Convert many uses of strcpy/strcat (and sometimes sprintf) to accepted

string-handling functions.

ticket: 6200
status: open

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21001 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/appl/bsd/krsh.c b/src/appl/bsd/krsh.c
index b12e2532571fe8f676187b263b4314923d9b0b52..6441891ee0f1e8ad89c13dbd3c7d49db6c7a181f 100644 (file)
--- a/src/appl/bsd/krsh.c
+++ b/src/appl/bsd/krsh.c
@@ -128,7 +128,7 @@ main(argc, argv0)
      char **argv0;
 {
     int rem, pid = 0;
-    char *host=0, *cp, **ap, buf[RCMD_BUFSIZ], *args, **argv = argv0, *user = 0;
+    char *host=0, **ap, buf[RCMD_BUFSIZ], *args, **argv = argv0, *user = 0;
     register int cc;
     struct passwd *pwd;
     fd_set readfrom, ready;
@@ -320,17 +320,13 @@ main(argc, argv0)
       cc += strlen(*ap) + 1;
     if (encrypt_flag)
       cc += 3;
-    cp = args = (char *) malloc((unsigned) cc);
-    if (encrypt_flag) {
-      strcpy(args, "-x ");
-      cp += 3;
-    }
+    args = (char *) malloc((unsigned) cc);
+    if (encrypt_flag)
+      strlcpy(args, "-x ", cc);
     for (ap = argv; *ap; ap++) {
-       (void) strcpy(cp, *ap);
-       while (*cp)
-         cp++;
+      (void) strlcat(args, *ap, cc);
        if (ap[1])
-         *cp++ = ' ';
+         strlcat(args, " ", cc);
     }
 
     if(debug_port == 0) {

diff --git a/src/appl/bsd/krshd.c b/src/appl/bsd/krshd.c
index 0c2c82eab42214f22fde1c366f451b736f84b253..2b4c383bf1151857be62442c26e64a927df0e977 100644 (file)
--- a/src/appl/bsd/krshd.c
+++ b/src/appl/bsd/krshd.c
@@ -1522,19 +1522,18 @@ void doit(f, fromp)
                offst = 3;
        }
 
-        strcpy((char *) cmdbuf + offst, kprogdir);
+        strlcpy(cmdbuf + offst, kprogdir, sizeof(cmdbuf) - offst);
        cp = copy + 3 + offst;
 
-       cmdbuf[sizeof(cmdbuf) - 1] = '\0';
-       if (auth_sys == KRB5_RECVAUTH_V4) {
-         strncat(cmdbuf, "/v4rcp", sizeof(cmdbuf) - 1 - strlen(cmdbuf));
-       } else {
-         strncat(cmdbuf, "/rcp", sizeof(cmdbuf) - 1 - strlen(cmdbuf));
-       }
+       if (auth_sys == KRB5_RECVAUTH_V4)
+         strlcat(cmdbuf, "/v4rcp", sizeof(cmdbuf));
+       else
+         strlcat(cmdbuf, "/rcp", sizeof(cmdbuf));
+
        if (stat((char *)cmdbuf + offst, &s2) >= 0)
-         strncat(cmdbuf, cp, sizeof(cmdbuf) - 1 - strlen(cmdbuf));
+         strlcat(cmdbuf, cp, sizeof(cmdbuf));
        else
-         strncpy(cmdbuf, copy, sizeof(cmdbuf) - 1 - strlen(cmdbuf));
+         strlcpy(cmdbuf, copy, sizeof(cmdbuf));
        free(copy);
     }
 #endif
@@ -1948,27 +1947,17 @@ recvauth(netfd, peersin, valid_checksum)
        struct sockaddr_storage adr;
        unsigned int adr_length = sizeof(adr);
        int e;
-       unsigned int buflen = strlen(cmdbuf)+strlen(locuser)+32;
-       char * chksumbuf = (char *) malloc(buflen);
+       char namebuf[32], *chksumbuf = NULL;
 
-       if (chksumbuf == 0)
-           goto error_cleanup;
        if (getsockname(netfd, (struct sockaddr *) &adr, &adr_length) != 0)
            goto error_cleanup;
 
        e = getnameinfo((struct sockaddr *)&adr, adr_length, 0, 0,
-                       chksumbuf, buflen, NI_NUMERICSERV);
-       if (e) {
-           free(chksumbuf);
+                       namebuf, sizeof(namebuf), NI_NUMERICSERV);
+       if (e)
            fatal(netfd, "local error: can't examine port number");
-       }
-       if (strlen(chksumbuf) > 30) {
-           free(chksumbuf);
-           fatal(netfd, "wacky local port number?!");
-       }
-       strcat(chksumbuf, ":");
-       strcat(chksumbuf,cmdbuf);
-       strcat(chksumbuf,locuser);
+       if (asprintf(&chksumbuf, "%s:%s%s", namebuf, cmdbuf, locuser) < 0)
+           goto error_cleanup;
 
        status = krb5_verify_checksum(bsd_context,
                                      authenticator->checksum->checksum_type,

diff --git a/src/appl/gssftp/ftp/ftp.c b/src/appl/gssftp/ftp/ftp.c
index 1e4a0dcb4af6a9a37737a6cd39cedee0cabee3a8..af5732c58404c7bcd9517f127364c52e2bb14132 100644 (file)
--- a/src/appl/gssftp/ftp/ftp.c
+++ b/src/appl/gssftp/ftp/ftp.c
@@ -719,7 +719,8 @@ int getreply(int expecteof)
                                if(msg_data.app_length < sizeof(ibuf) - 2) {
                                    memmove(ibuf, msg_data.app_data,
                                            msg_data.app_length);
-                                   strcpy(&ibuf[msg_data.app_length], "\r\n");
+                                   memcpy(&ibuf[msg_data.app_length], "\r\n",
+                                          3);
                                } else {
                                    printf("Message too long!");
                                }
@@ -747,7 +748,7 @@ int getreply(int expecteof)
                                  if(msg_buf.length < sizeof(ibuf) - 2 - 1) {
                                    memcpy(ibuf, msg_buf.value, 
                                           msg_buf.length);
-                                   strcpy(&ibuf[msg_buf.length], "\r\n");
+                                   memcpy(&ibuf[msg_buf.length], "\r\n", 3);
                                  } else {
                                    user_gss_error(maj_stat, min_stat, 
                                                   "reply was too long");

diff --git a/src/appl/gssftp/ftp/glob.c b/src/appl/gssftp/ftp/glob.c
index 2b7839205ba60b5c38debcddbb9b00583cb905af..bbbcb4457c678ebd6a6ce1a91629b7aff7c029b2 100644 (file)
--- a/src/appl/gssftp/ftp/glob.c
+++ b/src/appl/gssftp/ftp/glob.c
@@ -213,7 +213,8 @@ expand(as)
                                *gpathp = 0;
                                if (gethdir(gpath + 1))
                                        globerr = "Unknown user name after ~";
-                               (void) strcpy(gpath, gpath + 1);
+                               (void) memmove(gpath, gpath + 1,
+                                              strlen(gpath));
                        } else
                                (void) strncpy(gpath, home, FTP_BUFSIZ - 1);
                        gpath[FTP_BUFSIZ - 1] = '\0';

diff --git a/src/appl/gssftp/ftpd/ftpcmd.y b/src/appl/gssftp/ftpd/ftpcmd.y
index f304541a946c9b6e1c55e063f4761fa91f165041..73655a4aaf016cb7bbdd857e03ad23cd673abd5b 100644 (file)
--- a/src/appl/gssftp/ftpd/ftpcmd.y
+++ b/src/appl/gssftp/ftpd/ftpcmd.y
@@ -1108,7 +1108,7 @@ ftpd_getline(s, n, iop)
                    return(s);
                }
                (void) memcpy(s, msg_data.app_data, msg_data.app_length);
-               (void) strcpy(s+msg_data.app_length, "\r\n");
+               (void) memcpy(s+msg_data.app_length, "\r\n", 3);
            }
 #endif /* KRB5_KRB4_COMPAT */
 #ifdef GSSAPI
@@ -1140,7 +1140,7 @@ ftpd_getline(s, n, iop)
                }
 
                memcpy(s, msg_buf.value, msg_buf.length);
-               strcpy(s+msg_buf.length-(s[msg_buf.length-1]?0:1), "\r\n");
+               memcpy(s+msg_buf.length-(s[msg_buf.length-1]?0:1), "\r\n", 3);
                gss_release_buffer(&min_stat, &msg_buf);
            }
 #endif /* GSSAPI */

diff --git a/src/appl/telnet/libtelnet/gettytab.c b/src/appl/telnet/libtelnet/gettytab.c
index aaad43aad7b8a7634493e1cddedda9338c3b3770..d50f8797ebaa24b2b362e9282568cdff9dc846da 100644 (file)
--- a/src/appl/telnet/libtelnet/gettytab.c
+++ b/src/appl/telnet/libtelnet/gettytab.c
@@ -117,7 +117,7 @@ nchktc()
                write(2, "Gettytab entry too long\n", 24);
                q[TABBUFSIZ - (p-tbuf)] = 0;
        }
-       strcpy(p, q+1);
+       strlcpy(p, q+1, TABBUFSIZ - (p-tbuf));
        tbuf = holdtbuf;
        return(1);
 }

diff --git a/src/kadmin/cli/kadmin.c b/src/kadmin/cli/kadmin.c
index e5a336aa054d0703bb014b35c54ed5594e382c4d..ea64826d323ea2e338e02fd7e4158bf2522db0f9 100644 (file)
--- a/src/kadmin/cli/kadmin.c
+++ b/src/kadmin/cli/kadmin.c
@@ -161,23 +161,22 @@ kadmin_parse_name(name, principal)
 {
     char *cp, *fullname;
     krb5_error_code retval;
+    int result;
 
     /* assumes def_realm is initialized! */
-    fullname = (char *)malloc(strlen(name) + 1 + strlen(def_realm) + 1);
-    if (fullname == NULL)
-       return ENOMEM;
-    strcpy(fullname, name);
-    cp = strchr(fullname, '@');
+    cp = strchr(name, '@');
     while (cp) {
-       if (cp - fullname && *(cp - 1) != '\\')
+       if (cp - name && *(cp - 1) != '\\')
            break;
        else
            cp = strchr(cp + 1, '@');
     }
-    if (cp == NULL) {
-       strcat(fullname, "@");
-       strcat(fullname, def_realm);
-    }
+    if (cp == NULL)
+       result = asprintf(&fullname, "%s@%s", name, def_realm);
+    else
+       fullname = strdup(name);
+    if (result < 0)
+       return ENOMEM;
     retval = krb5_parse_name(context, fullname, principal);
     free(fullname);
     return retval;

diff --git a/src/kadmin/server/ipropd_svc.c b/src/kadmin/server/ipropd_svc.c
index b834425b388ff49cf440e4976b3de49e4b3c671c..a76057cbe858f0da8c2f471e97064439870812d4 100644 (file)
--- a/src/kadmin/server/ipropd_svc.c
+++ b/src/kadmin/server/ipropd_svc.c
@@ -33,14 +33,15 @@ extern gss_name_t rqst2name(struct svc_req *rqstp);
 
 extern int setup_gss_names(struct svc_req *, gss_buffer_desc *,
                           gss_buffer_desc *);
-extern char *client_addr(struct svc_req *, char *);
 extern void *global_server_handle;
 extern int nofork;
 extern short l_port;
 static char abuf[33];
 
-char *client_addr(struct svc_req *svc, char *buf) {
-    return strcpy(buf, inet_ntoa(svc->rq_xprt->xp_raddr.sin_addr));
+/* Result is stored in a static buffer and is invalidated by the next call. */
+static const char *client_addr(struct svc_req *svc) {
+    strlcpy(abuf, inet_ntoa(svc->rq_xprt->xp_raddr.sin_addr), sizeof(abuf));
+    return abuf;
 }
 
 static char *reply_ok_str      = "UPDATE_OK";
@@ -183,7 +184,7 @@ iprop_get_updates_1_svc(kdb_last_t *arg, struct svc_req *rqstp)
 
        krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, whoami,
                         "<null>", client_name, service_name,
-                        client_addr(rqstp, abuf));
+                        client_addr(rqstp));
        goto out;
     }
 
@@ -206,7 +207,7 @@ iprop_get_updates_1_svc(kdb_last_t *arg, struct svc_req *rqstp)
                     obuf,
                     ((kret == 0) ? "success" : error_message(kret)),
                     client_name, service_name,
-                    client_addr(rqstp, abuf));
+                    client_addr(rqstp));
 
 out:
     if (nofork)
@@ -222,7 +223,7 @@ out:
  * Return arg cl str ptr on success, else NULL.
  */
 static char *
-getclhoststr(char *clprinc, char *cl, int len)
+getclhoststr(char *clprinc, char *cl, size_t len)
 {
     char *s;
     if ((s = strchr(clprinc, '/')) != NULL) {
@@ -301,7 +302,7 @@ iprop_full_resync_1_svc(/* LINTED */ void *argp, struct svc_req *rqstp)
 
        krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, whoami,
                         "<null>", client_name, service_name,
-                        client_addr(rqstp, abuf));
+                        client_addr(rqstp));
        goto out;
     }
 
@@ -406,7 +407,7 @@ iprop_full_resync_1_svc(/* LINTED */ void *argp, struct svc_req *rqstp)
                         "<null>",
                         "success",
                         client_name, service_name,
-                        client_addr(rqstp, abuf));
+                        client_addr(rqstp));
 
        goto out;
     }

diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 4b2ce474e440fa3e3215dcbd2b8573de479fbfa3..d66832bbe4186c489b05ca1acc70a5f5a523459a 100644 (file)
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -567,6 +567,7 @@ add_to_transited(krb5_data *tgt_trans, krb5_data *new_trans,
   char        *realm;
   char        *trans;
   char        *otrans, *otrans_ptr;
+  size_t       bufsize;
 
   /* The following are for stepping through the transited field     */
 
@@ -595,7 +596,10 @@ add_to_transited(krb5_data *tgt_trans, krb5_data *new_trans,
   /* +1 for null, 
      +1 for extra comma which may be added between
      +1 for potential space when leading slash in realm */
-  if (!(trans = (char *) malloc(strlen(realm) + strlen(otrans) + 3))) {
+  bufsize = strlen(realm) + strlen(otrans) + 3;
+  if (bufsize > MAX_REALM_LN)
+    bufsize = MAX_REALM_LN;
+  if (!(trans = (char *) malloc(bufsize))) {
     retval = ENOMEM;
     goto fail;
   }
@@ -783,17 +787,15 @@ add_to_transited(krb5_data *tgt_trans, krb5_data *new_trans,
     }
 
     if (new_trans->length != 0) {
-      if (strlen(trans) + 2 >= MAX_REALM_LN) {
+      if (strlcat(trans, ",", bufsize) >= bufsize) {
        retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
        goto fail;
       }
-      strcat(trans, ",");
     }
-    if (strlen(trans) + strlen(current) + 1 >= MAX_REALM_LN) {
+    if (strlcat(trans, current, bufsize) >= bufsize) {
       retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
       goto fail;
     }
-    strcat(trans, current);
     new_trans->length = strlen(trans);
 
     strncpy(prev, exp, sizeof(prev) - 1);
@@ -804,24 +806,21 @@ add_to_transited(krb5_data *tgt_trans, krb5_data *new_trans,
 
   if (!added) {
     if (new_trans->length != 0) {
-      if (strlen(trans) + 2 >= MAX_REALM_LN) {
+      if (strlcat(trans, ",", bufsize) >= bufsize) {
        retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
        goto fail;
       }
-      strcat(trans, ",");
     }
     if((realm[0] == '/') && trans[0]) {
-      if (strlen(trans) + 2 >= MAX_REALM_LN) {
+      if (strlcat(trans, " ", bufsize) >= bufsize) {
        retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
        goto fail;
       }
-      strcat(trans, " ");
     }
-    if (strlen(trans) + strlen(realm) + 1 >= MAX_REALM_LN) {
+    if (strlcat(trans, realm, bufsize) >= bufsize) {
       retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
       goto fail;
     }
-    strcat(trans, realm);
     new_trans->length = strlen(trans);
   }
 
@@ -1532,7 +1531,7 @@ ktypes2str(char *s, size_t len, int nktypes, krb5_enctype *ktype)
        snprintf(stmp, sizeof(stmp), "%s%ld", i ? " " : "", (long)ktype[i]);
        if (strlen(s) + strlen(stmp) + sizeof("}") > len)
            break;
-       strcat(s, stmp);
+       strlcat(s, stmp, len);
     }
     if (i < nktypes) {
        /*
@@ -1547,9 +1546,9 @@ ktypes2str(char *s, size_t len, int nktypes, krb5_enctype *ktype)
                continue;
            }
        }
-       strcat(s, "...");
+       strlcat(s, "...", len);
     }
-    strcat(s, "}");
+    strlcat(s, "}", len);
     return;
 }
 
@@ -1569,7 +1568,7 @@ rep_etypes2str(char *s, size_t len, krb5_kdc_rep *rep)
     if (rep->ticket != NULL) {
        snprintf(stmp, sizeof(stmp),
                 " tkt=%ld", (long)rep->ticket->enc_part.enctype);
-       strcat(s, stmp);
+       strlcat(s, stmp, len);
     }
 
     if (rep->ticket != NULL
@@ -1577,9 +1576,9 @@ rep_etypes2str(char *s, size_t len, krb5_kdc_rep *rep)
        && rep->ticket->enc_part2->session != NULL) {
        snprintf(stmp, sizeof(stmp), " ses=%ld",
                 (long)rep->ticket->enc_part2->session->enctype);
-       strcat(s, stmp);
+       strlcat(s, stmp, len);
     }
-    strcat(s, "}");
+    strlcat(s, "}", len);
     return;
 }
 

diff --git a/src/kdc/kerberos_v4.c b/src/kdc/kerberos_v4.c
index 8ac015b7f323dcf5fc5f9e029a716270261a6f93..a0c74a18b23aaf51876c6dafd60c70c67251e324 100644 (file)
--- a/src/kdc/kerberos_v4.c
+++ b/src/kdc/kerberos_v4.c
@@ -1012,8 +1012,7 @@ kerb_err_reply(struct sockaddr_in *client, KTEXT pkt, long int err, char *string
     KTEXT   e_pkt = &e_pkt_st;
     static char e_msg[128];
 
-    strcpy(e_msg, "\nKerberos error -- ");
-    strncat(e_msg, string, sizeof(e_msg) - 1 - 19);
+    snprintf(e_msg, sizeof(e_msg), "\nKerberos error -- %s", string);
     cr_err_reply(e_pkt, req_name_ptr, req_inst_ptr, req_realm_ptr,
                 req_time_ws, err, e_msg);
     return make_response((char *) e_pkt->dat, e_pkt->length);

diff --git a/src/lib/krb5/krb/parse.c b/src/lib/krb5/krb/parse.c
index fbcc49db0d6eea4eef51f716a6e4fb1dbc1262e0..c6b1f6ebe65b73fe27e80a6ebd91e72cf3d629ff 100644 (file)
--- a/src/lib/krb5/krb/parse.c
+++ b/src/lib/krb5/krb/parse.c
@@ -270,7 +270,7 @@ krb5_parse_name(krb5_context context, const char *name, krb5_principal *nprincip
        }
        *q++ = '\0';
        if (!parsed_realm)
-               strcpy(krb5_princ_realm(context, principal)->data, default_realm);
+               strlcpy(krb5_princ_realm(context, principal)->data, default_realm, realmsize + 1);
        /*
         * Alright, we're done.  Now stuff a pointer to this monstrosity
         * into the return variable, and let's get out of here.

diff --git a/src/lib/krb5/os/dnssrv.c b/src/lib/krb5/os/dnssrv.c
index d726fb7e54de4dbdee9b3fd77ccd8a577f7ad523..e10d01d04b2e6066ef0e621a01bb635bfeeebf99 100644 (file)
--- a/src/lib/krb5/os/dnssrv.c
+++ b/src/lib/krb5/os/dnssrv.c
@@ -60,10 +60,11 @@ krb5int_make_srv_query_realm(const krb5_data *realm,
                             struct srv_dns_entry **answers)
 {
     const unsigned char *p = NULL, *base = NULL;
-    char host[MAXDNAME], *h;
-    int size, ret, rdlen, nlen;
+    char host[MAXDNAME];
+    int size, ret, rdlen, nlen, len;
     unsigned short priority, weight, port;
     struct krb5int_dns_state *ds = NULL;
+    struct k5buf buf;
 
     struct srv_dns_entry *head = NULL;
     struct srv_dns_entry *srv = NULL, *entry = NULL;
@@ -81,13 +82,9 @@ krb5int_make_srv_query_realm(const krb5_data *realm,
 
     if (memchr(realm->data, 0, realm->length))
        return 0;
-    if ( strlen(service) + strlen(protocol) + realm->length + 6 
-         > MAXDNAME )
-       return 0;
-    if (snprintf(host, sizeof(host), "%s.%s.%.*s",
-                service, protocol, (int) realm->length,
-                realm->data) >= sizeof(host))
-       return 0;
+    krb5int_buf_init_fixed(&buf, host, sizeof(host));
+    krb5int_buf_add_fmt(&buf, "%s.%s.", service, protocol);
+    krb5int_buf_add_len(&buf, realm->data, realm->length);
 
     /* Realm names don't (normally) end with ".", but if the query
        doesn't end with "." and doesn't get an answer as is, the
@@ -98,9 +95,12 @@ krb5int_make_srv_query_realm(const krb5_data *realm,
        a search on the prefix alone then the intention is to allow
        the local domain or domain search lists to be expanded.  */
 
-    h = host + strlen (host);
-    if ((h[-1] != '.') && ((h - host + 1) < sizeof(host)))
-        strcpy (h, ".");
+    len = krb5int_buf_len(&buf);
+    if (len > 0 && host[len - 1] != '.')
+       krb5int_buf_add(&buf, ".");
+
+    if (krb5int_buf_cstr(&buf) == NULL)
+       return 0;
 
 #ifdef TEST
     fprintf (stderr, "sending DNS SRV query for %s\n", host);
@@ -144,10 +144,7 @@ krb5int_make_srv_query_realm(const krb5_data *realm,
        srv->port = port;
        /* The returned names are fully qualified.  Don't let the
           local resolver code do domain search path stuff.  */
-       if (strlen(host) + 2 < sizeof(host))
-           strcat(host, ".");
-       srv->host = strdup(host);
-       if (srv->host == NULL) {
+       if (asprintf(&srv->host, "%s.", host) < 0) {
            free(srv);
            goto out;
        }

diff --git a/src/lib/krb5/os/hst_realm.c b/src/lib/krb5/os/hst_realm.c
index 27641f73ad6f219112c03b195fa2b342ae3f1bb3..038348eaefcf58fdff34b023433b69c0c7eb1b0d 100644 (file)
--- a/src/lib/krb5/os/hst_realm.c
+++ b/src/lib/krb5/os/hst_realm.c
@@ -90,22 +90,20 @@ krb5_try_realm_txt_rr(const char *prefix, const char *name, char **realm)
 {
     krb5_error_code retval = KRB5_ERR_HOST_REALM_UNKNOWN;
     const unsigned char *p, *base;
-    char host[MAXDNAME], *h;
+    char host[MAXDNAME];
     int ret, rdlen, len;
     struct krb5int_dns_state *ds = NULL;
+    struct k5buf buf;
 
     /*
      * Form our query, and send it via DNS
      */
 
+    krb5int_buf_init_fixed(&buf, host, sizeof(host));
     if (name == NULL || name[0] == '\0') {
-        if (strlcpy(host, prefix, sizeof(host)) >= sizeof(host))
-           return KRB5_ERR_HOST_REALM_UNKNOWN;
+       krb5int_buf_add(&buf, prefix);
     } else {
-        if ( strlen(prefix) + strlen(name) + 3 > MAXDNAME )
-            return KRB5_ERR_HOST_REALM_UNKNOWN;
-        if (snprintf(host, sizeof(host), "%s.%s", prefix, name) >= sizeof(host))
-           return KRB5_ERR_HOST_REALM_UNKNOWN;
+       krb5int_buf_add_fmt(&buf, "%s.%s", prefix, name);
 
         /* Realm names don't (normally) end with ".", but if the query
            doesn't end with "." and doesn't get an answer as is, the
@@ -117,10 +115,12 @@ krb5_try_realm_txt_rr(const char *prefix, const char *name, char **realm)
            the local domain or domain search lists to be expanded.
         */
 
-        h = host + strlen (host);
-        if ((h > host) && (h[-1] != '.') && ((h - host + 1) < sizeof(host)))
-            strcpy (h, ".");
+       len = krb5int_buf_len(&buf);
+       if (len > 0 && host[len - 1] != '.')
+           krb5int_buf_add(&buf, ".");
     }
+    if (krb5int_buf_cstr(&buf) == NULL)
+       return KRB5_ERR_HOST_REALM_UNKNOWN;
     ret = krb5int_dns_init(&ds, host, C_IN, T_TXT);
     if (ret < 0)
        goto errout;

diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c
index f95105678a49fb18da7c61fad761ba33a4432c58..f3cf219cadf109e9700d33d1f784504841f70262 100644 (file)
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c
@@ -125,16 +125,16 @@ krb5_ldap_readpassword(context, ldap_context, password)
        /* Check if the entry has the path of a certificate */
        if (!strncmp(start, "{FILE}", strlen("{FILE}"))) {
            /* Set *password = {FILE}<path to cert>\0<cert password> */
-           /*ptr = strchr(start, ':');
-             if (ptr == NULL) { */
-           *password = (unsigned char *)malloc(strlen(start) + 2);
+           size_t len = strlen(start);
+
+           *password = (unsigned char *)malloc(len + 2);
            if (*password == NULL) {
                st = ENOMEM;
                goto rp_exit;
            }
-           (*password)[strlen(start) + 1] = '\0';
-           (*password)[strlen(start)] = '\0';
-           strcpy((char *)(*password), start);
+           memcpy((char *)(*password), start, len);
+           (*password)[len] = '\0';
+           (*password)[len + 1] = '\0';
            goto got_password;
        } else {
            CT.value = (unsigned char *)start;

diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index 2ab23b03a43d57616d63a373db2efa1c0682c90b..2c1ec38a7fae5e0f81b0e366beaa1c8656fe9837 100644 (file)
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -3200,6 +3200,7 @@ pkinit_login(krb5_context context,
 {
     krb5_data rdat;
     char *prompt;
+    const char *warning;
     krb5_prompt kprompt;
     krb5_prompt_type prompt_type;
     int r = 0;
@@ -3208,15 +3209,17 @@ pkinit_login(krb5_context context,
        rdat.data = NULL;
        rdat.length = 0;
     } else {
-       if ((prompt = (char *) malloc(sizeof (tip->label) + 32)) == NULL)
-           return ENOMEM;
-       sprintf(prompt, "%.*s PIN", sizeof (tip->label), tip->label);
        if (tip->flags & CKF_USER_PIN_LOCKED)
-           strcat(prompt, " (Warning: PIN locked)");
+           warning = " (Warning: PIN locked)";
        else if (tip->flags & CKF_USER_PIN_FINAL_TRY)
-           strcat(prompt, " (Warning: PIN final try)");
+           warning = " (Warning: PIN final try)";
        else if (tip->flags & CKF_USER_PIN_COUNT_LOW)
-           strcat(prompt, " (Warning: PIN count low)");
+           warning = " (Warning: PIN count low)";
+       else
+           warning = "";
+       if (asprintf(&prompt, "%.*s PIN%s", (int) sizeof (tip->label),
+                    tip->label, warning) < 0)
+           return ENOMEM;
        rdat.data = (char *)malloc(tip->ulMaxPinLen + 2);
        rdat.length = tip->ulMaxPinLen + 1;
 

diff --git a/src/tests/asn.1/ktest.c b/src/tests/asn.1/ktest.c
index 76120744ad49422e54359b4de7f539a2f6326359..3418f2c49e1b2e5c349f7b72942efa3e8b37596b 100644 (file)
--- a/src/tests/asn.1/ktest.c
+++ b/src/tests/asn.1/ktest.c
@@ -637,8 +637,8 @@ krb5_error_code ktest_make_sample_etype_info(p)
     krb5_etype_info_entry *** p;
 {
     krb5_etype_info_entry **info;
-    int        i;
-    char buf[80];
+    int        i, len;
+    char *str;
 
     info = malloc(sizeof(krb5_etype_info_entry *) * 4);
     if (!info)
@@ -650,11 +650,11 @@ krb5_error_code ktest_make_sample_etype_info(p)
        if (info[i] == 0)
            goto memfail;
        info[i]->etype = i;
-       sprintf(buf, "Morton's #%d", i);
-       info[i]->length = strlen(buf);
-       info[i]->salt = (unsigned char *) strdup(buf);
-       if (info[i]->salt == 0)
+       len = asprintf(&str, "Morton's #%d", i);
+       if (len < 0)
            goto memfail;
+       info[i]->salt = (krb5_octet *) str;
+       info[i]->length = len;
        info[i]->s2kparams.data = NULL;
        info[i]->s2kparams.length = 0;
        info[i]->magic = KV5M_ETYPE_INFO_ENTRY;
@@ -674,8 +674,8 @@ krb5_error_code ktest_make_sample_etype_info2(p)
     krb5_etype_info_entry *** p;
 {
     krb5_etype_info_entry **info;
-    int        i;
-    char buf[80];
+    int        i, len;
+    char *str;
 
     info = malloc(sizeof(krb5_etype_info_entry *) * 4);
     if (!info)
@@ -687,17 +687,15 @@ krb5_error_code ktest_make_sample_etype_info2(p)
        if (info[i] == 0)
            goto memfail;
        info[i]->etype = i;
-       sprintf(buf, "Morton's #%d", i);
-       info[i]->length = strlen(buf);
-       info[i]->salt = (unsigned char *) strdup(buf);
-       if (info[i]->salt == 0)
+       len = asprintf(&str, "Morton's #%d", i);
+       if (len < 0)
            goto memfail;
-       sprintf(buf, "s2k: %d", i);
-       info[i]->s2kparams.data = malloc(strlen(buf)+1);
-       if (info[i]->s2kparams.data == NULL)
+       info[i]->salt = (krb5_octet *) str;
+       info[i]->length = (unsigned int) len;
+       len = asprintf(&info[i]->s2kparams.data, "s2k: %d", i);
+       if (len < 0)
            goto memfail;
-       strcpy( info[i]->s2kparams.data, buf);
-       info[i]->s2kparams.length = strlen(buf);
+       info[i]->s2kparams.length = (unsigned int) len;
        info[i]->magic = KV5M_ETYPE_INFO_ENTRY;
     }
     free(info[1]->salt);
@@ -830,17 +828,18 @@ krb5_error_code ktest_make_sample_enc_sam_response_enc_2(p)
 #ifdef ENABLE_LDAP
 static krb5_error_code ktest_make_sample_key_data(krb5_key_data *p, int i)
 {
-    char buf[10];
+    char *str;
+    int len;
     p->key_data_ver = 2;
     p->key_data_kvno = 42;
-    sprintf(buf, "key%d", i);
+    len = asprintf(&str, "key%d", i);
     p->key_data_type[0] = 2;
-    p->key_data_length[0] = strlen(buf);
-    p->key_data_contents[0] = strdup(buf);
-    sprintf(buf, "salt%d", i);
+    p->key_data_length[0] = (unsigned int) len;
+    p->key_data_contents[0] = (krb5_octet *) str;
+    len = asprintf(&str, "salt%d", i);
     p->key_data_type[1] = i;
-    p->key_data_length[1] = strlen(buf);
-    p->key_data_contents[1] = strdup(buf);
+    p->key_data_length[1] = (unsigned int) len;
+    p->key_data_contents[1] = (krb5_octet *) str;
     if (p->key_data_contents[0] == NULL || p->key_data_contents[1] == NULL)
        return ENOMEM;
     return 0;

diff --git a/src/util/profile/prof_file.c b/src/util/profile/prof_file.c
index 4851788e66f043cd5f3a13833edd26d5b5fb5826..fad1b28710c4a34f50a33277ce40a17c0eedd063 100644 (file)
--- a/src/util/profile/prof_file.c
+++ b/src/util/profile/prof_file.c
@@ -182,7 +182,7 @@ profile_make_prf_data(const char *filename)
     memset(d, 0, len);
     fcopy = (char *) d + slen;
     assert(fcopy == d->filespec);
-    strcpy(fcopy, filename);
+    strlcpy(fcopy, filename, flen + 1);
     d->refcount = 1;
     d->comment = NULL;
     d->magic = PROF_MAGIC_FILE_DATA;