From 9730ef297346cfd769ba247aef1904a7deff1d0d Mon Sep 17 00:00:00 2001 From: "Andrey A. Chernov" Date: Thu, 19 Dec 1996 10:45:16 +0000 Subject: [PATCH] Even more buffer overflow fixes Change CATMODE to 0644, because group man not used Add immutable sbit to man binary, so if user even got man uid, he can't replace man binary with fake one Should go to 2.2 Submitted by: Marc Slemko with small editing by me --- gnu/usr.bin/man/man/Makefile | 3 +- gnu/usr.bin/man/man/man.c | 100 +++++++++++++++++------------------ 2 files changed, 52 insertions(+), 51 deletions(-) diff --git a/gnu/usr.bin/man/man/Makefile b/gnu/usr.bin/man/man/Makefile index 9aff7372dc7..f0b5bb3b351 100644 --- a/gnu/usr.bin/man/man/Makefile +++ b/gnu/usr.bin/man/man/Makefile @@ -2,6 +2,7 @@ PROG= man SRCS= man.c manpath.c glob.c BINOWN= man BINMODE=4555 +INSTALLFLAGS+= -fschg .if exists(${.OBJDIR}/../lib) LIBDESTDIR= ${.OBJDIR}/../lib @@ -19,7 +20,7 @@ MAN1= ${.CURDIR}/man.1 .endif CFLAGS+= -I${.CURDIR}/../lib -DSTDC_HEADERS -DPOSIX -DHAS_TROFF -CFLAGS+= -DDO_COMPRESS -DALT_SYSTEMS -DSETREUID -DCATMODE=0664 +CFLAGS+= -DDO_COMPRESS -DALT_SYSTEMS -DSETREUID -DCATMODE=0644 CLEANFILES+= ${MAN1} MANDEPEND+= ${MAN1} diff --git a/gnu/usr.bin/man/man/man.c b/gnu/usr.bin/man/man/man.c index d9a9c701039..fdfab5ad973 100644 --- a/gnu/usr.bin/man/man/man.c +++ b/gnu/usr.bin/man/man/man.c @@ -435,9 +435,7 @@ man_getopt (argc, argv) fprintf (stderr, "Alternate system `%s' specified\n", alt_system_name); - strcpy (buf, p); - strcat (buf, "/"); - strcat (buf, alt_system_name); + snprintf(buf, sizeof(buf), "%s/%s", p, alt_system_name); mp = add_dir_to_mpath_list (mp, buf); } 
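Review bot: The new `INSTALLFLAGS+= -fschg` line in the first Makefile hunk carries no comment, so a later reader of the Makefile cannot tell why an ordinary user binary is installed system-immutable. I would put `# schg: a process that gains the "man" uid (BINOWN) must not be able to replace this setuid binary` directly above it. It is also worth stating there that a reinstall has to clear the flag first, which, as far as I know, the kernel refuses at a raised securelevel.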
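Review bot: The `snprintf` into `buf` in man_getopt (hunk -435) ignores its return value, so an over-long `p` or `alt_system_name` is silently cut and the shortened path is still handed to `add_dir_to_mpath_list`. The overflow is gone, but the search path can then name a directory nobody specified; I would skip the entry on truncation, e.g. `if (snprintf(buf, sizeof(buf), "%s/%s", p, alt_system_name) < (int)sizeof(buf)) mp = add_dir_to_mpath_list (mp, buf);`. The same unchecked truncation applies to the `snprintf` calls in ultimate_source (hunk -775) and add_directive (hunk -791), where the result looks like it ends up in a command string. The declaration of `buf` is outside this hunk, so `sizeof(buf)` is the right bound only if it is an array there.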
@@ -537,15 +535,17 @@ convert_name (name, to_cat) #ifdef DO_COMPRESS if (to_cat) { - int len = strlen (name) + 3; + int olen = strlen(name); int cextlen = strlen(COMPRESS_EXT); + int len = olen + cextlen; - to_name = (char *) malloc (len); + to_name = malloc (len+1); if (to_name == NULL) - gripe_alloc (len, "to_name"); + gripe_alloc (len+1, "to_name"); strcpy (to_name, name); + olen -= cextlen; /* Avoid tacking it on twice */ - if (strcmp(name + (len - (3 + cextlen)), COMPRESS_EXT)) + if (olen >= 1 && strcmp(name + olen, COMPRESS_EXT) != 0) strcat (to_name, COMPRESS_EXT); } else @@ -749,8 +749,10 @@ ultimate_source (name, path) char *beg; char *end; - strcpy (ult, name); - strcpy (buf, name); + strncpy (ult, name, sizeof(ult)-1); + ult[sizeof(ult)-1] = '\0'; + strncpy (buf, name, sizeof(buf)-1); + ult[sizeof(buf)-1] = '\0'; next: @@ -775,11 +777,8 @@ ultimate_source (name, path) *end = '\0'; - strcpy (ult, path); - strcat (ult, "/"); - strcat (ult, beg); - - strcpy (buf, ult); + snprintf(ult, sizeof(ult), "%s/%s", path, beg); + snprintf(buf, sizeof(buf), "%s", ult); goto next; } @@ -791,34 +790,34 @@ ultimate_source (name, path) } void -add_directive (first, d, file, buf) +add_directive (first, d, file, buf, bufsize) int *first; char *d; char *file; char *buf; + int bufsize; { if (strcmp (d, "") != 0) { if (*first) { *first = 0; - strcpy (buf, d); - strcat (buf, " "); - strcat (buf, file); + snprintf(buf, bufsize, "%s %s", d, file); } else { - strcat (buf, " | "); - strcat (buf, d); + strncat (buf, " | ", bufsize-strlen(buf)-1); + strncat (buf, d, bufsize-strlen(buf)-1); } } } int -parse_roff_directive (cp, file, buf) +parse_roff_directive (cp, file, buf, bufsize) char *cp; char *file; char *buf; + int bufsize; { char c; int first = 1; 
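Review bot: In convert_name the new guard `olen >= 1 && strcmp(name + olen, COMPRESS_EXT) != 0` skips the `strcat` whenever the name is not longer than `COMPRESS_EXT`, so a name too short to already end in the extension comes back without it. The short case should append rather than skip: `if (olen < 0 || strcmp(name + olen, COMPRESS_EXT) != 0)`. Keeping the `strlen` results in `size_t` and comparing the lengths before subtracting would also avoid the negative intermediate. The function continues outside the hunk.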
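Review bot: The second terminator in ultimate_source (hunk -749) is written to the wrong array: after `strncpy (buf, name, sizeof(buf)-1);` the next line sets `ult[sizeof(buf)-1] = '\0';`, so `buf` stays unterminated when `name` fills it and `ult` is indexed with the size of a different buffer. It should read `buf[sizeof(buf)-1] = '\0';`. If the two arrays differ in size (their declarations are outside the hunk), the current line can also store past the end of `ult`. `snprintf(buf, sizeof(buf), "%s", name);`, as the -775 hunk already uses in the same function, would remove the two-step pattern altogether.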
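Review bot: `bufsize` is declared `int` in the old-style definitions of add_directive and parse_roff_directive (hunk -791), while the callers in make_roff_command pass `sizeof(buf)`, which is a `size_t`. Without a prototype in scope (none is visible in this diff) the argument is not converted to the parameter type, which is undefined wherever `size_t` and `int` differ in width. Declaring the parameter as `size_t bufsize;` fixes that and keeps `bufsize-strlen(buf)-1` in a single type. The body of parse_roff_directive continues outside the hunk.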
@@ -834,9 +833,9 @@ parse_roff_directive (cp, file, buf) fprintf (stderr, "found eqn(1) directive\n"); if (troff) - add_directive (&first, EQN, file, buf); + add_directive (&first, EQN, file, buf, bufsize); else - add_directive (&first, NEQN, file, buf); + add_directive (&first, NEQN, file, buf, bufsize); break; @@ -845,7 +844,7 @@ parse_roff_directive (cp, file, buf) if (debug) fprintf (stderr, "found grap(1) directive\n"); - add_directive (&first, GRAP, file, buf); + add_directive (&first, GRAP, file, buf, bufsize); break; @@ -854,7 +853,7 @@ parse_roff_directive (cp, file, buf) if (debug) fprintf (stderr, "found pic(1) directive\n"); - add_directive (&first, PIC, file, buf); + add_directive (&first, PIC, file, buf, bufsize); break; @@ -864,7 +863,7 @@ parse_roff_directive (cp, file, buf) fprintf (stderr, "found tbl(1) directive\n"); tbl_found++; - add_directive (&first, TBL, file, buf); + add_directive (&first, TBL, file, buf, bufsize); break; case 'v': @@ -872,7 +871,7 @@ parse_roff_directive (cp, file, buf) if (debug) fprintf (stderr, "found vgrind(1) directive\n"); - add_directive (&first, VGRIND, file, buf); + add_directive (&first, VGRIND, file, buf, bufsize); break; case 'r': @@ -880,7 +879,7 @@ parse_roff_directive (cp, file, buf) if (debug) fprintf (stderr, "found refer(1) directive\n"); - add_directive (&first, REFER, file, buf); + add_directive (&first, REFER, file, buf, bufsize); break; case ' ': 
@@ -903,19 +902,19 @@ parse_roff_directive (cp, file, buf) #ifdef HAS_TROFF if (troff) { - strcat (buf, " | "); - strcat (buf, TROFF); + strncat (buf, " | ", bufsize-strlen(buf)-1); + strncat (buf, TROFF, bufsize-strlen(buf)-1); } else #endif { - strcat (buf, " | "); - strcat (buf, NROFF); + strncat (buf, " | ", bufsize-strlen(buf)-1); + strncat (buf, NROFF, bufsize-strlen(buf)-1); } if (tbl_found && !troff && strcmp (COL, "") != 0) { - strcat (buf, " | "); - strcat (buf, COL); + strncat (buf, " | ", bufsize-strlen(buf)-1); + strncat (buf, COL, bufsize-strlen(buf)-1); } return 0; @@ -936,7 +935,7 @@ make_roff_command (file) if (debug) fprintf (stderr, "parsing directive from command line\n"); - status = parse_roff_directive (roff_directive, file, buf); + status = parse_roff_directive (roff_directive, file, buf, sizeof(buf)); if (status == 0) return buf; @@ -948,13 +947,13 @@ make_roff_command (file) if ((fp = fopen (file, "r")) != NULL) { cp = line; - fgets (line, 100, fp); + fgets (line, BUFSIZ, fp); if (*cp++ == '\'' && *cp++ == '\\' && *cp++ == '"' && *cp++ == ' ') { if (debug) fprintf (stderr, "parsing directive from file\n"); - status = parse_roff_directive (cp, file, buf); + status = parse_roff_directive (cp, file, buf, sizeof(buf)); fclose (fp); @@ -980,7 +979,7 @@ make_roff_command (file) if (debug) fprintf (stderr, "parsing directive from environment\n"); - status = parse_roff_directive (cp, file, buf); + status = parse_roff_directive (cp, file, buf, sizeof(buf)); if (status == 0) return buf; @@ -1000,13 +999,13 @@ make_roff_command (file) { if (strcmp (TBL, "") != 0) { - strcat (buf, TBL); - strcat (buf, " | "); - strcat (buf, TROFF); + strncat(buf, TBL, sizeof(buf)-strlen(buf)-1); + strncat(buf, " | ", sizeof(buf)-strlen(buf)-1); + strncat(buf, TROFF, sizeof(buf)-strlen(buf)-1); } else { - strcat (buf, TROFF); + strncat(buf, TROFF, sizeof(buf)-strlen(buf)-1); } } else 
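Review bot: The `fgets (line, BUFSIZ, fp);` call in make_roff_command (hunk -948) hard-codes the limit and does not check the result. The declaration of `line` is outside the hunk; raising the limit from 100 is only safe if that array is at least `BUFSIZ` bytes, and `sizeof(line)` would tie the bound to the real size. On an empty or unreadable file `line` holds stale or indeterminate bytes, and the `*cp++` comparisons that follow then read them. I would write `if (fgets (line, sizeof(line), fp) == NULL) line[0] = '\0';`.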
@@ -1014,19 +1013,19 @@ make_roff_command (file) { if (strcmp (TBL, "") != 0) { - strcat (buf, TBL); - strcat (buf, " | "); - strcat (buf, NROFF); + strncat(buf, TBL, sizeof(buf)-strlen(buf)-1); + strncat(buf, " | ", sizeof(buf)-strlen(buf)-1); + strncat(buf, NROFF, sizeof(buf)-strlen(buf)-1); } else { - strcpy (buf, NROFF); + strncpy (buf, NROFF, sizeof(buf)); } if (strcmp (COL, "") != 0) { - strcat (buf, " | "); - strcat (buf, COL); + strncat (buf, " | ", sizeof(buf)-strlen(buf)-1); + strncat (buf, COL, sizeof(buf)-strlen(buf)-1); } } return buf; @@ -1514,7 +1513,8 @@ get_section_list () int i; char *p; char *end; - static char *tmp_section_list[100]; +#define TMP_SECTION_LIST_SIZE 100 + static char *tmp_section_list[TMP_SECTION_LIST_SIZE]; if (colon_sep_section_list == NULL) { @@ -1529,7 +1529,7 @@ get_section_list () } i = 0; - for (p = colon_sep_section_list; ; p = end+1) + for (p = colon_sep_section_list; i < TMP_SECTION_LIST_SIZE ; p = end+1) { if ((end = strchr (p, ':')) != NULL) *end = '\0';
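Review bot: `strncpy (buf, NROFF, sizeof(buf));` in the nroff default branch (hunk -1014) does not guarantee a terminating NUL, unlike the other copies this commit converts, and the `strncat` calls right after it depend on `strlen(buf)`. `snprintf(buf, sizeof(buf), "%s", NROFF);` matches the pattern used in ultimate_source and always terminates. NROFF is presumably a build-time constant, so this is about consistency more than reachability. The TBL branches here and in the -1000 hunk use `strncat` as the first write, which is only correct if `buf` is an empty string at that point; the diff does not show that.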
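Review bot: The new loop bound `i < TMP_SECTION_LIST_SIZE` in get_section_list (hunk -1529) lets `i` reach the array size, and the rest of the loop and what follows it are outside the hunk. If the code after the loop stores a terminating NULL at `tmp_section_list[i]`, as a list like this usually needs, that store lands one element past the array; `i < TMP_SECTION_LIST_SIZE - 1` leaves room for it. The `#define` added inside the function body in the -1514 hunk stays defined for the rest of the file, so `enum { TMP_SECTION_LIST_SIZE = 100 };` would keep the name local.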