Date: Tue, 24 Jan 2023 22:11:44 GMT
Message-Id: <202301242211.30OMBics085143@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Warner Losh
Subject: git: f493cbaba968 - stable/13 - stand: use snprintf here

The branch stable/13 has been updated by imp:

URL: https://cgit.FreeBSD.org/src/commit/?id=f493cbaba9683cf60169e1bb8941efb6ae8fa4f6

commit f493cbaba9683cf60169e1bb8941efb6ae8fa4f6
Author: Warner Losh
AuthorDate: 2022-08-03 16:50:14 +0000
Commit: Warner Losh
CommitDate: 2023-01-24 21:49:29 +0000

stand: use snprintf here

This code was written prior to snprintf being in the then libstand (now libsa). Since we have it, use it for extra safety. The code already tries to be safe, but since we have snprintf as well, the added layer of protection will suffice. The current code reserves 16 bytes (plus a NUL) at the end for worst case of inet_ntoa, which is still a little pessimal, but safe from overflow.

Sponsored by: Netflix
Reviewed by: tsoome
Differential Revision: https://reviews.freebsd.org/D35102

(cherry picked from commit a23c26b2fe38f7ad63e71e1f32795b4800213585)
--- stand/libsa/bootp.c | 29 ++++++++++++++++------------- 1 file changed, 16 insertions(+), 13 deletions(-) diff --git a/stand/libsa/bootp.c b/stand/libsa/bootp.c index f092db3de968..b00c713d1c30 100644 --- a/stand/libsa/bootp.c +++ b/stand/libsa/bootp.c
@@ -670,12 +670,14 @@ setenv_(u_char *cp, u_char *ep, struct dhcp_opt *opts) /* if not found we end up on the default entry */ /* - * Copy data into the buffer. libstand does not have snprintf so we - * need to be careful with sprintf(). With strings, the source is - * always <256 char so shorter than the buffer so we are safe; with - * other arguments, the longest string is inet_ntoa which is 16 bytes - * so we make sure to have always enough room in the string before - * trying an sprint. + * Copy data into the buffer. While the code uses snprintf, it's also + * careful never to insert strings that would be truncated. inet_ntoa is + * tricky to know the size, so it assumes we can always insert it + * because we reserve 16 bytes at the end of the string for its worst + * case. Other cases are covered because they will write fewer than + * these reserved bytes at the end. Source strings can't overflow (as + * noted below) because buf is 256 bytes and all strings are limited by + * the protocol to be 256 bytes or smaller. */ vp = buf; *vp = '\0'; @@ -695,14 +697,14 @@ setenv_(u_char *cp, u_char *ep, struct dhcp_opt *opts) if (vp != buf) *vp++ = FLD_SEP; bcopy(cp, &in_ip.s_addr, sizeof(in_ip.s_addr)); - sprintf(vp, "%s", inet_ntoa(in_ip)); + snprintf(vp, endv - vp, "%s", inet_ntoa(in_ip)); vp += strlen(vp); } break; case __BYTES: /* opaque byte string */ for (; size > 0 && vp < endv; size -= 1, cp += 1) { - sprintf(vp, "%02x", *cp); + snprintf(vp, endv - vp, "%02x", *cp); vp += strlen(vp); } break; @@ -725,7 +727,7 @@ setenv_(u_char *cp, u_char *ep, struct dhcp_opt *opts) v = cp[0]; if (vp != buf) *vp++ = FLD_SEP; - sprintf(vp, "%u", v); + snprintf(vp, endv - vp, "%u", v); vp += strlen(vp); } break; 
@@ -750,21 +752,22 @@ setenv_(u_char *cp, u_char *ep, struct dhcp_opt *opts) vp = s; /* prepare for next round */ } buf[0] = '\0'; /* option already done */ + break; } if (tp - tags < sizeof(tags) - 5) { /* add tag to the list */ if (tp != tags) *tp++ = FLD_SEP; - sprintf(tp, "%d", tag); + snprintf(tp, sizeof(tags) - (tp - tags), "%d", tag); tp += strlen(tp); } if (buf[0]) { char env[128]; /* the string name */ if (op->tag == 0) - sprintf(env, op->desc, opts[0].desc, tag); + snprintf(env, sizeof(env), op->desc, opts[0].desc, tag); else - sprintf(env, "%s%s", opts[0].desc, op->desc); + snprintf(env, sizeof(env), "%s%s", opts[0].desc, op->desc); /* * Do not replace existing values in the environment, so that * locally-obtained values can override server-provided values. @@ -774,7 +777,7 @@ setenv_(u_char *cp, u_char *ep, struct dhcp_opt *opts) } if (tp != tags) { char env[128]; /* the string name */ - sprintf(env, "%stags", opts[0].desc); + snprintf(env, sizeof(env), "%stags", opts[0].desc); setenv(env, tags, 1); } }
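Review bot: In the rewritten block comment of the @@ -670 hunk, "buf is 256 bytes and all strings are limited by the protocol to be 256 bytes or smaller" does not rule out an overflow as worded, because a 256-byte string plus its NUL does not fit a 256-byte buffer. The removed comment said the source is "always <256 char", and a DHCP option length is a single octet, so the real bound is 255; suggest "at most 255 bytes" so the comment states the invariant the code relies on.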
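Review bot: In the __BYTES loop of the @@ -695 hunk the guard is still `vp < endv`, so near the end `endv - vp` can be 2 or 1, and `snprintf(vp, endv - vp, "%02x", *cp)` then writes a single hex digit or nothing at all. The value ends on half a byte, the remaining input bytes are dropped while the loop runs on until size reaches 0, and nothing reports the truncation. Suggest requiring room for a whole byte in the loop condition, for example `endv - vp > 2`, or comparing snprintf's return value with the remaining space and breaking out of the loop.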
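Review bot: In the @@ -750 hunk both `snprintf(env, sizeof(env), ...)` calls discard the return value, so a variable name that does not fit in `char env[128]` is truncated silently and the shortened name is what the code goes on to use; the same applies to `snprintf(env, sizeof(env), "%stags", opts[0].desc)` followed by `setenv(env, tags, 1)` in the @@ -774 hunk, where overwrite is set. Suggest comparing the return value with sizeof(env) and skipping the variable when the name does not fit. The added `break;` after `buf[0] = '\0';` is not mentioned in the commit message; a sentence there on whether it changes behaviour would help.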