From d3a4eeb1fe44187895e570f8015f17b63eecfbb8 Mon Sep 17 00:00:00 2001 From: explorer Date: Sat, 7 Sep 1996 21:05:37 +0000 Subject: [PATCH] Fix some potential buffer overflow problems. From David Holland --- usr.bin/tftp/main.c | 13 ++++++++----- usr.sbin/rwhod/rwhod.c | 9 +++++++-- 2 files changed, 15 insertions(+), 7 deletions(-) diff --git a/usr.bin/tftp/main.c b/usr.bin/tftp/main.c index 1595cadef5a9..49dd77d667b0 100644 --- a/usr.bin/tftp/main.c +++ b/usr.bin/tftp/main.c @@ -1,4 +1,4 @@ -/* $NetBSD: main.c,v 1.6 1995/05/21 16:54:10 mycroft Exp $ */ +/* $NetBSD: main.c,v 1.7 1996/09/07 21:05:37 explorer Exp $ */ /* * Copyright (c) 1983, 1993 @@ -43,7 +43,7 @@ static char copyright[] = #if 0 static char sccsid[] = "@(#)main.c 8.1 (Berkeley) 6/6/93"; #endif -static char rcsid[] = "$NetBSD: main.c,v 1.6 1995/05/21 16:54:10 mycroft Exp $"; +static char rcsid[] = "$NetBSD: main.c,v 1.7 1996/09/07 21:05:37 explorer Exp $"; #endif /* not lint */ /* Many bug fixes are from Jim Guyton */ @@ -222,7 +222,8 @@ setpeer(argc, argv) } peeraddr.sin_family = host->h_addrtype; bcopy(host->h_addr, &peeraddr.sin_addr, host->h_length); - (void) strcpy(hostname, host->h_name); + (void) strncpy(hostname, host->h_name, sizeof(hostname)); + hostname[sizeof(hostname)-1] = 0; } port = sp->s_port; if (argc == 3) { @@ -359,7 +360,8 @@ put(argc, argv) bcopy(hp->h_addr, (caddr_t)&peeraddr.sin_addr, hp->h_length); peeraddr.sin_family = hp->h_addrtype; connected = 1; - strcpy(hostname, hp->h_name); + strncpy(hostname, hp->h_name, sizeof(hostname)); + hostname[sizeof(hostname)-1] = 0; } if (!connected) { printf("No target machine specified.\n"); @@ -456,7 +458,8 @@ get(argc, argv) hp->h_length); peeraddr.sin_family = hp->h_addrtype; connected = 1; - strcpy(hostname, hp->h_name); + strncpy(hostname, hp->h_name, sizeof(hostname)); + hostname[sizeof(hostname)-1] = 0; } if (argc < 4) { cp = argc == 3 ? argv[2] : tail(src); 
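Review bot: The `bcopy(host->h_addr, &peeraddr.sin_addr, host->h_length)` just above the new `strncpy` in setpeer() still copies a lookup-supplied length into a fixed-size field, so this commit bounds the name but not the address; put() and get() repeat the pattern with `hp->h_length`. Unless the resolver guarantees that h_length matches the size of `sin_addr` (not visible here), a guard before each copy such as `if ((size_t)host->h_length > sizeof(peeraddr.sin_addr)) return;` would close that gap, with the exact error handling left to the surrounding code. The strncpy-plus-terminator pair is correct but truncates silently and appears three times, so a short comment like `/* truncation is acceptable: hostname is only used for display */` would record the intent, if that is indeed how `hostname` is used. All three functions begin and end outside their hunks.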
diff --git a/usr.sbin/rwhod/rwhod.c b/usr.sbin/rwhod/rwhod.c index e7b8921a1994..bd61b7cc47b1 100644 --- a/usr.sbin/rwhod/rwhod.c +++ b/usr.sbin/rwhod/rwhod.c @@ -39,7 +39,7 @@ static char copyright[] = #ifndef lint /*static char sccsid[] = "@(#)rwhod.c 8.1 (Berkeley) 6/6/93";*/ -static char rcsid[] = "$Id: rwhod.c,v 1.8 1994/05/29 02:53:23 jtc Exp $"; +static char rcsid[] = "$Id: rwhod.c,v 1.9 1996/09/07 21:12:57 explorer Exp $"; #endif /* not lint */ #include @@ -193,12 +193,17 @@ main(argc, argv) continue; if (wd.wd_type != WHODTYPE_STATUS) continue; + /* + * Ensure null termination of the name within the packet. + * Otherwise we might overflow or read past the end. + */ + wd.wd_hostname[sizeof(wd.wd_hostname)-1] = 0; if (!verify(wd.wd_hostname)) { syslog(LOG_WARNING, "malformed host name from %x", from.sin_addr); continue; } - (void) sprintf(path, "whod.%s", wd.wd_hostname); + snprintf(path, sizeof(path), "whod.%s", wd.wd_hostname); /* * Rather than truncating and growing the file each time, * use ftruncate if size is less than previous size.
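Review bot: The `syslog(LOG_WARNING, "malformed host name from %x", from.sin_addr)` call that reports rejected packets passes `from.sin_addr` (a struct, assuming `from` is a sockaddr_in) where `%x` expects an unsigned int, so the logged sender address is unreliable exactly when it is needed to trace bad packets. `syslog(LOG_WARNING, "malformed host name from %s", inet_ntoa(from.sin_addr));` would make that log line usable. On the new `snprintf` line the return value is ignored; `path` is declared outside the hunk, so if it can be shorter than `whod.` plus the host name, a truncated result would silently name a different spool file and is worth comparing against `sizeof(path)`. main() continues outside the hunk.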