Author: asomers
Date: Sun Jul 22 17:10:12 2018
New Revision: 336609
URL: https://svnweb.freebsd.org/changeset/base/336609

Log:
  Fix several Coverity warnings in tftp
  
  Some of the changes are in the libexec/tftpd directory, but to functions that
  are only used by tftp(1) (they share some code).
  
  * strcpy => strlcpy (1006793, 1006794, 1006796, 1006741)
  * Unchecked return value and TOCTTOU (1009314)
  * NULL pointer dereference (1018035, 1018036)
  
  Reported by:  Coverity
  CID:          1006793, 1006794, 1006796, 1006741, 1009314, 1018035
  CID:          1018036
  MFC after:    2 weeks

Modified:
  head/libexec/tftpd/tftp-io.c
  head/libexec/tftpd/tftp-utils.c
  head/usr.bin/tftp/main.c
  head/usr.bin/tftp/tftp.c

Modified: head/libexec/tftpd/tftp-io.c
==============================================================================
--- head/libexec/tftpd/tftp-io.c        Sun Jul 22 16:51:11 2018        
(r336608)
+++ head/libexec/tftpd/tftp-io.c        Sun Jul 22 17:10:12 2018        
(r336609)
@@ -40,6 +40,7 @@ __FBSDID("$FreeBSD$");
 #include <errno.h>
 #include <setjmp.h>
 #include <signal.h>
+#include <stddef.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -193,16 +194,16 @@ send_wrq(int peer, char *filename, char *mode)
 
        tp = (struct tftphdr *)buf;
        tp->th_opcode = htons((u_short)WRQ);
-       size = 2;
+       size = offsetof(struct tftphdr, th_stuff);
 
        bp = tp->th_stuff;
-       strcpy(bp, filename);
+       strlcpy(bp, filename, sizeof(buf) - size);
        bp += strlen(filename);
        *bp = 0;
        bp++;
        size += strlen(filename) + 1;
 
-       strcpy(bp, mode);
+       strlcpy(bp, mode, sizeof(buf) - size);
        bp += strlen(mode);
        *bp = 0;
        bp++;
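Review bot: The bookkeeping after each `strlcpy` still uses `strlen(filename)` and `strlen(mode)`, so when a copy is truncated `bp` is advanced past what was actually written and the following `*bp = 0` stores outside the bounded region. `size` is overcounted the same way, and the second bound `sizeof(buf) - size` can then wrap if the subtraction is done in an unsigned type. Check the return value instead, e.g. `if (strlcpy(bp, filename, sizeof(buf) - size) >= sizeof(buf) - size)` followed by the function's error return, and do the same for `mode`. The identical pattern is in the send_rrq hunk below. Both functions start and end outside their hunks, so the declaration of `buf` (which `sizeof(buf)` relies on being an array) and the error-return convention are not visible here.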
@@ -241,16 +242,16 @@ send_rrq(int peer, char *filename, char *mode)
 
        tp = (struct tftphdr *)buf;
        tp->th_opcode = htons((u_short)RRQ);
-       size = 2;
+       size = offsetof(struct tftphdr, th_stuff);
 
        bp = tp->th_stuff;
-       strcpy(bp, filename);
+       strlcpy(bp, filename, sizeof(buf) - size);
        bp += strlen(filename);
        *bp = 0;
        bp++;
        size += strlen(filename) + 1;
 
-       strcpy(bp, mode);
+       strlcpy(bp, mode, sizeof(buf) - size);
        bp += strlen(mode);
        *bp = 0;
        bp++;

Modified: head/libexec/tftpd/tftp-utils.c
==============================================================================
--- head/libexec/tftpd/tftp-utils.c     Sun Jul 22 16:51:11 2018        
(r336608)
+++ head/libexec/tftpd/tftp-utils.c     Sun Jul 22 17:10:12 2018        
(r336609)
@@ -237,14 +237,15 @@ const char *
 debug_show(int d)
 {
        static char s[100];
+       size_t space = sizeof(s);
        int i = 0;
 
        s[0] = '\0';
        while (debugs[i].name != NULL) {
                if (d&debugs[i].value) {
-                       if (s[0] != '\0') 
-                               strcat(s, " ");
-                       strcat(s, debugs[i].name);
+                       if (s[0] != '\0')
+                               strlcat(s, " ", space);
+                       strlcat(s, debugs[i].name, space);
                }
                i++;
        }
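Review bot: The return values of the `strlcat` calls are ignored, so once `s` is full the remaining flag names are dropped with no sign of it in the returned string. If `s` is only a display string, as it appears to be, that is acceptable, but it deserves a comment at the declaration of `space`, such as `/* Truncation is tolerated: s is a display-only string. */`. The local `space` only ever holds `sizeof(s)` and could be written that way at the call sites. The end of debug_show is outside the hunk.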

Modified: head/usr.bin/tftp/main.c
==============================================================================
--- head/usr.bin/tftp/main.c    Sun Jul 22 16:51:11 2018        (r336608)
+++ head/usr.bin/tftp/main.c    Sun Jul 22 17:10:12 2018        (r336609)
@@ -429,7 +429,7 @@ static void
 settftpmode(const char *newmode)
 {
 
-       strcpy(mode, newmode);
+       strlcpy(mode, newmode, sizeof(mode));
        if (verbose)
                printf("mode set to %s\n", mode);
 }
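Review bot: `sizeof(mode)` is the right bound only if `mode` is declared as a char array in this file. Its declaration is outside the hunk, and if it were a pointer the bound would be the pointer size. A truncated `newmode` is also accepted silently and then printed as the active mode; if callers can pass anything other than the fixed mode names, compare the `strlcpy` result with `sizeof(mode)` and reject the value.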
@@ -489,7 +489,10 @@ put(int argc, char *argv[])
                        return;
                }
 
-               stat(cp, &sb);
+               if (fstat(fd, &sb) < 0) {
+                       warn("%s", cp);
+                       return;
+               }
                asprintf(&options[OPT_TSIZE].o_request, "%ju", sb.st_size);
 
                if (verbose)
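Review bot: The new error branch returns without closing `fd`, which the `fstat(fd, &sb)` call implies was opened just above the hunk, so a failed fstat leaks the descriptor. Add `close(fd);` before the `return;`, and likewise before the `continue;` in the second put hunk below, where the leak can occur once per file in the loop. The `asprintf` call on the next line is unchanged context, but its result is still unchecked. put() begins and ends outside both hunks.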
@@ -510,7 +513,10 @@ put(int argc, char *argv[])
                        continue;
                }
 
-               stat(cp, &sb);
+               if (fstat(fd, &sb) < 0) {
+                       warn("%s", argv[n]);
+                       continue;
+               }
                asprintf(&options[OPT_TSIZE].o_request, "%ju", sb.st_size);
 
                if (verbose)

Modified: head/usr.bin/tftp/tftp.c
==============================================================================
--- head/usr.bin/tftp/tftp.c    Sun Jul 22 16:51:11 2018        (r336608)
+++ head/usr.bin/tftp/tftp.c    Sun Jul 22 17:10:12 2018        (r336609)
@@ -50,6 +50,7 @@ __FBSDID("$FreeBSD$");
 
 #include <arpa/tftp.h>
 
+#include <assert.h>
 #include <err.h>
 #include <netdb.h>
 #include <stdio.h>
@@ -85,6 +86,7 @@ xmitfile(int peer, char *port, int fd, char *name, cha
        if (port == NULL) {
                struct servent *se;
                se = getservbyname("tftp", "udp");
+               assert(se != NULL);
                ((struct sockaddr_in *)&peer_sock)->sin_port = se->s_port;
        } else
                ((struct sockaddr_in *)&peer_sock)->sin_port =
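Review bot: `assert(se != NULL)` does not remove the NULL dereference when the program is built with NDEBUG, because the assertion compiles away and `se->s_port` is still read. With assertions enabled, a missing tftp/udp entry in the services database aborts the client instead of reporting an error. An explicit check is safer, e.g. `if (se == NULL) errx(1, "tftp/udp: unknown service");` (err.h is already included in this file), or a return through the function's normal error path. The same line is added in the recvfile hunk below. Both functions continue outside their hunks.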
@@ -184,6 +186,7 @@ recvfile(int peer, char *port, int fd, char *name, cha
        if (port == NULL) {
                struct servent *se;
                se = getservbyname("tftp", "udp");
+               assert(se != NULL);
                ((struct sockaddr_in *)&peer_sock)->sin_port = se->s_port;
        } else
                ((struct sockaddr_in *)&peer_sock)->sin_port =