svn commit: r316799 - head/sbin/restore

Conrad Meyer cem at FreeBSD.org
Fri Apr 14 00:14:42 UTC 2017 

Author: cem
Date: Fri Apr 14 00:14:40 2017
New Revision: 316799
URL: https://svnweb.freebsd.org/changeset/base/316799

Log:
  restore(8): Prevent some heap overflows
  
  The environment variable TMPDIR was copied unchecked into a fixed-size heap
  buffer.  Use a length-limiting snprintf in place of ordinary sprintf to
  prevent the overflow.  Long TMPDIR variables can still cause odd truncated
  filenames, which may be undesirable.
  
  Reported by:	Coverity (CWE-120)
  CIDs:		1006706, 1006707
  Sponsored by:	Dell EMC Isilon

Modified:
  head/sbin/restore/dirs.c

Modified: head/sbin/restore/dirs.c
==============================================================================
--- head/sbin/restore/dirs.c	Fri Apr 14 00:13:33 2017	(r316798)
+++ head/sbin/restore/dirs.c	Fri Apr 14 00:14:40 2017	(r316799)
@@ -140,7 +140,8 @@ extractdirs(int genmode)
 	vprintf(stdout, "Extract directories from tape\n");
 	if ((tmpdir = getenv("TMPDIR")) == NULL || tmpdir[0] == '\0')
 		tmpdir = _PATH_TMP;
-	(void) sprintf(dirfile, "%s/rstdir%jd", tmpdir, (intmax_t)dumpdate);
+	(void) snprintf(dirfile, sizeof(dirfile), "%s/rstdir%jd", tmpdir,
+	    (intmax_t)dumpdate);
 	if (command != 'r' && command != 'R') {
 		(void) strcat(dirfile, "-XXXXXX");
 		fd = mkstemp(dirfile);
@@ -153,8 +154,8 @@ extractdirs(int genmode)
 		done(1);
 	}
 	if (genmode != 0) {
-		(void) sprintf(modefile, "%s/rstmode%jd", tmpdir,
-		    (intmax_t)dumpdate);
+		(void) snprintf(modefile, sizeof(modefile), "%s/rstmode%jd",
+		    tmpdir, (intmax_t)dumpdate);
 		if (command != 'r' && command != 'R') {
 			(void) strcat(modefile, "-XXXXXX");
 			fd = mkstemp(modefile);
@@ -568,8 +569,8 @@ setdirmodes(int flags)
 	if ((tmpdir = getenv("TMPDIR")) == NULL || tmpdir[0] == '\0')
 		tmpdir = _PATH_TMP;
 	if (command == 'r' || command == 'R')
-		(void) sprintf(modefile, "%s/rstmode%jd", tmpdir,
-		    (intmax_t)dumpdate);
+		(void) snprintf(modefile, sizeof(modefile), "%s/rstmode%jd",
+		    tmpdir, (intmax_t)dumpdate);
 	if (modefile[0] == '#') {
 		panic("modefile not defined\n");
 		fprintf(stderr, "directory mode, owner, and times not set\n");

More information about the svn-src-head mailing list