||
strlcpy(bp, mode, sizeof(buf) - size);
|
||||
bp += strlen(mode);
|
||||
*bp = 0;
|
||||
bp++;
|
||||
@@ -241,16 +242,16 @@ send_rrq(int peer, char *filename, char *mode)
|
||||
|
||||
tp = (struct tftphdr *)buf;
|
||||
tp->th_opcode = htons((u_short)RRQ);
|
||||
size = 2;
|
||||
size = offsetof(struct tftphdr, th_stuff);
|
||||
|
||||
bp = tp->th_stuff;
|
||||
strcpy(bp, filename);
|
||||
strlcpy(bp, filename, sizeof(buf) - size);
|
||||
bp += strlen(filename);
|
||||
*bp = 0;
|
||||
bp++;
|
||||
size += strlen(filename) + 1;
|
||||
|
||||
strcpy(bp, mode);
|
||||
strlcpy(bp, mode, sizeof(buf) - size);
|
||||
bp += strlen(mode);
|
||||
*bp = 0;
|
||||
bp++;
|
||||
|
||||
@@ -237,14 +237,15 @@ const char *
|
||||
debug_show(int d)
|
||||
{
|
||||
static char s[100];
|
||||
size_t space = sizeof(s);
|
||||
int i = 0;
|
||||
|
||||
s[0] = '\0';
|
||||
while (debugs[i].name != NULL) {
|
||||
if (d&debugs[i].value) {
|
||||
if (s[0] != '\0')
|
||||
strcat(s, " ");
|
||||
strcat(s, debugs[i].name);
|
||||
if (s[0] != '\0')
|
||||
strlcat(s, " ", space);
|
||||
strlcat(s, debugs[i].name, space);
|
||||
}
|
||||
i++;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user