author | Conrad Meyer <cem@FreeBSD.org> | 2017-04-14 00:14:40 +0000 |
---|---|---|
committer | Conrad Meyer <cem@FreeBSD.org> | 2017-04-14 00:14:40 +0000 |
commit | 63298eb19c831bbede2c0453ce727e1ec681a343 (patch) | |
tree | bdf7dca60d97fa6cc00b407ca2af483e8d352670 /sbin/restore/dirs.c | |
parent | 17fac79462ef5eacfffbfda4f36d0a4e47e22854 (diff) | |
restore(8): Prevent some heap overflows
The environment variable TMPDIR was copied unchecked into a fixed-size heap
buffer. Use a length-limiting snprintf in place of ordinary sprintf to
prevent the overflow. Long TMPDIR variables can still cause odd truncated
filenames, which may be undesirable.
Reported by: Coverity (CWE-120)
CIDs: 1006706, 1006707
Sponsored by: Dell EMC Isilon
Notes
Notes:
svn path=/head/; revision=316799
Diffstat (limited to 'sbin/restore/dirs.c')
-rw-r--r-- | sbin/restore/dirs.c | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/sbin/restore/dirs.c b/sbin/restore/dirs.c
index f242c1d40a43..beab1aeb5a1e 100644
--- a/sbin/restore/dirs.c
+++ b/sbin/restore/dirs.c
@@ -140,7 +140,8 @@ extractdirs(int genmode)
 vprintf(stdout, "Extract directories from tape\n");
 if ((tmpdir = getenv("TMPDIR")) == NULL || tmpdir[0] == '\0')
 tmpdir = _PATH_TMP;
- (void) sprintf(dirfile, "%s/rstdir%jd", tmpdir, (intmax_t)dumpdate);
+ (void) snprintf(dirfile, sizeof(dirfile), "%s/rstdir%jd", tmpdir,
+ (intmax_t)dumpdate);
 if (command != 'r' && command != 'R') {
 (void) strcat(dirfile, "-XXXXXX");
 fd = mkstemp(dirfile);
@@ -153,8 +154,8 @@ extractdirs(int genmode)
 done(1);
 }
 if (genmode != 0) {
- (void) sprintf(modefile, "%s/rstmode%jd", tmpdir,
- (intmax_t)dumpdate);
+ (void) snprintf(modefile, sizeof(modefile), "%s/rstmode%jd",
+ tmpdir, (intmax_t)dumpdate);
 if (command != 'r' && command != 'R') {
 (void) strcat(modefile, "-XXXXXX");
 fd = mkstemp(modefile);
@@ -568,8 +569,8 @@ setdirmodes(int flags)
 if ((tmpdir = getenv("TMPDIR")) == NULL || tmpdir[0] == '\0')
 tmpdir = _PATH_TMP;
 if (command == 'r' || command == 'R')
- (void) sprintf(modefile, "%s/rstmode%jd", tmpdir,
- (intmax_t)dumpdate);
+ (void) snprintf(modefile, sizeof(modefile), "%s/rstmode%jd",
+ tmpdir, (intmax_t)dumpdate);
 if (modefile[0] == '#') {
 panic("modefile not defined\n");
 fprintf(stderr, "directory mode, owner, and times not set\n"); |
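Review bot: The `strcat(dirfile, "-XXXXXX")` that follows the new snprintf in the first extractdirs hunk is still unbounded. If a long TMPDIR makes snprintf fill dirfile up to its last byte, the seven-character suffix is written past the end of the buffer, so the overflow the commit targets remains reachable on the non-'r'/'R' path. The same applies to `strcat(modefile, "-XXXXXX")` in the second hunk. A bounded append with a truncation check would close it, for example `if (strlcat(dirfile, "-XXXXXX", sizeof(dirfile)) >= sizeof(dirfile)) { fprintf(stderr, "TMPDIR too long\n"); done(1); }`, and likewise for modefile. This assumes dirfile and modefile are declared as arrays, so that sizeof gives the buffer size; their declarations and the rest of extractdirs are outside the hunks.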
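Review bot: The snprintf result in the setdirmodes hunk is discarded with `(void)`, so a TMPDIR long enough to truncate modefile leaves a silently shortened path that the code after the hunk then presumably uses as the mode file name. Capturing the length and failing on truncation makes the limit explicit instead of producing the "odd truncated filenames" the commit message mentions: `len = snprintf(modefile, sizeof(modefile), "%s/rstmode%jd", tmpdir, (intmax_t)dumpdate);` followed by `if (len < 0 || (size_t)len >= sizeof(modefile)) { fprintf(stderr, "TMPDIR too long\n"); done(1); }`. The enclosing `if (command == 'r' || command == 'R')` has no braces, so it would need them once the check is added. The same check fits the two snprintf calls in extractdirs.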