4706048 *tip* cmds.c,uucplock.c,tipout.c use unsafe creat,fopen

5 files changed, 20 insertions, 12 deletions

diff --git a/usr/src/cmd/tip/cmds.c b/usr/src/cmd/tip/cmds.c
index d4ae2d66e4..bc3c6c59d3 100644
--- a/usr/src/cmd/tip/cmds.c
+++ b/usr/src/cmd/tip/cmds.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -12,6 +12,7 @@
 #pragma ident	"%Z%%M%	%I%	%E% SMI"
 
 #include "tip.h"
+#include <limits.h>
 #ifdef USG
 #include <unistd.h>
 #else
@@ -604,6 +605,11 @@ void
 setscript(void)
 {
 	char c;
+
+	if (strlen(value(RECORD)) >= PATH_MAX-1) {
+		(void) fprintf(stderr, "tip: record file name too long\r\n");
+		return;
+	}
 	/*
 	 * enable TIPOUT side for dialogue
 	 */
diff --git a/usr/src/cmd/tip/cu.c b/usr/src/cmd/tip/cu.c
index 3f4cee8add..fb911d64bd 100644
--- a/usr/src/cmd/tip/cu.c
+++ b/usr/src/cmd/tip/cu.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -23,7 +23,7 @@ void
 cumain(int argc, char *argv[])
 {
 	int i;
-	static char sbuf[12];
+	static char sbuf[14];
 
 	if (argc < 2) {
 usage:
@@ -89,7 +89,7 @@ usage:
 	 * The "cu" host name is used to define the
 	 * attributes of the generic dialer.
 	 */
-	(void) sprintf(sbuf, "cu%d", BR);
+	(void) snprintf(sbuf, sizeof (sbuf), "cu%d", BR);
 	if ((i = hunt(sbuf)) == 0) {
 		(void) printf("all ports busy\n");
 		exit(3);
diff --git a/usr/src/cmd/tip/tip.c b/usr/src/cmd/tip/tip.c
index c7306e3d5b..b912d6e33b 100644
--- a/usr/src/cmd/tip/tip.c
+++ b/usr/src/cmd/tip/tip.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -50,7 +50,7 @@ main(int argc, char *argv[])
 	char *system = NOSTR;
 	int i;
 	char *p;
-	char sbuf[12];
+	char sbuf[15];
 
 	gid = getgid();
 	egid = getegid();
@@ -115,7 +115,7 @@ main(int argc, char *argv[])
 	for (p = system; *p; p++)
 		*p = '\0';
 	PN = PNbuf;
-	(void) sprintf(sbuf, "tip%d", BR);
+	(void) snprintf(sbuf, sizeof (sbuf), "tip%d", BR);
 	system = sbuf;
 
 notnumber:
diff --git a/usr/src/cmd/tip/tipout.c b/usr/src/cmd/tip/tipout.c
index 94b9ff6f9b..befb468ca8 100644
--- a/usr/src/cmd/tip/tipout.c
+++ b/usr/src/cmd/tip/tipout.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -12,6 +12,7 @@
 #pragma ident	"%Z%%M%	%I%	%E% SMI"
 
 #include "tip.h"
+#include <limits.h>
 
 /*
  * tip
@@ -42,12 +43,12 @@ intIOT(void)
 void
 intEMT(void)
 {
-	char c, line[256];
+	char c, line[PATH_MAX];
 	char *pline = line;
 	char reply;
 
 	(void) read(fildes[0], &c, 1);
-	while (c != '\n') {
+	while (c != '\n' && line + sizeof (line) - pline > 1) {
 		*pline++ = c;
 		(void) read(fildes[0], &c, 1);
 	}
diff --git a/usr/src/cmd/tip/uucplock.c b/usr/src/cmd/tip/uucplock.c
index 8eaf2d16d0..017b144c38 100644
--- a/usr/src/cmd/tip/uucplock.c
+++ b/usr/src/cmd/tip/uucplock.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -85,7 +85,8 @@ ulockf(char *file, time_t atime)
 	static char tempfile[NAMESIZE];
 
 	if (pid[0] == '\0') {
-		(void) sprintf(pid, "%*d\n", SIZEOFPID, (int)getpid());
+		(void) snprintf(pid, sizeof (pid), "%*d\n", SIZEOFPID,
+		    (int)getpid());
 		(void) snprintf(tempfile, sizeof (tempfile),
 		    "%s/LTMP.%d", LOCKDIR, getpid());
 	}