Fix several Coverity warnings in tftp

Some of the changes are in the libexec/tftpd directory, but to functions that
are only used by tftp(1) (they share some code).

* strcpy => strlcpy (1006793, 1006794, 1006796, 1006741)
* Unchecked return value and TOCTTOU (1009314)
* NULL pointer dereference (1018035, 1018036)

Reported by:	Coverity
CID:		1006793, 1006794, 1006796, 1006741, 1009314, 1018035
CID:		1018036
MFC after:	2 weeks
This commit is contained in:
Alan Somers
2018-07-22 17:10:12 +00:00
parent 9898e6dff2
commit ca2d3691c3
4 changed files with 23 additions and 12 deletions
+7 -6
View File
@@ -40,6 +40,7 @@ __FBSDID("$FreeBSD$");
#include <errno.h>
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -193,16 +194,16 @@ send_wrq(int peer, char *filename, char *mode)
tp = (struct tftphdr *)buf;
tp->th_opcode = htons((u_short)WRQ);
size = 2;
size = offsetof(struct tftphdr, th_stuff);
bp = tp->th_stuff;
strcpy(bp, filename);
strlcpy(bp, filename, sizeof(buf) - size);
bp += strlen(filename);
*bp = 0;
bp++;
size += strlen(filename) + 1;
strcpy(bp, mode);
strlcpy(bp, mode, sizeof(buf) - size);
bp += strlen(mode);
*bp = 0;
bp++;
@@ -241,16 +242,16 @@ send_rrq(int peer, char *filename, char *mode)
tp = (struct tftphdr *)buf;
tp->th_opcode = htons((u_short)RRQ);
size = 2;
size = offsetof(struct tftphdr, th_stuff);
bp = tp->th_stuff;
strcpy(bp, filename);
strlcpy(bp, filename, sizeof(buf) - size);
bp += strlen(filename);
*bp = 0;
bp++;
size += strlen(filename) + 1;
strcpy(bp, mode);
strlcpy(bp, mode, sizeof(buf) - size);
bp += strlen(mode);
*bp = 0;
bp++;
+4 -3
View File
@@ -237,14 +237,15 @@ const char *
debug_show(int d)
{
static char s[100];
size_t space = sizeof(s);
int i = 0;
s[0] = '\0';
while (debugs[i].name != NULL) {
if (d&debugs[i].value) {
if (s[0] != '\0')
strcat(s, " ");
strcat(s, debugs[i].name);
if (s[0] != '\0')
strlcat(s, " ", space);
strlcat(s, debugs[i].name, space);
}
i++;
}