1 diff -ur sysvinit-2.78.orig/src/bootlogd.c sysvinit-2.78/src/bootlogd.c
2 --- sysvinit-2.78.orig/src/bootlogd.c Mon Oct 4 13:19:19 1999
3 +++ sysvinit-2.78/src/bootlogd.c Tue Aug 8 06:36:47 2000
5 * Scan /dev and find the device name.
6 * Side-effect: directory is changed to /dev
8 -int findtty(char *res, dev_t dev)
9 +int findtty(char **res, dev_t dev)
15 fprintf(stderr, "bootlogd: cannot find console device\n");
18 - strcpy(res, ent->d_name);
20 + *res = strdup(ent->d_name);
27 * Find out the _real_ console. Assume that stdin is connected to
28 * the console device (/dev/console).
30 -int consolename(char *res)
31 +int consolename(char **res)
34 #if TIOCTTYGSTRUCT_HACK
49 * Open console device directly.
51 - if (consolename(buf) < 0)
52 + if (consolename(&console) < 0)
54 - if ((realfd = open(buf, O_WRONLY|O_NONBLOCK)) < 0) {
55 - fprintf(stderr, "bootlogd: %s: %s\n", buf, strerror(errno));
56 + if ((realfd = open(console, O_WRONLY|O_NONBLOCK)) < 0) {
57 + fprintf(stderr, "bootlogd: %s: %s\n", console, strerror(errno));
60 n = fcntl(realfd, F_GETFL);
63 * Grab a pty, and redirect console messages to it.
65 - if (openpty(&ptm, &pts, buf, NULL, NULL) < 0) {
66 + if (openpty(&ptm, &pts, console, NULL, NULL) < 0) {
67 fprintf(stderr, "bootlogd: cannot allocate pseudo tty\n");
72 if (ioctl(pts, TIOCCONS, NULL) < 0) {
73 fprintf(stderr, "bootlogd: ioctl(%s, TIOCCONS): %s\n",
74 - buf, strerror(errno));
75 + console, strerror(errno));
80 * Perhaps we need to open the logfile.
82 if (fp == NULL && rotate && access(logfile, F_OK) == 0) {
83 - sprintf(buf, "%s~", logfile);
84 - rename(logfile, buf);
85 + backfile = malloc(strlen(logfile) + 2);
86 + if (!backfile) break;
87 + sprintf(backfile, "%s~", logfile);
88 + rename(logfile, backfile);
91 fp = fopen(logfile, "a");
92 diff -ur sysvinit-2.78.orig/src/dowall.c sysvinit-2.78/src/dowall.c
93 --- sysvinit-2.78.orig/src/dowall.c Tue Apr 20 01:10:10 1999
94 +++ sysvinit-2.78/src/dowall.c Tue Aug 8 06:50:06 2000
96 if ((tty = ttyname(0)) != (char *)0) {
97 if (strncmp(tty, "/dev/", 5) == 0)
99 - sprintf(ttynm, "(%s) ", tty);
100 + snprintf(ttynm, sizeof(ttynm), "(%s) ", tty);
109 + snprintf(line, sizeof(line),
110 "\007\r\nRemote broadcast message %s...\r\n\r\n",
113 @@ -124,10 +124,14 @@
114 while ((utmp = getutent()) != NULL) {
115 if(utmp->ut_type != USER_PROCESS ||
116 utmp->ut_user[0] == 0) continue;
117 - if (strncmp(utmp->ut_line, "/dev/", 5) == 0)
118 - strcpy(term, utmp->ut_line);
120 - sprintf(term, "/dev/%s", utmp->ut_line);
121 +/* AUDIT: is ut_line always NUL-terminated? This code will at least not
122 + * overflow the buffer if not. */
123 + if (strlen(utmp->ut_line) >= sizeof(term) - 5) continue;
124 + if (strncmp(utmp->ut_line, "/dev/", 5) == 0) {
126 + strncat(term, utmp->ut_line, sizeof(term) - 1);
128 + snprintf(term, sizeof(term), "/dev/%s", utmp->ut_line);
131 * Sometimes the open/write hangs in spite of the O_NDELAY
132 diff -ur sysvinit-2.78.orig/src/init.c sysvinit-2.78/src/init.c
133 --- sysvinit-2.78.orig/src/init.c Fri Feb 11 14:17:02 2000
134 +++ sysvinit-2.78/src/init.c Tue Aug 8 08:07:37 2000
136 # define SIGPWR SIGUSR2
140 +__attribute__ ((format (printf, 2, 3)))
142 +void log(int loglevel, char *s, ...);
144 /* Set a signal handler. */
145 #define SETSIG(sa, sig, fun, flags) \
147 @@ -416,10 +421,11 @@
151 - * Set the process title. We do not check for overflow of
152 - * the stack space since we know there is plenty for
153 - * our needs and we'll never use more than 10 bytes anyway.
154 + * Set the process title.
157 +__attribute__ ((format (printf, 1, 2)))
159 int setproctitle(char *fmt, ...)
166 - len = vsprintf(buf, fmt, ap);
167 + len = vsnprintf(buf, sizeof(buf), fmt, ap);
170 memset(argv0, 0, maxproclen + 1);
173 * Log something to a logfile and the console.
176 +__attribute__ ((format (printf, 2, 3)))
178 void log(int loglevel, char *s, ...)
182 * Re-etablish connection with syslogd every time.
184 openlog("init", 0, LOG_DAEMON);
185 - syslog(LOG_INFO, buf);
186 + syslog(LOG_INFO, "%s", buf);
187 /* closelog(); NOT needed with recent libc's. */
192 /* Split up command line arguments */
193 strncpy(buf, proc, sizeof(buf) - 1);
194 + buf[sizeof(buf) - 1] = '\0';
196 for(f = 1; f < 15; f++) {
197 /* Skip white space */
198 @@ -1003,7 +1013,7 @@
202 - log(L_VB, "cannot fork, retry..", NULL, NULL);
203 + log(L_VB, "cannot fork, retry..");
207 diff -ur sysvinit-2.78.orig/src/killall5.c sysvinit-2.78/src/killall5.c
208 --- sysvinit-2.78.orig/src/killall5.c Wed Oct 7 00:34:46 1998
209 +++ sysvinit-2.78/src/killall5.c Tue Aug 8 07:21:08 2000
213 char *progname; /* the name of the running program */
215 +__attribute__ ((format (printf, 2, 3)))
217 void nsyslog(int pri, char *fmt, ...);
219 /* Malloc space, barf if out of memory. */
221 memset(p, 0, sizeof(PROC));
223 /* Open the statistics file. */
224 - sprintf(path, "/proc/%s/stat", d->d_name);
225 + snprintf(path, sizeof(path), "/proc/%s/stat", d->d_name);
227 /* Read SID & statname from it. */
228 if ((fp = fopen(path, "r")) != NULL) {
232 /* Now read argv[0] */
233 - sprintf(path, "/proc/%s/cmdline", d->d_name);
234 + snprintf(path, sizeof(path), "/proc/%s/cmdline", d->d_name);
235 if ((fp = fopen(path, "r")) != NULL) {
237 while(f < 127 && (c = fgetc(fp)) != EOF && c) buf[f++] = c;
241 /* Try to stat the executable. */
242 - sprintf(path, "/proc/%s/exe", d->d_name);
243 + snprintf(path, sizeof(path), "/proc/%s/exe", d->d_name);
244 if (stat(path, &st) == 0) {
250 /* write to syslog file if not open terminal */
252 +__attribute__ ((format (printf, 2, 3)))
254 void nsyslog(int pri, char *fmt, ...)
257 diff -ur sysvinit-2.78.orig/src/last.c sysvinit-2.78/src/last.c
258 --- sysvinit-2.78.orig/src/last.c Wed Nov 24 15:24:53 1999
259 +++ sysvinit-2.78/src/last.c Tue Aug 8 07:39:02 2000
265 #include <netinet/in.h>
267 #include <arpa/inet.h>
270 * Lookup a host with DNS.
272 -int dns_lookup(char *result, char *org, unsigned int ip)
273 +int dns_lookup(char *result, int size, char *org, unsigned int ip)
278 strcpy(result, inet_ntoa(*(struct in_addr *)&ip));
281 - strncpy(result, h->h_name, 256);
284 + strncat(result, h->h_name, size - 1);
288 @@ -396,11 +397,13 @@
292 + assert(UT_HOSTSIZE <= sizeof(domain));
295 * Look up host with DNS if needed.
298 - dns_lookup(domain, p->ut_host, p->ut_addr);
299 + dns_lookup(domain, sizeof(domain), p->ut_host, p->ut_addr);
301 in.s_addr = p->ut_addr;
302 strcpy(domain, inet_ntoa(in));
303 @@ -418,17 +421,20 @@
304 strcmp(s + 1, domainname) == 0) *s = 0;
307 - sprintf(final, "%-8.8s %-12.12s %-16.16s %-16.16s %-7.7s %-12.12s\n",
308 + snprintf(final, sizeof(final),
309 + "%-8.8s %-12.12s %-16.16s "
310 + "%-16.16s %-7.7s %-12.12s\n",
312 domain, logintime, logouttime, length);
315 + snprintf(final, sizeof(final),
316 "%-8.8s %-12.12s %-16.16s %-7.7s %-12.12s %s\n",
318 logintime, logouttime, length, domain);
321 - sprintf(final, "%-8.8s %-12.12s %-16.16s %-7.7s %-12.12s\n",
322 + snprintf(final, sizeof(final),
323 + "%-8.8s %-12.12s %-16.16s %-7.7s %-12.12s\n",
325 logintime, logouttime, length);
328 * Print out "final" string safely.
330 for (s = final; *s; s++) {
331 - if (*s == '\n' || (*s >= 32 && (unsigned char)*s <= 128))
332 + if (*s == '\n' || (*s >= 32 && (unsigned char)*s <= 126))
336 @@ -547,10 +553,11 @@
339 /* Find out domainname. */
340 - (void) gethostname(hostname, 256);
341 + (void) gethostname(hostname, sizeof(hostname));
342 if ((domainname = strchr(hostname, '.')) != NULL) domainname++;
343 if (domainname == NULL || domainname[0] == 0) {
344 - (void) getdomainname(hostname, 256);
345 + (void) getdomainname(hostname, sizeof(hostname));
346 + hostname[sizeof(hostname) - 1] = '\0';
347 domainname = hostname;
348 if (strcmp(domainname, "(none)") == 0 || domainname[0] == 0)
350 diff -ur sysvinit-2.78.orig/src/shutdown.c sysvinit-2.78/src/shutdown.c
351 --- sysvinit-2.78.orig/src/shutdown.c Sat Nov 13 19:39:01 1999
352 +++ sysvinit-2.78/src/shutdown.c Tue Aug 8 07:47:47 2000
353 @@ -110,17 +110,19 @@
357 - char buf[MESSAGELEN + 64];
358 + char buf[MESSAGELEN + sizeof(newstate)];
361 - strcpy(buf, message);
363 + strncat(buf, message, sizeof(buf) - 1);
367 - sprintf(buf + len, "\rThe system is going down %s NOW !!\r\n",
368 + snprintf(buf + len, sizeof(buf) - len,
369 + "\rThe system is going down %s NOW !!\r\n",
373 + snprintf(buf + len, sizeof(buf) - len,
374 "\rThe system is going DOWN %s in %d minute%s !!\r\n",
375 newstate, mins, mins == 1 ? "" : "s");
379 /* See if this is a user process on a VC. */
380 if (ut->ut_type != USER_PROCESS) continue;
381 - sprintf(buf, "/dev/%s", ut->ut_line);
382 + if (strlen(ut->ut_line) >= sizeof(buf) - 5) continue;
383 + snprintf(buf, sizeof(buf), "/dev/%s", ut->ut_line);
384 if (stat(buf, &st) < 0) continue;
385 if ((st.st_rdev & 0xFFC0) != 0x0400) continue;
387 diff -ur sysvinit-2.78.orig/src/wall.c sysvinit-2.78/src/wall.c
388 --- sysvinit-2.78.orig/src/wall.c Tue Jul 28 15:22:56 1998
389 +++ sysvinit-2.78/src/wall.c Tue Aug 8 07:41:34 2000
391 if ((argc - optind) > 0) {
392 for(f = optind; f < argc; f++) {
393 len += strlen(argv[f]) + 1;
394 - if (len >= MAXLEN) break;
395 + if (len >= MAXLEN - 2) break;
396 strcat(buf, argv[f]);