Date: Wed, 3 Aug 2022 17:24:56 GMT
Message-Id: <202208031724.273HOuKf085252@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Warner Losh
Subject: git: a23c26b2fe38 - main - stand: use snprintf here
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: imp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: a23c26b2fe38f7ad63e71e1f32795b4800213585

The branch main has been updated by imp:

URL: https://cgit.FreeBSD.org/src/commit/?id=a23c26b2fe38f7ad63e71e1f32795b4800213585

commit
a23c26b2fe38f7ad63e71e1f32795b4800213585 Author: Warner Losh AuthorDate: 2022-08-03 16:50:14 +0000 Commit: Warner Losh CommitDate: 2022-08-03 17:24:38 +0000 stand: use snprintf here This code was written prior to snprintf being in the then libstand (now libsa). Since we have it, use it for extra safety. The code already tries to be safe, but since we have snprintf as well, the added layer of protection will suffice. The current code reserves 16 bytes (plus a NUL) at the end for worst case of inet_ntoa, which is still a little pessimal, but safe from overflow. Sponsored by: Netflix Reviewed by: tsoome Differential Revision: https://reviews.freebsd.org/D35102 --- stand/libsa/bootp.c | 29 ++++++++++++++++------------- 1 file changed, 16 insertions(+), 13 deletions(-) diff --git a/stand/libsa/bootp.c b/stand/libsa/bootp.c index f092db3de968..b00c713d1c30 100644 --- a/stand/libsa/bootp.c +++ b/stand/libsa/bootp.c @@ -670,12 +670,14 @@ setenv_(u_char *cp, u_char *ep, struct dhcp_opt *opts) /* if not found we end up on the default entry */ /* - * Copy data into the buffer. libstand does not have snprintf so we - * need to be careful with sprintf(). With strings, the source is - * always <256 char so shorter than the buffer so we are safe; with - * other arguments, the longest string is inet_ntoa which is 16 bytes - * so we make sure to have always enough room in the string before - * trying an sprint. + * Copy data into the buffer. While the code uses snprintf, it's also + * careful never to insert strings that would be truncated. inet_ntoa is + * tricky to know the size, so it assumes we can always insert it + * because we reserve 16 bytes at the end of the string for its worst + * case. Other cases are covered because they will write fewer than + * these reserved bytes at the end. Source strings can't overflow (as + * noted below) because buf is 256 bytes and all strings are limited by + * the protocol to be 256 bytes or smaller. */ vp = buf; *vp = '\0'; 
@@ -695,14 +697,14 @@ setenv_(u_char *cp, u_char *ep, struct dhcp_opt *opts) if (vp != buf) *vp++ = FLD_SEP; bcopy(cp, &in_ip.s_addr, sizeof(in_ip.s_addr)); - sprintf(vp, "%s", inet_ntoa(in_ip)); + snprintf(vp, endv - vp, "%s", inet_ntoa(in_ip)); vp += strlen(vp); } break; case __BYTES: /* opaque byte string */ for (; size > 0 && vp < endv; size -= 1, cp += 1) { - sprintf(vp, "%02x", *cp); + snprintf(vp, endv - vp, "%02x", *cp); vp += strlen(vp); } break; @@ -725,7 +727,7 @@ setenv_(u_char *cp, u_char *ep, struct dhcp_opt *opts) v = cp[0]; if (vp != buf) *vp++ = FLD_SEP; - sprintf(vp, "%u", v); + snprintf(vp, endv - vp, "%u", v); vp += strlen(vp); } break; @@ -750,21 +752,22 @@ setenv_(u_char *cp, u_char *ep, struct dhcp_opt *opts) vp = s; /* prepare for next round */ } buf[0] = '\0'; /* option already done */ + break; } if (tp - tags < sizeof(tags) - 5) { /* add tag to the list */ if (tp != tags) *tp++ = FLD_SEP; - sprintf(tp, "%d", tag); + snprintf(tp, sizeof(tags) - (tp - tags), "%d", tag); tp += strlen(tp); } if (buf[0]) { char env[128]; /* the string name */ if (op->tag == 0) - sprintf(env, op->desc, opts[0].desc, tag); + snprintf(env, sizeof(env), op->desc, opts[0].desc, tag); else - sprintf(env, "%s%s", opts[0].desc, op->desc); + snprintf(env, sizeof(env), "%s%s", opts[0].desc, op->desc); /* * Do not replace existing values in the environment, so that * locally-obtained values can override server-provided values. @@ -774,7 +777,7 @@ setenv_(u_char *cp, u_char *ep, struct dhcp_opt *opts) } if (tp != tags) { char env[128]; /* the string name */ - sprintf(env, "%stags", opts[0].desc); + snprintf(env, sizeof(env), "%stags", opts[0].desc); setenv(env, tags, 1); } }
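Review bot: In the rewritten block comment of the first hunk (@@ -670), the closing sentence says strings are "limited by the protocol to be 256 bytes or smaller" while buf is 256 bytes; a 256-byte string plus its NUL does not fit in a 256-byte buffer, and the text being replaced said "<256 char". Suggest restoring the strict bound (for example "shorter than 256 bytes") so the comment supports the no-overflow argument it is making.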
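Review bot: In the __BYTES loop of the second hunk (@@ -695), the guard is still vp < endv, so snprintf(vp, endv - vp, "%02x", *cp) can be called with only 1 or 2 bytes of room and will then write nothing or a single hex digit, leaving a silently truncated, odd-length value while the loop keeps consuming input. Suggest tightening the guard to endv - vp > 2, or checking the snprintf return value and stopping on truncation. The same endv - vp bound on the inet_ntoa line stops at endv; if endv marks the start of the 16 reserved bytes the new comment describes, the address would be cut short rather than written into the reserve, so that call probably wants the real end of buf as its limit.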
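Review bot: In the fourth hunk (@@ -750), the two snprintf(env, sizeof(env), ...) calls ignore the return value, so a name that does not fit in env[128] is truncated silently and the value ends up under a different variable name than intended. Suggest comparing the result against sizeof(env) and skipping the environment update on truncation; the same applies to the "%stags" call in the last hunk. The added break; after buf[0] = '\0'; is unrelated to the snprintf conversion and is not mentioned in the commit message, so a line about it in the log would help.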