diff -r 919022ccbcf3 doc/coding-guidelines
--- a/doc/coding-guidelines	Tue May 21 03:42:22 2013 +0000
+++ b/doc/coding-guidelines	Mon May 20 22:57:25 2013 -0600
@@ -98,24 +98,29 @@
     Some code is old and horrible and has a mix of tabs and spaces used for
     spacing, that's something we do not want to have ;)
 
-17. Be careful about overflows. As you know a line from a user can never be longer
-    than 511 (510?) characters, sometimes you can use this knowledge to your
-    advantage. Whenever it's not safe or when you don't know what input size you
-    can expect, use strlcpy instead of strcpy. Do not ever use strncpy, this is
-    older, slower, and does not add proper zero termination.
-    For the same reason, use snprintf if really needed. Note though, that using
-    ircsprintf with a bigger buffer (eg: 1024 bytes) is MUCH faster, so preferably
-    use that instead of snprintf. The same can be true for strcpy vs strlcpy in
-    some circumstances as well.
+17. Be careful about overflows. Do not do any unchecked string copies
+    (specifically do not use sprintf, strcat, or strcpy, and do not use
+    unqualified %s format specifiers in fscanf and scanf).  Additionally, do not
+    use strncpy (use strlcpy, which does correct null termination).  Recall that
+    strncat's size parameter doesn't include the null terminator (use size-1),
+    but that almost everything else (except strncpy, which is forbidden) takes
+    the actual size and accounts for the null.  Do not dereference a pointer you
+    can't prove is valid (this includes loops with moving pointers for string
+    operations).  Prefer ircsnprintf to chains of strlcpy and strncat, as it
+    relieves you of length accounting.  Never assume a buffer is long enough, as
+    attackers often find ways around filters and protocol constraints and
+    can sometimes overwrite constants.  Always pass in the correct length; never
+    guess the length.
 
 18. Speed.  When optimizing or writing code, keep in mind that readability and
     stability comes FIRST, and after that comes speed. So we'd rather prefer some
     readable code (even if difficult) over some odd highly optimized routine which
     nobody understands, is difficult to extend, and might have several bugs.
-    As mentioned earlier: use ircsprintf, not sprintf (this is because ircsprintf
-    is optimized for simple strings like the ones we use).
-    Prefer ircsprintf with a bigger buffer over the use of snprintf, since
-    ircsprintf is much faster.
+    As mentioned earlier: use ircsnprintf, not snprintf (this is because
+    ircsnprintf is optimized for simple strings like the ones we use).
+    ircsnprintf calls snprintf when it finds a (non-simple) format specifier it
+    can't handle.  Simple format specifiers do not have prefixes other than
+    h and l.
 
 19. Initialize your structs and use the proper memory calls.
     In UnrealIRCd we use MyMalloc, MyMallocEx and MyFree (so not malloc/free).
diff -r 919022ccbcf3 extras/burst.c
--- a/extras/burst.c	Tue May 21 03:42:22 2013 +0000
+++ b/extras/burst.c	Mon May 20 22:57:25 2013 -0600
@@ -83,7 +83,7 @@
   bzero ((char *) addr, sizeof (socket_address) );
 
   if ( address_family == AF_UNIX ) {
-    strcpy(addr->unixx.sun_path,hostname);
+    strlcpy(addr->unixx.sun_path,hostname, sizeof(addr->unixx.sun_path));
     *len2=sizeof( struct sockaddr_un );
   } else {
     if ((hostname) && (hostname[0])) {
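Review bot: The return value of the new `strlcpy` on the AF_UNIX branch is discarded, so a `hostname` longer than `sun_path` is silently truncated and the address then names a different socket path than the caller asked for. Comparing the result with the buffer size catches this: `if (strlcpy(addr->unixx.sun_path, hostname, sizeof(addr->unixx.sun_path)) >= sizeof(addr->unixx.sun_path))` followed by the function's error return. The else branch tests `hostname` for NULL before using it, while this branch passes it to `strlcpy` unchecked. The enclosing function starts and ends outside the hunk, so its error convention is not visible here.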
@@ -228,7 +228,7 @@
 void initialize(aClient *robotptr) {
   char passphrase[MYBUFSIZE];
   robotptr->socket=create_client(uplinkservername, atol(jupereason));
-  sprintf(passphrase,
+  snprintf(passphrase, MYBUFSIZE,
 	  "PROTOCTL %s %s %s %s %s %s %s %s\r\n", 
 	  	(options & 0x1) ? "NOQUIT" : "",
 	  	(options & 0x2) ? "TOKEN" : "",
@@ -239,7 +239,7 @@
 	  	(options & 0x40) ? "NS" : "",
 	  	(options & 0x100) ? "SJ3" : "",
   write(robotptr->socket, passphrase, strlen(passphrase));
-  sprintf(passphrase, "PASS %s\r\nSERVER %s 1 :[Burst analysis].\r\n",
+  snprintf(passphrase, MYBUFSIZE, "PASS %s\r\nSERVER %s 1 :[Burst analysis].\r\n",
 	  password,jupedservername);
   write(robotptr->socket, passphrase, strlen(passphrase));
 }
diff -r 919022ccbcf3 extras/defizzer.c
--- a/extras/defizzer.c	Tue May 21 03:42:22 2013 +0000
+++ b/extras/defizzer.c	Mon May 20 22:57:25 2013 -0600
@@ -84,8 +84,8 @@
 
 	tkllayer[4] = hostip;
 	tkllayer[5] = me.name;
-	ircsprintf(mo, "%li", 86400 + TStime());
-	ircsprintf(mo2, "%li", TStime());
+	ircsnprintf(mo, sizeof(mo), "%li", 86400 + TStime());
+	ircsnprintf(mo2, sizeof(mo), "%li", TStime());
 	tkllayer[6] = mo;
 	tkllayer[7] = mo2;
 	tkllayer[8] = "Fizzer";
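Review bot: The second added call bounds `mo2` with the size of a different buffer: `ircsnprintf(mo2, sizeof(mo), ...)`. If `mo2` is declared smaller than `mo`, the bound is too large and the write can still run past `mo2`; it should read `ircsnprintf(mo2, sizeof(mo2), "%li", TStime());`. Both declarations are outside the hunk, so whether the two sizes currently happen to match cannot be confirmed from here.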
diff -r 919022ccbcf3 extras/regex/regex.c
--- a/extras/regex/regex.c	Tue May 21 03:42:22 2013 +0000
+++ b/extras/regex/regex.c	Mon May 20 22:57:25 2013 -0600
@@ -4900,15 +4900,7 @@
   msg_size = strlen (msg) + 1; /* Includes the null.  */
   
   if (errbuf_size != 0)
-    {
-      if (msg_size > errbuf_size)
-        {
-          strncpy (errbuf, msg, errbuf_size - 1);
-          errbuf[errbuf_size - 1] = 0;
-        }
-      else
-        strcpy (errbuf, msg);
-    }
+    strlcpy(errbuf, msg, errbuf_size - 1);
 
   return msg_size;
 }
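Review bot: The replacement call `strlcpy(errbuf, msg, errbuf_size - 1)` passes one less than the buffer size, but `strlcpy` expects the full size and reserves the terminator itself. With `errbuf_size == 1` the size argument becomes 0 and nothing is written, so `errbuf` is left unterminated where the removed code stored `errbuf[0] = 0`; for larger buffers the message loses one more character than necessary. The call should be `strlcpy(errbuf, msg, errbuf_size);`, which also matches the rule added to doc/coding-guidelines in this commit. Whether this vendored file has a `strlcpy` declaration in scope is not visible in the hunk.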
diff -r 919022ccbcf3 include/config.h
--- a/include/config.h	Tue May 21 03:42:22 2013 +0000
+++ b/include/config.h	Mon May 20 22:57:25 2013 -0600
@@ -326,15 +326,6 @@
 #undef FAKELAG_CONFIGURABLE
 
 /*
- * Size of the LISTEN request.  Some machines handle this large
- * without problem, but not all.  It defaults to 5, but can be
- * raised if you know your machine handles it.
- */
-#ifndef LISTEN_SIZE
-#define LISTEN_SIZE 5
-#endif
-
-/*
  * Max amount of internal send buffering when socket is stuck (bytes)
  */
 #ifndef MAXSENDQLENGTH
diff -r 919022ccbcf3 include/h.h
--- a/include/h.h	Tue May 21 03:42:22 2013 +0000
+++ b/include/h.h	Mon May 20 22:57:25 2013 -0600
@@ -376,10 +376,10 @@
 extern void count_watch_memory(int *, u_long *);
 extern aWatch *hash_get_watch(char *);
 extern aChannel *hash_get_chan_bucket(unsigned int);
-extern aClient *hash_find_client(char *, aClient *);
-extern aClient *hash_find_id(char *, aClient *);
-extern aClient *hash_find_nickserver(char *, aClient *);
-extern aClient *hash_find_server(char *, aClient *);
+extern aClient *hash_find_client(const char *, aClient *);
+extern aClient *hash_find_id(const char *, aClient *);
+extern aClient *hash_find_nickserver(const char *, aClient *);
+extern aClient *hash_find_server(const char *, aClient *);
 extern char *find_by_aln(char *);
 extern char *convert2aln(int);
 extern int convertfromaln(char *);
@@ -576,7 +576,7 @@
 extern int do_chanflood(ChanFloodProt *, int);
 extern void do_chanflood_action(aChannel *, int, char *);
 extern char *channel_modef_string(ChanFloodProt *);
-extern void chmode_str(struct ChMode, char *, char *);
+extern void chmode_str(struct ChMode, char *, char *, size_t, size_t);
 extern char *get_cptr_status(aClient *);
 extern char *get_snostr(long);
 #ifdef _WIN32
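Review bot: The new `chmode_str` prototype leaves both `size_t` parameters unnamed, so a reader of the header cannot tell which size belongs to which buffer or whether it counts the terminator. The `channel_modes` prototype changed in this same file names its size parameters; doing the same here, for example `extern void chmode_str(struct ChMode, char *mbuf, char *pbuf, size_t mbuf_size, size_t pbuf_size);`, makes a swapped-argument call easier to spot. The names are assumed to mirror `channel_modes`, since the definition of `chmode_str` is not shown on this page.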
@@ -626,7 +626,7 @@
 extern aChannel *get_channel(aClient *cptr, char *chname, int flag);
 extern MODVAR char backupbuf[];
 extern void add_invite(aClient *, aClient *, aChannel *);
-extern void channel_modes(aClient *, char *, char *, aChannel *);
+extern void channel_modes(aClient *cptr, char *mbuf, char *pbuf, size_t mbuf_size, size_t pbuf_size, aChannel *chptr);
 extern MODVAR char modebuf[BUFSIZE], parabuf[BUFSIZE];
 extern int op_can_override(aClient *sptr);
 extern aClient *find_chasing(aClient *sptr, char *user, int *chasing);
diff -r 919022ccbcf3 include/ircsprintf.h
--- a/include/ircsprintf.h	Tue May 21 03:42:22 2013 +0000
+++ b/include/ircsprintf.h	Mon May 20 22:57:25 2013 -0600
@@ -21,8 +21,8 @@
 #define __attribute__(x) /* nothing */
 #endif
 
-extern char *ircvsprintf(char *str, const char *format, va_list);
-extern char *ircsprintf(char *str, const char *format, ...) __attribute__((format(printf,2,3)));
+extern char *ircvsnprintf(char *str, size_t size, const char *format, va_list);
+extern char *ircsnprintf(char *str, size_t size, const char *format, ...) __attribute__((format(printf,3,4)));
 
 extern const char atoi_tab[4000];
 
diff -r 919022ccbcf3 include/sys.h
--- a/include/sys.h	Tue May 21 03:42:22 2013 +0000
+++ b/include/sys.h	Mon May 20 22:57:25 2013 -0600
@@ -167,8 +167,6 @@
 #define MYOSNAME getosname()
 #endif
 #ifdef DEBUGMODE
-// #define ircsprintf sprintf
-//#define ircvsprintf vsprintf
 #endif
 
 #ifdef _WIN32
diff -r 919022ccbcf3 src/api-isupport.c
--- a/src/api-isupport.c	Tue May 21 03:42:22 2013 +0000
+++ b/src/api-isupport.c	Mon May 20 22:57:25 2013 -0600
@@ -75,32 +75,21 @@
 				len = 0;
 				IsupportStrings[++i] = MyMallocEx(bufsize); 
 			}
-			if (IsupportStrings[i][0])
-			{
-				strcat(IsupportStrings[i], " ");
-				toklen++;
-			}
-			strcat(IsupportStrings[i], isupport->token);
+			if (IsupportStrings[i][0]) toklen++;
+			ircsnprintf(IsupportStrings[i]+len, bufsize-len, "%s%s", IsupportStrings[i][0]? " ": "", isupport->token);
 			len += toklen;
 			tokcnt++;
 		}
 		else
 		{
 			toklen = strlen(isupport->token)+strlen(isupport->value)+1;
-			if (tokcnt == 13 || bufsize < len+toklen+1)
-			{
+			if (tokcnt == 13 || bufsize < len+toklen+1) {
 				tokcnt = 0;
 				len = 0;
 				IsupportStrings[++i] = MyMallocEx(bufsize);
 			}
-			if (IsupportStrings[i][0])
-			{
-				strcat(IsupportStrings[i], " ");
-				toklen++;
-			}
-			strcat(IsupportStrings[i], isupport->token);
-			strcat(IsupportStrings[i], "=");
-			strcat(IsupportStrings[i], isupport->value);
+			if (IsupportStrings[i][0]) toklen++;
+			ircsnprintf(IsupportStrings[i]+len, bufsize-len, "%s%s=%s", IsupportStrings[i][0]? " ": "", isupport->token, isupport->value);
 			len += toklen;
 			tokcnt++;
 		}	
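Review bot: The fit test `bufsize < len+toklen+1` runs before `if (IsupportStrings[i][0]) toklen++;`, so the separator space is never counted when deciding whether the token fits. When the token fills the buffer exactly, the old `strcat` chain overflowed by one byte; the new `ircsnprintf(IsupportStrings[i]+len, bufsize-len, ...)` instead drops the token's last character without any indication, and `len` then overstates the string length by one. Counting the separator in the test avoids both, e.g. `if (tokcnt == 13 || bufsize < len+toklen+2)`. The matching test for the first branch is above the hunk and presumably needs the same change.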
@@ -121,11 +110,11 @@
 	IsupportAdd(NULL, "STATUSMSG", "@%+");
 #endif
 	IsupportAdd(NULL, "ELIST", "MNUCT");
-	ircsprintf(tmpbuf, "~,%s", extbanstr);
+	ircsnprintf(tmpbuf, sizeof(tmpbuf), "~,%s", extbanstr);
 	IsupportAdd(NULL, "EXTBAN", tmpbuf);
 	IsupportAdd(NULL, "CASEMAPPING", "ascii");
 	IsupportAdd(NULL, "NETWORK", ircnet005);
-	ircsprintf(tmpbuf, CHPAR1 "%s," CHPAR2 "%s," CHPAR3 "%s," CHPAR4 "%s",
+	ircsnprintf(tmpbuf, sizeof(tmpbuf), CHPAR1 "%s," CHPAR2 "%s," CHPAR3 "%s," CHPAR4 "%s",
  			EXPAR1, EXPAR2, EXPAR3, EXPAR4);
 	IsupportAdd(NULL, "CHANMODES", tmpbuf);
 	IsupportAdd(NULL, "PREFIX", CHPFIX);
@@ -143,9 +132,9 @@
 	IsupportAdd(NULL, "CHANNELLEN", my_itoa(CHANNELLEN));
 	IsupportAdd(NULL, "NICKLEN", my_itoa(iConf.nicklen));
 	IsupportAdd(NULL, "MAXNICKLEN", my_itoa(NICKLEN));
-	ircsprintf(tmpbuf, "b:%d,e:%d,I:%d", MAXBANS, MAXBANS, MAXBANS);
+	ircsnprintf(tmpbuf, sizeof(tmpbuf), "b:%d,e:%d,I:%d", MAXBANS, MAXBANS, MAXBANS);
 	IsupportAdd(NULL, "MAXLIST", tmpbuf);
-	ircsprintf(tmpbuf, "#:%d", MAXCHANNELSPERUSER);
+	ircsnprintf(tmpbuf, sizeof(tmpbuf), "#:%d", MAXCHANNELSPERUSER);
 	IsupportAdd(NULL, "CHANLIMIT", tmpbuf);
 	IsupportAdd(NULL, "MAXCHANNELS", my_itoa(MAXCHANNELSPERUSER));
 	IsupportAdd(NULL, "HCN", NULL);
diff -r 919022ccbcf3 src/auth.c
--- a/src/auth.c	Tue May 21 03:42:22 2013 +0000
+++ b/src/auth.c	Mon May 20 22:57:25 2013 -0600
@@ -639,7 +639,7 @@
 	/* Good.. now create the whole string:
 	 * $<saltb64d>$<totalhashb64d>
 	 */
-	ircsprintf(buf, "$%s$%s", saltstr, xresult);
+	ircsnprintf(buf, sizeof(buf), "$%s$%s", saltstr, xresult);
 	return buf;
 }
 
@@ -718,7 +718,7 @@
 	/* Good.. now create the whole string:
 	 * $<saltb64d>$<totalhashb64d>
 	 */
-	ircsprintf(buf, "$%s$%s", saltstr, xresult);
+	ircsnprintf(buf, sizeof(buf), "$%s$%s", saltstr, xresult);
 	return buf;
 }
 #endif /* AUTHENABLE_SHA1 */
@@ -774,7 +774,7 @@
 	/* Good.. now create the whole string:
 	 * $<saltb64d>$<totalhashb64d>
 	 */
-	ircsprintf(buf, "$%s$%s", saltstr, xresult);
+	ircsnprintf(buf, sizeof(buf), "$%s$%s", saltstr, xresult);
 	return buf;
 }
 #endif /* AUTHENABLE_RIPEMD160 */
@@ -798,7 +798,7 @@
 			/* If our data is like 1 or none, we just let em through .. */
 			if (!(para[0] && para[1]))
 				return NULL;
-			sprintf(salt, "%02X", (unsigned int)getrandom8());
+			snprintf(salt, sizeof(salt), "%02X", (unsigned int)getrandom8());
 			return(crypt(para, salt));
 			break;
 #endif
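Review bot: The salt passed to `crypt()` is still two hex digits printed from a single `getrandom8()` byte, so only 256 distinct salts exist; bounding the write with `snprintf` does not change that. This is worth recording next to the call, for example `/* NOTE: salt is two hex digits from one random byte, i.e. only 256 distinct salts */`, until the salt is drawn from the full two-character crypt alphabet. `crypt()` can also return NULL and its result is returned directly, so callers outside this hunk need to handle that. The declaration of `salt` is not visible here; `sizeof(salt)` is only the right bound if it is an array in this scope.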
diff -r 919022ccbcf3 src/channel.c
--- a/src/channel.c	Tue May 21 03:42:22 2013 +0000
+++ b/src/channel.c	Mon May 20 22:57:25 2013 -0600
@@ -57,7 +57,7 @@
 
 /* Some forward declarations */
 char *clean_ban_mask(char *, int, aClient *);
-void channel_modes(aClient *, char *, char *, aChannel *);
+void channel_modes(aClient *cptr, char *mbuf, char *pbuf, size_t mbuf_size, size_t pbuf_size, aChannel *chptr);
 
 void sub1_from_channel(aChannel *);
 
@@ -392,9 +392,9 @@
 	bzero((char *)ban, sizeof(Ban));
 	ban->next = *list;
 	ban->banstr = (char *)MyMalloc(strlen(banid) + 1);
-	(void)strcpy(ban->banstr, banid);
+	(void)strlcpy(ban->banstr, banid, strlen(banid)+1);
 	ban->who = (char *)MyMalloc(strlen(cptr->name) + 1);
-	(void)strcpy(ban->who, cptr->name);
+	(void)strlcpy(ban->who, cptr->name, strlen(cptr->name)+1);
 	ban->when = TStime();
 	*list = ban;
 	return 0;
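Review bot: Both new `strlcpy` calls take their bound from the source string (`strlen(banid)+1`, `strlen(cptr->name)+1`) rather than from the destination, so they behave exactly like the `strcpy` they replace and walk each string an extra time. Computing the length once and using it for both the allocation and the copy makes the relationship explicit: `size_t n = strlen(banid) + 1;` then `ban->banstr = MyMalloc(n);` and `memcpy(ban->banstr, banid, n);`, and likewise for `ban->who`. The function begins above the hunk, so whether `MyMalloc` can return NULL here is not visible.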
@@ -840,25 +840,31 @@
 }
 
 /* [just a helper for channel_modef_string()] */
-static inline char *chmodefstrhelper(char *buf, char t, char tdef, unsigned short l, unsigned char a, unsigned char r)
+static inline char *chmodefstrhelper(char *buf, size_t size, char t, char tdef, unsigned short l, unsigned char a, unsigned char r)
 {
 char *p;
 char tmpbuf[16], *p2 = tmpbuf;
 
-	ircsprintf(buf, "%hd", l);
+	ircsnprintf(buf, size, "%hd", l);
 	p = buf + strlen(buf);
+        size_t p_size = size - strlen(buf);
+        if (!p_size) return 0;
 	*p++ = t;
+        if (!--p_size) return 0;
 	if (a && ((a != tdef) || r))
 	{
 		*p++ = '#';
+                if (!--p_size) return 0;
 		*p++ = a;
+                if (!--p_size) return 0;
 		if (r)
 		{
-			sprintf(tmpbuf, "%hd", (short)r);
-			while ((*p = *p2++))
+			snprintf(tmpbuf, sizeof(tmpbuf), "%hd", (short)r);
+			while (p_size-- && (*p = *p2++))
 				p++;
 		}
 	}
+        if (!p_size--) return 0;
 	*p++ = ',';
 	return p;
 }
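Review bot: In `chmodefstrhelper`, the bounded copy loop `while (p_size-- && (*p = *p2++))` wraps `p_size` around to `SIZE_MAX` when it reaches zero, because `p_size` is a `size_t` and the post-decrement still runs. The following `if (!p_size--) return 0;` then passes and `*p++ = ','` is stored one byte past the limit. Decrementing only after a successful store avoids the wrap: `while (p_size && (*p = *p2++)) { p++; p_size--; }` followed by `if (!p_size) return 0;`. The helper now also returns 0 on exhaustion, which every caller has to test before reusing the pointer.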
@@ -872,22 +878,26 @@
 
 	/* (alphabetized) */
 	if (x->l[FLD_CTCP])
-		p = chmodefstrhelper(p, 'c', 'C', x->l[FLD_CTCP], x->a[FLD_CTCP], x->r[FLD_CTCP]);
+		p = chmodefstrhelper(p, sizeof(retbuf)-(p-retbuf), 'c', 'C', x->l[FLD_CTCP], x->a[FLD_CTCP], x->r[FLD_CTCP]);
 	if (x->l[FLD_JOIN])
-		p = chmodefstrhelper(p, 'j', 'i', x->l[FLD_JOIN], x->a[FLD_JOIN], x->r[FLD_JOIN]);
+		p = chmodefstrhelper(p, sizeof(retbuf)-(p-retbuf), 'j', 'i', x->l[FLD_JOIN], x->a[FLD_JOIN], x->r[FLD_JOIN]);
 	if (x->l[FLD_KNOCK])
-		p = chmodefstrhelper(p, 'k', 'K', x->l[FLD_KNOCK], x->a[FLD_KNOCK], x->r[FLD_KNOCK]);
+		p = chmodefstrhelper(p, sizeof(retbuf)-(p-retbuf), 'k', 'K', x->l[FLD_KNOCK], x->a[FLD_KNOCK], x->r[FLD_KNOCK]);
 	if (x->l[FLD_MSG])
-		p = chmodefstrhelper(p, 'm', 'm', x->l[FLD_MSG], x->a[FLD_MSG], x->r[FLD_MSG]);
+		p = chmodefstrhelper(p, sizeof(retbuf)-(p-retbuf), 'm', 'm', x->l[FLD_MSG], x->a[FLD_MSG], x->r[FLD_MSG]);
 	if (x->l[FLD_NICK])
-		p = chmodefstrhelper(p, 'n', 'N', x->l[FLD_NICK], x->a[FLD_NICK], x->r[FLD_NICK]);
+		p = chmodefstrhelper(p, sizeof(retbuf)-(p-retbuf), 'n', 'N', x->l[FLD_NICK], x->a[FLD_NICK], x->r[FLD_NICK]);
 	if (x->l[FLD_TEXT])
-		p = chmodefstrhelper(p, 't', '\0', x->l[FLD_TEXT], x->a[FLD_TEXT], x->r[FLD_TEXT]);
+		p = chmodefstrhelper(p, sizeof(retbuf)-(p-retbuf), 't', '\0', x->l[FLD_TEXT], x->a[FLD_TEXT], x->r[FLD_TEXT]);
+
+        if (!p) return 0;
 
 	if (*(p - 1) == ',')
 		p--;
+
+	if (p>=retbuf) p=retbuf-2;
 	*p++ = ']';
-	ircsprintf(p, ":%hd", x->per);
+	ircsnprintf(p, sizeof(retbuf)-(p-retbuf), ":%hd", x->per);
 	return retbuf;
 }
 
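Review bot: The added clamp `if (p>=retbuf) p=retbuf-2;` is true for every valid `p` and moves it to two bytes before `retbuf`, so the next statement `*p++ = ']'` writes outside the buffer and the size passed to `ircsnprintf` becomes larger than `retbuf`. The intent was presumably to clamp to the end of the buffer, e.g. `if (p > retbuf + sizeof(retbuf) - 2) p = retbuf + sizeof(retbuf) - 2;`. Separately, a 0 returned by one `chmodefstrhelper` call is passed as `buf` to the next call, and used in `p-retbuf`, before `if (!p) return 0;` is reached; each call needs a guard such as `if (p && x->l[FLD_JOIN])`. The function starts above the hunk, so the declaration of `retbuf` is not visible here.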
@@ -895,87 +905,111 @@
  * write the "simple" list of channel modes for channel chptr onto buffer mbuf
  * with the parameters in pbuf.
  */
-void channel_modes(aClient *cptr, char *mbuf, char *pbuf, aChannel *chptr)
+void channel_modes(aClient *cptr, char *mbuf, char *pbuf, size_t mbuf_size, size_t pbuf_size, aChannel *chptr)
 {
 	aCtab *tab = &cFlagTab[0];
 	char bcbuf[1024];
 	int ismember;
 	int i;
 
+	if (!(mbuf_size && pbuf_size)) return;
+
 	ismember = (IsMember(cptr, chptr) || IsServer(cptr) || IsULine(cptr)) ? 1 : 0;
 
 	*pbuf = '\0';
 
 	*mbuf++ = '+';
+	mbuf_size--;
 	/* Paramless first */
-	while (tab->mode != 0x0)
+	while (mbuf_size && tab->mode != 0x0)
 	{
 		if ((chptr->mode.mode & tab->mode))
-			if (!tab->parameters)
+			if (!tab->parameters) {
 				*mbuf++ = tab->flag;
+				mbuf_size--;
+			}
 		tab++;
 	}
 	for (i=0; i <= Channelmode_highest; i++)
 	{
+		if (!mbuf_size) break;
 		if (Channelmode_Table[i].flag && !Channelmode_Table[i].paracount &&
-		    (chptr->mode.extmode & Channelmode_Table[i].mode))
+		    (chptr->mode.extmode & Channelmode_Table[i].mode)) {
 			*mbuf++ = Channelmode_Table[i].flag;
+			mbuf_size--;
+		}
 	}
 	if (chptr->mode.limit)
 	{
-		*mbuf++ = 'l';
-		if (ismember)
-			(void)ircsprintf(pbuf, "%d ", chptr->mode.limit);
+		if (mbuf_size) {
+			*mbuf++ = 'l';
+			mbuf_size--;
+		}
+		if (ismember) {
+			ircsnprintf(pbuf, pbuf_size, "%d ", chptr->mode.limit);
+			pbuf_size-=strlen(pbuf);
+			pbuf+=strlen(pbuf);
+		}
 	}
 	if (*chptr->mode.key)
 	{
-		*mbuf++ = 'k';
-		if (ismember)
-		{
-			/* FIXME: hope pbuf is long enough */
-			(void)snprintf(bcbuf, sizeof bcbuf, "%s ", chptr->mode.key);
-			(void)strcat(pbuf, bcbuf);
+		if (mbuf_size) {
+			*mbuf++ = 'k';
+			mbuf_size--;
+		}
+		if (ismember && pbuf_size) {
+			ircsnprintf(pbuf, pbuf_size, "%s ", chptr->mode.key);
+			pbuf_size-=strlen(pbuf);
+			pbuf+=strlen(pbuf);
 		}
 	}
 	if (*chptr->mode.link)
 	{
-		*mbuf++ = 'L';
-		if (ismember)
-		{
-			/* FIXME: is pbuf long enough?  */
-			(void)snprintf(bcbuf, sizeof bcbuf, "%s ", chptr->mode.link);
-			(void)strcat(pbuf, bcbuf);
+		if (mbuf_size) {
+			*mbuf++ = 'L';
+			mbuf_size--;
+		}
+		if (ismember && pbuf_size) {
+			ircsnprintf(pbuf, pbuf_size, "%s ", chptr->mode.link);
+			pbuf_size-=strlen(pbuf);
+			pbuf+=strlen(pbuf);
 		}
 	}
 	/* if we add more parameter modes, add a space to the strings here --Stskeeps */
 	if (chptr->mode.floodprot)
 	{
-		*mbuf++ = 'f';
-		if (ismember)
-		{
-			ircsprintf(bcbuf, "%s ", channel_modef_string(chptr->mode.floodprot));
-			(void)strcat(pbuf, bcbuf);
+		if (mbuf_size) {
+			*mbuf++ = 'f';
+			mbuf_size--;
+		}
+		if (ismember && pbuf_size) {
+			ircsnprintf(pbuf, pbuf_size, "%s ", channel_modef_string(chptr->mode.floodprot));
+			pbuf_size-=strlen(pbuf);
+			pbuf+=strlen(pbuf);
 		}
 	}
 
 	for (i=0; i <= Channelmode_highest; i++)
 	{
 		if (Channelmode_Table[i].flag && Channelmode_Table[i].paracount &&
-		    (chptr->mode.extmode & Channelmode_Table[i].mode))
-		{
-			*mbuf++ = Channelmode_Table[i].flag;
+		    (chptr->mode.extmode & Channelmode_Table[i].mode)) {
+			if (mbuf_size) {
+				*mbuf++ = Channelmode_Table[i].flag;
+				mbuf_size--;
+			}
 			if (ismember)
 			{
-				strcat(pbuf, Channelmode_Table[i].get_param(extcmode_get_struct(chptr->mode.extmodeparam, Channelmode_Table[i].flag)));
-				strcat(pbuf, " ");
+				ircsnprintf(pbuf, pbuf_size, "%s ", Channelmode_Table[i].get_param(extcmode_get_struct(chptr->mode.extmodeparam, Channelmode_Table[i].flag)));
+				pbuf_size-=strlen(pbuf);
+				pbuf+=strlen(pbuf);
 			}
 		}
 	}
 
 	/* Remove the trailing space from the parameters -- codemastr */
-	if (*pbuf)
-		pbuf[strlen(pbuf)-1]=0;
+	if (*pbuf) pbuf[strlen(pbuf)-1]=0;
 
+	if (!mbuf_size) mbuf--;
 	*mbuf++ = '\0';
 	return;
 }
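Review bot: The trailing-space removal `if (*pbuf) pbuf[strlen(pbuf)-1]=0;` no longer does anything, because `pbuf` is now advanced past every appended parameter and points at the terminator when that line runs. Saving the start with `char *pstart = pbuf;` at the top and ending with `if (pbuf > pstart && pbuf[-1] == ' ') pbuf[-1] = 0;` restores the old result. The floodprot branch passes `channel_modef_string(...)` straight to `"%s"`, yet that function can return 0 after this commit, and the new `%s` loop in `ircvsnprintf` dereferences its argument without a NULL test. `bcbuf` is now unused and can be removed. The last parameter loop omits the `pbuf_size` test that the key, link and floodprot branches have.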
@@ -1425,12 +1459,12 @@
 	if ((lp2->flood.nmsg) > c_limit)
 	{
 		char comment[1024], mask[1024];
-		ircsprintf(comment,
+		ircsnprintf(comment, sizeof(comment),
 		    "Flooding (Limit is %i lines per %i seconds)",
 		    c_limit, t_limit);
 		if (banthem)
 		{		/* ban. */
-			ircsprintf(mask, "*!*@%s", GetHost(sptr));
+			ircsnprintf(mask, sizeof(mask), "*!*@%s", GetHost(sptr));
 			add_listmode(&chptr->banlist, &me, chptr, mask);
 			sendto_server(&me, 0, 0, ":%s MODE %s +b %s 0",
 			    me.name, chptr->chname, mask);
@@ -1755,9 +1789,9 @@
 	if (!(chptr->mode.mode & modeflag))
 	{
 		char comment[1024], target[CHANNELLEN + 8];
-		ircsprintf(comment, "*** Channel %sflood detected (limit is %d per %d seconds), setting mode +%c",
+		ircsnprintf(comment, sizeof(comment), "*** Channel %sflood detected (limit is %d per %d seconds), setting mode +%c",
 			text, chptr->mode.floodprot->l[what], chptr->mode.floodprot->per, m);
-		ircsprintf(target, "%%%s", chptr->chname);
+		ircsnprintf(target, sizeof(target), "%%%s", chptr->chname);
 		sendto_channelprefix_butone(NULL, &me, chptr,
 			PREFIX_HALFOP|PREFIX_OP|PREFIX_ADMIN|PREFIX_OWNER,
 			":%s NOTICE %s :%s", me.name, target, comment);
diff -r 919022ccbcf3 src/extbans.c
--- a/src/extbans.c	Tue May 21 03:42:22 2013 +0000
+++ b/src/extbans.c	Mon May 20 22:57:25 2013 -0600
@@ -112,7 +112,7 @@
 	if (loop.ircd_booted)
 	{
 		make_extbanstr();
-		ircsprintf(tmpbuf, "~,%s", extbanstr);
+		ircsnprintf(tmpbuf, sizeof(tmpbuf), "~,%s", extbanstr);
 		IsupportSetValue(IsupportFind("EXTBAN"), tmpbuf);
 	}
 	return &ExtBan_Table[slot];
@@ -138,7 +138,7 @@
 	}
 	memset(eb, 0, sizeof(Extban));
 	make_extbanstr();
-	ircsprintf(tmpbuf, "~,%s", extbanstr);
+	ircsnprintf(tmpbuf, sizeof(tmpbuf), "~,%s", extbanstr);
 	IsupportSetValue(IsupportFind("EXTBAN"), tmpbuf);
 	/* Hmm do we want to go trough all chans and remove the bans?
 	 * I would say 'no' because perhaps we are just reloading,
@@ -370,7 +370,7 @@
 	if (!ret)
 		ret = make_nick_user_host(trim_str(cp,NICKLEN), trim_str(user,USERLEN), trim_str(host,HOSTLEN));
 
-	ircsprintf(retbuf, "%s%s", pfix, ret);
+	ircsnprintf(retbuf, USERLEN + NICKLEN + HOSTLEN + 32, "%s%s", pfix, ret);
 	return retbuf;
 }
 
@@ -441,9 +441,9 @@
 			{
 				/*
 				 * If bans are stacked, then we have to use two buffers
-				 * to prevent ircsprintf() from going into a loop.
+				 * to prevent ircsnprintf() from going into a loop.
 				 */
-				ircsprintf(printbuf, "~%c:%s", bantype, ret); /* Make sure our extban prefix sticks. */
+				ircsnprintf(printbuf, sizeof(printbuf), "~%c:%s", bantype, ret); /* Make sure our extban prefix sticks. */
 				memcpy(retbuf, printbuf, sizeof(retbuf));
 				return retbuf;
 			}
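Review bot: The context line `memcpy(retbuf, printbuf, sizeof(retbuf));` copies a fixed `sizeof(retbuf)` bytes regardless of how much `ircsnprintf` just wrote. If `printbuf` is smaller than `retbuf` this reads past its end, and if it is larger the copy can leave `retbuf` without a terminator. Since `printbuf` now holds a bounded string, `strlcpy(retbuf, printbuf, sizeof(retbuf));` expresses the intent and terminates the result. Both declarations are outside the hunk, so the relative sizes cannot be confirmed from here.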
diff -r 919022ccbcf3 src/extcmodes.c
--- a/src/extcmodes.c	Tue May 21 03:42:22 2013 +0000
+++ b/src/extcmodes.c	Mon May 20 22:57:25 2013 -0600
@@ -209,7 +209,7 @@
 	{
 		make_cmodestr();
 		make_extcmodestr();
-		ircsprintf(tmpbuf, CHPAR1 "%s," CHPAR2 "%s," CHPAR3 "%s," CHPAR4 "%s",
+		ircsnprintf(tmpbuf, sizeof(tmpbuf), CHPAR1 "%s," CHPAR2 "%s," CHPAR3 "%s," CHPAR4 "%s",
 			EXPAR1, EXPAR2, EXPAR3, EXPAR4);
 		IsupportSetValue(IsupportFind("CHANMODES"), tmpbuf);
 	}
@@ -245,7 +245,7 @@
 	cmode->flag = '\0';
 	make_cmodestr();
 	make_extcmodestr();
-	ircsprintf(tmpbuf, CHPAR1 "%s," CHPAR2 "%s," CHPAR3 "%s," CHPAR4 "%s",
+	ircsnprintf(tmpbuf, sizeof(tmpbuf), CHPAR1 "%s," CHPAR2 "%s," CHPAR3 "%s," CHPAR4 "%s",
 			EXPAR1, EXPAR2, EXPAR3, EXPAR4);
 	IsupportSetValue(IsupportFind("CHANMODES"), tmpbuf);
 }
diff -r 919022ccbcf3 src/hash.c
--- a/src/hash.c	Tue May 21 03:42:22 2013 +0000
+++ b/src/hash.c	Mon May 20 22:57:25 2013 -0600
@@ -90,7 +90,7 @@
 }
 
 
-unsigned hash_nick_name(char *nname)
+unsigned hash_nick_name(const char *nname)
 {
 	unsigned hash = 0;
 	int  hash2 = 0;
@@ -281,7 +281,7 @@
 /*
  * hash_find_client
  */
-aClient *hash_find_client(char *name, aClient *cptr)
+aClient *hash_find_client(const char *name, aClient *cptr)
 {
 	aClient *tmp;
 	unsigned int  hashv;
@@ -296,7 +296,7 @@
 	return (cptr);
 }
 
-aClient *hash_find_id(char *name, aClient *cptr)
+aClient *hash_find_id(const char *name, aClient *cptr)
 {
 	aClient *tmp;
 	unsigned int  hashv;
@@ -314,7 +314,7 @@
 /*
  * hash_find_nickserver
  */
-aClient *hash_find_nickserver(char *name, aClient *cptr)
+aClient *hash_find_nickserver(const char *name, aClient *cptr)
 {
 	aClient *tmp;
 	unsigned int  hashv;
@@ -343,7 +343,7 @@
 /*
  * hash_find_server
  */
-aClient *hash_find_server(char *server, aClient *cptr)
+aClient *hash_find_server(const char *server, aClient *cptr)
 {
 	aClient *tmp;
 	unsigned int  hashv;
diff -r 919022ccbcf3 src/ircd.c
--- a/src/ircd.c	Tue May 21 03:42:22 2013 +0000
+++ b/src/ircd.c	Mon May 20 22:57:25 2013 -0600
@@ -515,9 +515,9 @@
 
 			if (bconf->reason) {
 				if (IsPerson(cptr))
-					snprintf(banbuf, sizeof banbuf - 1, "User has been banned (%s)", bconf->reason);
+					snprintf(banbuf, sizeof(banbuf), "User has been banned (%s)", bconf->reason);
 				else
-					snprintf(banbuf, sizeof banbuf - 1, "Banned (%s)", bconf->reason);
+					snprintf(banbuf, sizeof(banbuf), "Banned (%s)", bconf->reason);
 				(void)exit_client(cptr, cptr, &me, banbuf);
 			} else {
 				if (IsPerson(cptr))
@@ -665,7 +665,7 @@
 					Debug((DEBUG_DEBUG, "ssl accept handshake timeout: %s (%li-%li > %li)", cptr->sockhost,
 						currenttime, cptr->since, ping));
 #endif
-				(void)ircsprintf(scratch, "Ping timeout: %ld seconds",
+				(void)ircsnprintf(scratch, sizeof(scratch), "Ping timeout: %ld seconds",
 					(long) (TStime() - cptr->lasttime));
 				exit_client(cptr, cptr, &me, scratch);
 				continue;
@@ -1473,13 +1473,13 @@
 		if (fork())
 			exit(0);
 #endif
-	(void)ircsprintf(REPORT_DO_DNS, ":%s %s", me.name, BREPORT_DO_DNS);
-	(void)ircsprintf(REPORT_FIN_DNS, ":%s %s", me.name, BREPORT_FIN_DNS);
-	(void)ircsprintf(REPORT_FIN_DNSC, ":%s %s", me.name, BREPORT_FIN_DNSC);
-	(void)ircsprintf(REPORT_FAIL_DNS, ":%s %s", me.name, BREPORT_FAIL_DNS);
-	(void)ircsprintf(REPORT_DO_ID, ":%s %s", me.name, BREPORT_DO_ID);
-	(void)ircsprintf(REPORT_FIN_ID, ":%s %s", me.name, BREPORT_FIN_ID);
-	(void)ircsprintf(REPORT_FAIL_ID, ":%s %s", me.name, BREPORT_FAIL_ID);
+	(void)ircsnprintf(REPORT_DO_DNS, sizeof(REPORT_DO_DNS), ":%s %s", me.name, BREPORT_DO_DNS);
+	(void)ircsnprintf(REPORT_FIN_DNS, sizeof(REPORT_FIN_DNS), ":%s %s", me.name, BREPORT_FIN_DNS);
+	(void)ircsnprintf(REPORT_FIN_DNSC, sizeof(REPORT_FIN_DNSC), ":%s %s", me.name, BREPORT_FIN_DNSC);
+	(void)ircsnprintf(REPORT_FAIL_DNS, sizeof(REPORT_FAIL_DNS), ":%s %s", me.name, BREPORT_FAIL_DNS);
+	(void)ircsnprintf(REPORT_DO_ID, sizeof(REPORT_DO_ID), ":%s %s", me.name, BREPORT_DO_ID);
+	(void)ircsnprintf(REPORT_FIN_ID, sizeof(REPORT_FIN_ID), ":%s %s", me.name, BREPORT_FIN_ID);
+	(void)ircsnprintf(REPORT_FAIL_ID, sizeof(REPORT_FAIL_ID), ":%s %s", me.name, BREPORT_FAIL_ID);
 	R_do_dns = strlen(REPORT_DO_DNS);
 	R_fin_dns = strlen(REPORT_FIN_DNS);
 	R_fin_dnsc = strlen(REPORT_FIN_DNSC);
@@ -1730,7 +1730,7 @@
 			strlcpy(cptr->name, ttyname(2), sizeof(cptr->name));
 		else
 # endif
-			(void)strcpy(cptr->name, "FD2-Pipe");
+			strlcpy(cptr->name, "FD2-Pipe", sizeof(cptr->name));
 		Debug((DEBUG_FATAL,
 		    "Debug: File <%s> Level: %d at %s", cptr->name,
 		    cptr->port, myctime(time(NULL))));
diff -r 919022ccbcf3 src/ircsprintf.c
--- a/src/ircsprintf.c	Tue May 21 03:42:22 2013 +0000
+++ b/src/ircsprintf.c	Mon May 20 22:57:25 2013 -0600
@@ -267,15 +267,18 @@
  * --Run
  */
 
-char *ircvsprintf(char *str, const char *format, va_list vl)
+char *ircvsnprintf(char *str, size_t size, const char *format, va_list vl)
 {
+	if (!size) return str;
 	char c;
+        const char* end = str+size-1; //for comparison, not dereferencing
 
-	while ((c = *format++))
+	while (str!=end && (c = *format++))
 	{
 		if (c == '%')
 		{
 			c = *format++;	/* May never be '\0' ! */
+                        if (!c) break;  /* But just in case it is... these 2 instructions take care of it. */
 			if (c == 'c')
 			{
 				*str++ = (char)va_arg(vl, int);
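Review bot: `ircvsnprintf` gains a `size` parameter without a comment stating its contract, and the header comment above it still describes the unbounded function. It should say that `size` counts the terminator (the code sets `end = str+size-1`), that `size == 0` returns `str` untouched, and that the return value is a pointer to the end of the output rather than a length, so callers cannot detect truncation. Whether the output is always NUL-terminated depends on code after the loop that this hunk does not show, and that should be stated too. The added `if (!size) return str;` precedes the declarations and the `//` comment differs from the `/* */` style used in the rest of the function.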
@@ -284,8 +287,7 @@
 			if (c == 's')
 			{
 				const char *p1 = va_arg(vl, const char *);
-				if ((*str = *p1))
-					while ((*++str = *++p1));
+				while (str!=end && *p1) *str++ = *p1++;
 				continue;
 			}
 			
@@ -296,6 +298,7 @@
 				unsigned long v1, v2;
 				const char *ap;
 				++format;
+				if (!*format) break;
 				v1 = va_arg(vl, unsigned long);
 				/* Fixed to work with %lu == 0 --Stskeeps */
 				if (v1 == 0L)
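Review bot: The added `if (!*format) break;` runs after `++format` has stepped over the conversion character, so a format string that ends with this conversion leaves the loop before `va_arg` is read and the number is never written. The comment two lines below suggests this is the `%lu` branch, though its condition is above the hunk. The check can simply be removed: the loop condition `(c = *format++)` already stops at the terminator on the next iteration.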
@@ -308,22 +311,31 @@
 					v2 = v1 / 1000000000;
 					v1 -= v2 * 1000000000;
 					*str++ = '0' + v2;
+					if (str==end) break;
 				}
 				v2 = v1 / 1000000;
 				v1 -= v2 * 1000000;
 				ap = atoi_tab + (v2 << 2);
 				*str++ = *ap++;
+				if (str==end) break;
 				*str++ = *ap++;
+				if (str==end) break;
 				*str++ = *ap;
+				if (str==end) break;
 				v2 = v1 / 1000;
 				v1 -= v2 * 1000;
 				ap = atoi_tab + (v2 << 2);
 				*str++ = *ap++;
+				if (str==end) break;
 				*str++ = *ap++;
+				if (str==end) break;
 				*str++ = *ap;
+				if (str==end) break;
 				ap = atoi_tab + (v1 << 2);
 				*str++ = *ap++;
+				if (str==end) break;
 				*str++ = *ap++;
+				if (str==end) break;
 				*str++ = *ap;
 				continue;
 			}
@@ -343,6 +355,7 @@
 						continue;
 					}
 					*str++ = '-';
+					if (str==end) break;
 					v1 = -v1;
 				}
 				do
@@ -357,8 +370,7 @@
 				}
 				while ((v1 = v2) > 0);
 				while ('0' == *++s);
-				*str = *s;
-				while ((*++str = *++s));
+				while (str!=end && *s) *str++ = *s++;
 				continue;
 			}
 			if (c == 'u')
@@ -385,14 +397,13 @@
 				}
 				while ((v1 = v2) > 0);
 				while ('0' == *++s);
-				*str = *s;
-				while ((*++str = *++s));
+				while (str!=end && *s) *str++ = *s++;
 				continue;
 			}
 			if (c != '%')
 			{
 				format -= 2;
-				str += vsprintf(str, format, vl);
+				str += vsnprintf(str, (size_t)(end-str+1), format, vl);
 				break;
 			}
 		}
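Review bot: In the fallback path, `str += vsnprintf(str, (size_t)(end-str+1), format, vl);` adds the length the output would have had, not the length actually stored, so on truncation `str` moves past `end` and is then used after the loop and returned to the caller. A negative return on error moves it backwards instead. Clamping the result keeps the pointer inside the buffer: `int n = vsnprintf(str, (size_t)(end-str+1), format, vl);` then `if (n < 0) n = 0; else if (n > end-str) n = (int)(end-str);` and `str += n;`. The code that runs after the loop is outside this hunk.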
@@ -402,12 +413,12 @@
 	return str;
 }
 
-char *ircsprintf(char *str, const char *format, ...)
+char *ircsnprintf(char *str, size_t size, const char *format, ...)
 {
 	va_list vl;
 	char *ret;
 	va_start(vl, format);
-	ret = ircvsprintf(str, format, vl);
+	ret = ircvsnprintf(str, size, format, vl);
 	va_end(vl);
 	return ret;
 }
diff -r 919022ccbcf3 src/modules.c
--- a/src/modules.c	Tue May 21 03:42:22 2013 +0000
+++ b/src/modules.c	Mon May 20 22:57:25 2013 -0600
@@ -165,11 +165,12 @@
 
 #ifdef UNDERSCORE
 void *obsd_dlsym(void *handle, char *symbol) {
-    char *obsdsymbol = (char*)MyMalloc(strlen(symbol) + 2);
+    size_t buflen = strlen(symbol) + 2;
+    char *obsdsymbol = (char*)MyMalloc(buflen);
     void *symaddr = NULL;
 
     if (obsdsymbol) {
-       sprintf(obsdsymbol, "_%s", symbol);
+       ircsnprintf(obsdsymbol, buflen, "_%s", symbol);
        symaddr = dlsym(handle, obsdsymbol);
        free(obsdsymbol);
     }
@@ -199,8 +200,7 @@
 	{
 		if (!strcmp(dir->d_name, ".") || !strcmp(dir->d_name, ".."))
 			continue;
-		strcpy(tempbuf, "tmp/");
-		strcat(tempbuf, dir->d_name);
+		ircsnprintf(tempbuf, sizeof(tempbuf), "tmp/%s", dir->d_name);
 		remove(tempbuf);
 	}
 	closedir(fd);
@@ -211,8 +211,7 @@
 	{
 		if (strcmp(hData.cFileName, ".") || strcmp(hData.cFileName, ".."))
 		{
-			strcpy(tempbuf, "tmp/");
-			strcat(tempbuf, hData.cFileName);
+			ircsnprintf(tempbuf, sizeof(tempbuf), "tmp/%s", hdata.cFileName);
 			remove(tempbuf);
 		}
 	}
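Review bot: The added line refers to `hdata.cFileName`, but the variable on the surrounding lines is `hData`; C identifiers are case-sensitive, so this presumably fails to compile on the Windows build. It should be `ircsnprintf(tempbuf, sizeof(tempbuf), "tmp/%s", hData.cFileName);`. The enclosing test `strcmp(hData.cFileName, ".") || strcmp(hData.cFileName, "..")` is true for every name, so "." and ".." are not excluded here, unlike in the loop in the next hunk; `&&` looks intended.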
@@ -220,8 +219,7 @@
 	{
 		if (!strcmp(hData.cFileName, ".") || !strcmp(hData.cFileName, ".."))
 			continue;
-		strcpy(tempbuf, "tmp/");
-		strcat(tempbuf, hData.cFileName);
+		ircsnprintf(tempbuf, sizeof(tempbuf), "tmp/%s", hData.cFileName);
 		remove(tempbuf);
 	}
 	FindClose(hFile);
@@ -279,13 +277,13 @@
 	return 0;
 }
 
-void make_compiler_string(char *buf, unsigned int ver)
+void make_compiler_string(char *buf, size_t buflen, unsigned int ver)
 {
 unsigned int maj, min, plevel;
 
 	if (ver == 0)
 	{
-		strcpy(buf, "0");
+		strlcpy(buf, "0", buflen);
 		return;
 	}
 	
@@ -294,9 +292,9 @@
 	plevel = ver & 0xff;
 	
 	if (plevel == 0)
-		sprintf(buf, "%d.%d", maj, min);
+		snprintf(buf, buflen, "%d.%d", maj, min);
 	else
-		sprintf(buf, "%d.%d.%d", maj, min, plevel);
+		snprintf(buf, buflen, "%d.%d.%d", maj, min, plevel);
 }
 
 /*
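Review bot: `maj`, `min` and `plevel` are declared `unsigned int` in the previous hunk, but both new `snprintf` calls format them with `%d`. The specifiers should match the argument type: `snprintf(buf, buflen, "%u.%u", maj, min);` and `snprintf(buf, buflen, "%u.%u.%u", maj, min, plevel);`.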
@@ -333,10 +331,7 @@
 	{
 		char dirbase[1024];
 		unreal_getpathname(SPATH, dirbase);
-		strlcpy(pathbuf, dirbase, sizeof pathbuf);
-		strlcat(pathbuf, "/", sizeof pathbuf);
-		strlcat(pathbuf, path, sizeof pathbuf);
-		strlcat(pathbuf, MODULE_SUFFIX, sizeof pathbuf);
+                ircsnprintf(pathbuf, sizeof(pathbuf), "%s/%s%s", dirbase, path, MODULE_SUFFIX);
 		path = pathbuf;
 	}
 	
@@ -349,9 +344,9 @@
 	if (!strchr(path, '\\') && !strchr(path, '/'))
 #endif
 	{
-		path = MyMalloc(strlen(path) + 3);
-		strcpy(path, "./");
-		strcat(path, path_);
+                size_t pathsize = strlen(path)+3;
+		path = MyMalloc(pathsize);
+                ircsnprintf(path, pathsize, "./%s", path_);
 	}
 
 	if (!file_exists(path))
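Review bot: The added lines `size_t pathsize = strlen(path)+3;` and `ircsnprintf(path, pathsize, "./%s", path_);` are indented with spaces while their neighbours use tabs, the tab/space mix the project's coding guidelines ask to avoid. The same applies to the added `ircsnprintf(pathbuf, ...)` line in the previous hunk, to the `ircsnprintf` line in stats_combine_parv, and to `size_t whois_size` in m_oper.c. Re-indent these with tabs to match the surrounding code. The enclosing function starts and ends outside the hunk.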
@@ -394,8 +389,8 @@
 		if (compiler_version && ( ((*compiler_version) & 0xffff00) != (expectedcompilerversion & 0xffff00) ) )
 		{
 			char theyhad[64], wehave[64];
-			make_compiler_string(theyhad, *compiler_version);
-			make_compiler_string(wehave, expectedcompilerversion);
+			make_compiler_string(theyhad, sizeof(theyhad), *compiler_version);
+			make_compiler_string(wehave, sizeof(wehave), expectedcompilerversion);
 			snprintf(errorbuf, sizeof(errorbuf),
 			         "Module was compiled with GCC %s, core was compiled with GCC %s. SOLUTION: Recompile your UnrealIRCd and all its modules by doing a 'make clean; ./Config -quick && make'.",
 			         theyhad, wehave);
@@ -473,7 +468,7 @@
 		{
 			if (mod->mod_sys_version >= 0x320b8) {
 				if ((ret = (*Mod_Test)(&mod->modinfo)) < MOD_SUCCESS) {
-					ircsprintf(errorbuf, "Mod_Test returned %i",
+					ircsnprintf(errorbuf, sizeof(errorbuf), "Mod_Test returned %i",
 						   ret);
 					/* We EXPECT the module to have cleaned up it's mess */
 		        		Module_free(mod);
@@ -1069,11 +1064,11 @@
 	{
 		tmp[0] = '\0';
 		if (mi->flags & MODFLAG_DELAYED)
-			strcat(tmp, "[Unloading] ");
+			strncat(tmp, "[Unloading] ", sizeof(tmp)-strlen(tmp)-1);
 		if (mi->options & MOD_OPT_PERM)
-			strcat(tmp, "[PERM] ");
+			strncat(tmp, "[PERM] ", sizeof(tmp)-strlen(tmp)-1);
 		if (!(mi->options & MOD_OPT_OFFICIAL))
-			strcat(tmp, "[3RD] ");
+			strncat(tmp, "[3RD] ", sizeof(tmp)-strlen(tmp)-1);
 		if (!IsOper(sptr))
 			sendto_one(sptr, ":%s NOTICE %s :*** %s (%s)%s", me.name, sptr->name,
 				mi->header->name, mi->header->description,
@@ -1087,18 +1082,15 @@
 		return 0;
 
 	tmp[0] = '\0';
-	p = tmp;
 	for (i=0; i < MAXHOOKTYPES; i++)
 	{
 		if (!Hooks[i])
 			continue;
-		sprintf(p, "%d ", i);
-		p += strlen(p);
-		if (p > tmp+380)
+		ircsnprintf(tmp, sizeof(tmp), "%d ", i);
+		if (strlen(p) > 380)
 		{
 			sendto_one(sptr, ":%s NOTICE %s :Hooks: %s", me.name, sptr->name, tmp);
 			tmp[0] = '\0';
-			p = tmp;
 		}
 	}
 	sendto_one(sptr, ":%s NOTICE %s :Hooks: %s ", me.name, sptr->name, tmp);
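Review bot: In the Hooks loop the new `ircsnprintf(tmp, sizeof(tmp), "%d ", i);` writes at the start of `tmp` on every iteration, so each hook number overwrites the previous one instead of being appended. The following `strlen(p) > 380` then reads `p` after both `p = tmp` assignments were removed. Append at the current end instead: `size_t used = strlen(tmp);`, then `ircsnprintf(tmp + used, sizeof(tmp) - used, "%d ", i);`, and test `if (strlen(tmp) > 380)`. As written the NOTICE would carry at most the last hook number, and `p` may be unassigned at this point unless something earlier in the function, outside the hunk, sets it.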
@@ -1110,7 +1102,7 @@
 		for (mptr = CommandHash[i]; mptr; mptr = mptr->next)
 			if (mptr->overriders)
 			{
-				sprintf(p, "%s ", mptr->cmd);
+				ircsnprintf(p, sizeof(tmp)-strlen(tmp), "%s ", mptr->cmd);
 				p += strlen(p);
 				if (p > tmp+380)
 				{
diff -r 919022ccbcf3 src/modules/cloak.c
--- a/src/modules/cloak.c	Tue May 21 03:42:22 2013 +0000
+++ b/src/modules/cloak.c	Mon May 20 22:57:25 2013 -0600
@@ -216,9 +216,10 @@
 	cloak_key3 = strdup(cep->ce_varname);
 
 	/* Calculate checksum */
-	sprintf(buf, "%s:%s:%s", KEY1, KEY2, KEY3);
+	ircsnprintf(buf, sizeof(buf), "%s:%s:%s", KEY1, KEY2, KEY3);
 	DoMD5(result, buf, strlen(buf));
-	ircsprintf(cloak_checksum, "MD5:%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x",
+	ircsnprintf(cloak_checksum, sizeof(cloak_checksum),
+		"MD5:%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x",
 		(u_int)(result[0] & 0xf), (u_int)(result[0] >> 4),
 		(u_int)(result[1] & 0xf), (u_int)(result[1] >> 4),
 		(u_int)(result[2] & 0xf), (u_int)(result[2] >> 4),
@@ -298,30 +299,30 @@
 	sscanf(host, "%u.%u.%u.%u", &a, &b, &c, &d);
 
 	/* ALPHA... */
-	ircsprintf(buf, "%s:%s:%s", KEY2, host, KEY3);
+	ircsnprintf(buf, sizeof(buf), "%s:%s:%s", KEY2, host, KEY3);
 	DoMD5(res, buf, strlen(buf));
-	strcpy(res+16, KEY1); /* first 16 bytes are filled, append our key.. */
+	strlcpy(res+16, KEY1, sizeof(res)-16); /* first 16 bytes are filled, append our key.. */
 	n = strlen(res+16) + 16;
 	DoMD5(res2, res, n);
 	alpha = downsample(res2);
 
 	/* BETA... */
-	ircsprintf(buf, "%s:%d.%d.%d:%s", KEY3, a, b, c, KEY1);
+	ircsnprintf(buf, sizeof(buf), "%s:%d.%d.%d:%s", KEY3, a, b, c, KEY1);
 	DoMD5(res, buf, strlen(buf));
-	strcpy(res+16, KEY2); /* first 16 bytes are filled, append our key.. */
+	strlcpy(res+16, KEY2, sizeof(res)-16); /* first 16 bytes are filled, append our key.. */
 	n = strlen(res+16) + 16;
 	DoMD5(res2, res, n);
 	beta = downsample(res2);
 
 	/* GAMMA... */
-	ircsprintf(buf, "%s:%d.%d:%s", KEY1, a, b, KEY2);
+	ircsnprintf(buf, sizeof(buf), "%s:%d.%d:%s", KEY1, a, b, KEY2);
 	DoMD5(res, buf, strlen(buf));
-	strcpy(res+16, KEY3); /* first 16 bytes are filled, append our key.. */
+	strlcpy(res+16, KEY3, sizeof(res)-16); /* first 16 bytes are filled, append our key.. */
 	n = strlen(res+16) + 16;
 	DoMD5(res2, res, n);
 	gamma = downsample(res2);
 
-	ircsprintf(result, "%X.%X.%X.IP", alpha, beta, gamma);
+	ircsnprintf(result, sizeof(result), "%X.%X.%X.IP", alpha, beta, gamma);
 	return result;
 }
 
@@ -346,30 +347,30 @@
 		&a, &b, &c, &d, &e, &f, &g, &h);
 
 	/* ALPHA... */
-	ircsprintf(buf, "%s:%s:%s", KEY2, host, KEY3);
+	ircsnprintf(buf, sizeof(buf), "%s:%s:%s", KEY2, host, KEY3);
 	DoMD5(res, buf, strlen(buf));
-	strcpy(res+16, KEY1); /* first 16 bytes are filled, append our key.. */
+	strlcpy(res+16, KEY1, sizeof(res)-16); /* first 16 bytes are filled, append our key.. */
 	n = strlen(res+16) + 16;
 	DoMD5(res2, res, n);
 	alpha = downsample(res2);
 
 	/* BETA... */
-	ircsprintf(buf, "%s:%x:%x:%x:%x:%x:%x:%x:%s", KEY3, a, b, c, d, e, f, g, KEY1);
+	ircsnprintf(buf, sizeof(buf), "%s:%x:%x:%x:%x:%x:%x:%x:%s", KEY3, a, b, c, d, e, f, g, KEY1);
 	DoMD5(res, buf, strlen(buf));
-	strcpy(res+16, KEY2); /* first 16 bytes are filled, append our key.. */
+	strlcpy(res+16, KEY2, sizeof(res)-16); /* first 16 bytes are filled, append our key.. */
 	n = strlen(res+16) + 16;
 	DoMD5(res2, res, n);
 	beta = downsample(res2);
 
 	/* GAMMA... */
-	ircsprintf(buf, "%s:%x:%x:%x:%x:%s", KEY1, a, b, c, d, KEY2);
+	ircsnprintf(buf, sizeof(buf), "%s:%x:%x:%x:%x:%s", KEY1, a, b, c, d, KEY2);
 	DoMD5(res, buf, strlen(buf));
-	strcpy(res+16, KEY3); /* first 16 bytes are filled, append our key.. */
+	strlcpy(res+16, KEY3, sizeof(res)-16); /* first 16 bytes are filled, append our key.. */
 	n = strlen(res+16) + 16;
 	DoMD5(res2, res, n);
 	gamma = downsample(res2);
 
-	ircsprintf(result, "%X:%X:%X:IP", alpha, beta, gamma);
+	ircsnprintf(result, sizeof(result), "%X:%X:%X:IP", alpha, beta, gamma);
 	return result;
 }
 
@@ -379,9 +380,9 @@
 static char buf[512], res[512], res2[512], result[HOSTLEN+1];
 unsigned int alpha, n;
 
-	ircsprintf(buf, "%s:%s:%s", KEY1, host, KEY2);
+	ircsnprintf(buf, sizeof(buf), "%s:%s:%s", KEY1, host, KEY2);
 	DoMD5(res, buf, strlen(buf));
-	strcpy(res+16, KEY3); /* first 16 bytes are filled, append our key.. */
+	strlcpy(res+16, KEY3, sizeof(res)-16); /* first 16 bytes are filled, append our key.. */
 	n = strlen(res+16) + 16;
 	DoMD5(res2, res, n);
 	alpha = downsample(res2);
@@ -395,14 +396,14 @@
 	{
 		unsigned int len;
 		p++;
-		ircsprintf(result, "%s-%X.", hidden_host, alpha);
+		ircsnprintf(result, sizeof(result), "%s-%X.", hidden_host, alpha);
 		len = strlen(result) + strlen(p);
 		if (len <= HOSTLEN)
-			strcat(result, p);
+			strncat(result, p, sizeof(result)-strlen(result)-1);
 		else
-			strcat(result, p + (len - HOSTLEN));
+			strncat(result, p + (len - HOSTLEN), sizeof(result)-strlen(result)-1);
 	} else
-		ircsprintf(result,  "%s-%X", hidden_host, alpha);
+		ircsnprintf(result, sizeof(result),  "%s-%X", hidden_host, alpha);
 
 	return result;
 }
diff -r 919022ccbcf3 src/modules/m_chgident.c
--- a/src/modules/m_chgident.c	Tue May 21 03:42:22 2013 +0000
+++ b/src/modules/m_chgident.c	Mon May 20 22:57:25 2013 -0600
@@ -197,7 +197,7 @@
 
 		sendto_server(cptr, 0, 0, ":%s CHGIDENT %s %s",
 		    sptr->name, acptr->name, parv[2]);
-		ircsprintf(acptr->user->username, "%s", parv[2]);
+		ircsnprintf(acptr->user->username, sizeof(acptr->user->username), "%s", parv[2]);
 		if (UHOST_ALLOWED == UHALLOW_REJOIN)
 			rejoin_dojoinandmode(acptr);
 		return 0;
diff -r 919022ccbcf3 src/modules/m_chgname.c
--- a/src/modules/m_chgname.c	Tue May 21 03:42:22 2013 +0000
+++ b/src/modules/m_chgname.c	Mon May 20 22:57:25 2013 -0600
@@ -138,7 +138,7 @@
 		}
 
 		/* set the realname first to make n:line checking work */
-		ircsprintf(acptr->info, "%s", parv[2]);
+		ircsnprintf(acptr->info, sizeof(acptr->info), "%s", parv[2]);
 		/* only check for n:lines if the person who's name is being changed is not an oper */
 		if (!IsAnOper(acptr) && Find_ban(NULL, acptr->info, CONF_BAN_REALNAME)) {
 			int xx;
diff -r 919022ccbcf3 src/modules/m_chmodetst.c
--- a/src/modules/m_chmodetst.c	Tue May 21 03:42:22 2013 +0000
+++ b/src/modules/m_chmodetst.c	Mon May 20 22:57:25 2013 -0600
@@ -162,7 +162,7 @@
 
 	if (!r)
 		return NULL;
-	sprintf(tmpret, "%hu", r->val);
+	snprintf(tmpret, sizeof(tmpret), "%hu", r->val);
 	return tmpret;
 }
 
@@ -172,7 +172,7 @@
 short i;
 static char tmpret2[16];
 	i = (short)atoi(param);
-	sprintf(tmpret2, "%hu", i);
+	snprintf(tmpret2, sizeof(tmpret2), "%hu", i);
 	return tmpret2;
 }
 
diff -r 919022ccbcf3 src/modules/m_ison.c
--- a/src/modules/m_ison.c	Tue May 21 03:42:22 2013 +0000
+++ b/src/modules/m_ison.c	Mon May 20 22:57:25 2013 -0600
@@ -85,8 +85,7 @@
  */
 
 static char buf[BUFSIZE];
-DLLFUNC CMD_FUNC(m_ison)
-{
+DLLFUNC CMD_FUNC(m_ison) {
 	char namebuf[USERLEN + HOSTLEN + 4];
 	aClient *acptr;
 	char *s, **pav = parv, *user;
@@ -94,35 +93,28 @@
 	char *p = NULL;
 
 
-	if (parc < 2)
-	{
+	if (parc < 2) {
 		sendto_one(sptr, err_str(ERR_NEEDMOREPARAMS),
 		    me.name, parv[0], "ISON");
 		return 0;
 	}
 
-	(void)ircsprintf(buf, rpl_str(RPL_ISON), me.name, *parv);
+	ircsnprintf(buf, sizeof(buf), rpl_str(RPL_ISON), me.name, *parv);
 	len = strlen(buf);
 
-	for (s = strtoken(&p, *++pav, " "); s; s = strtoken(&p, NULL, " "))
-	{
+	for (s = strtoken(&p, *++pav, " "); s; s = strtoken(&p, NULL, " ")) {
 		if ((user = index(s, '!')))
 			*user++ = '\0';
-		if ((acptr = find_person(s, NULL)))
-		{
-			if (user)
-			{
-				strcpy(namebuf, acptr->user->username);
-				strcat(namebuf, "@");
-				strcat(namebuf, GetHost(acptr));
-				if (match(user, namebuf))
-					continue;
+		if ((acptr = find_person(s, NULL))) {
+			if (user) {
+				ircsnprintf(namebuf, sizeof(namebuf), "%s@%s", acptr->user->username, GetHost(acptr));
+				if (match(user, namebuf)) continue;
 				*--user = '!';
 			}
 
-			(void)strncat(buf, s, sizeof(buf) - len);
+			(void)strncat(buf, s, sizeof(buf) - (len+1));
 			len += strlen(s);
-			(void)strncat(buf, " ", sizeof(buf) - len);
+			(void)strncat(buf, " ", sizeof(buf) - (len+1));
 			len++;
 		}
 	}
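Review bot: `len` is still advanced by the full `strlen(s)` after `strncat(buf, s, sizeof(buf) - (len+1))`, even when the append was truncated. Once the reply fills `buf`, `sizeof(buf) - (len+1)` can wrap to a very large unsigned value and the next `strncat` is effectively unbounded. Resynchronise from the buffer after each append with `len = strlen(buf);`, or leave the loop when `len + strlen(s) + 2 > sizeof(buf)`. The nicknames come from the client's ISON parameter, so the total length is not under the server's control. The function continues outside the hunk.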
diff -r 919022ccbcf3 src/modules/m_join.c
--- a/src/modules/m_join.c	Tue May 21 03:42:22 2013 +0000
+++ b/src/modules/m_join.c	Mon May 20 22:57:25 2013 -0600
@@ -407,7 +407,7 @@
 			}
 
 			*modebuf = *parabuf = 0;
-			channel_modes(sptr, modebuf, parabuf, chptr);
+			channel_modes(sptr, modebuf, parabuf, sizeof(modebuf), sizeof(parabuf), chptr);
 			/* This should probably be in the SJOIN stuff */
 			sendto_server(&me, 0, 0, ":%s MODE %s %s %s %lu",
 			    me.name, chptr->chname, modebuf, parabuf, chptr->creationtime);
diff -r 919022ccbcf3 src/modules/m_kick.c
--- a/src/modules/m_kick.c	Tue May 21 03:42:22 2013 +0000
+++ b/src/modules/m_kick.c	Mon May 20 22:57:25 2013 -0600
@@ -154,7 +154,7 @@
 					if (!IsNetAdmin(sptr))
 					{
 						char errbuf[NICKLEN+10];
-						ircsprintf(errbuf, "%s is +q", who->name);
+						ircsnprintf(errbuf, sizeof(errbuf), "%s is +q", who->name);
 						sendto_one(sptr, err_str(ERR_CANNOTDOCOMMAND), 
 							   me.name, sptr->name, "KICK", 
 							   errbuf);
@@ -235,10 +235,10 @@
 					{
 						char errbuf[NICKLEN+25];
 						if (who_flags & CHFL_CHANOWNER)
-							ircsprintf(errbuf, "%s is a channel owner", 
+							ircsnprintf(errbuf, sizeof(errbuf), "%s is a channel owner", 
 								   who->name);
 						else
-							ircsprintf(errbuf, "%s is a channel admin", 
+							ircsnprintf(errbuf, sizeof(errbuf), "%s is a channel admin", 
 								   who->name);
 						sendto_one(sptr, err_str(ERR_CANNOTDOCOMMAND),
 							   me.name, sptr->name, "KICK",
@@ -253,7 +253,7 @@
 				    && !(sptr_flags & CHFL_ISOP) && !IsULine(sptr) && MyClient(sptr))
 				{
 					char errbuf[NICKLEN+30];
-					ircsprintf(errbuf, "%s is a channel operator", who->name);
+					ircsnprintf(errbuf, sizeof(errbuf), "%s is a channel operator", who->name);
 					sendto_one(sptr, err_str(ERR_CANNOTDOCOMMAND),
 						   me.name, sptr->name, "KICK",
 						   errbuf);
@@ -265,7 +265,7 @@
 				    && !(sptr_flags & CHFL_ISOP) && MyClient(sptr))
 				{
 					char errbuf[NICKLEN+15];
-					ircsprintf(errbuf, "%s is a halfop", who->name);
+					ircsnprintf(errbuf, sizeof(errbuf), "%s is a halfop", who->name);
 					sendto_one(sptr, err_str(ERR_CANNOTDOCOMMAND),
 						   me.name, sptr->name, "KICK",
 						   errbuf);
diff -r 919022ccbcf3 src/modules/m_kill.c
--- a/src/modules/m_kill.c	Tue May 21 03:42:22 2013 +0000
+++ b/src/modules/m_kill.c	Mon May 20 22:57:25 2013 -0600
@@ -213,7 +213,7 @@
 					   around, or it gets appended to itself. */
 				if (!BadPtr(path))
 				{
-					(void)ircsprintf(buf, "%s%s (%s)",
+					(void)ircsnprintf(buf, sizeof(buf), "%s%s (%s)",
 					    cptr->name,
 					    IsOper(sptr) ? "" : "(L)", path);
 					path = buf;
@@ -287,7 +287,7 @@
 		 */
 		if (MyConnect(acptr) && MyConnect(sptr) && IsAnOper(sptr))
 
-			(void)ircsprintf(buf2, "[%s] Local kill by %s (%s)",
+			ircsnprintf(buf2, sizeof(buf2), "[%s] Local kill by %s (%s)",
 			    me.name, sptr->name,
 			    BadPtr(parv[2]) ? sptr->name : parv[2]);
 		else
@@ -303,7 +303,7 @@
 			}
 			else
 				killer = path;
-			(void)ircsprintf(buf2, "Killed (%s)", killer);
+			ircsnprintf(buf2, sizeof(buf2), "Killed (%s)", killer);
 		}
 
 		if (MyClient(sptr))
diff -r 919022ccbcf3 src/modules/m_list.c
--- a/src/modules/m_list.c	Tue May 21 03:42:22 2013 +0000
+++ b/src/modules/m_list.c	Mon May 20 22:57:25 2013 -0600
@@ -255,7 +255,7 @@
 				  if (chptr && (ShowChannel(sptr, chptr) || OPCanSeeSecret(sptr))) {
 #ifdef LIST_SHOW_MODES
 					modebuf[0] = '[';
-					channel_modes(sptr, &modebuf[1], parabuf, chptr);
+					channel_modes(sptr, modebuf+1, parabuf, sizeof(modebuf)-1, sizeof(parabuf), chptr);
 					if (modebuf[2] == '\0')
 						modebuf[0] = '\0';
 					else
@@ -382,7 +382,7 @@
 				}
 #ifdef LIST_SHOW_MODES
 				modebuf[0] = '[';
-				channel_modes(cptr, &modebuf[1], parabuf, chptr);
+				channel_modes(cptr, modebuf+1, parabuf, sizeof(modebuf)-1, sizeof(parabuf), chptr);
 				if (modebuf[2] == '\0')
 					modebuf[0] = '\0';
 				else
diff -r 919022ccbcf3 src/modules/m_message.c
--- a/src/modules/m_message.c	Tue May 21 03:42:22 2013 +0000
+++ b/src/modules/m_message.c	Mon May 20 22:57:25 2013 -0600
@@ -649,7 +649,7 @@
 	if (!(acptr->user) || !(lp = acptr->user->silence) ||
 	    !(user = sptr->user)) return 0;
 
-	ircsprintf(sender, "%s!%s@%s", sptr->name, user->username,
+	ircsnprintf(sender, sizeof(sender), "%s!%s@%s", sptr->name, user->username,
 	    user->realhost);
 	/* We also check for matches against sptr->user->virthost if present,
 	 * this is checked regardless of mode +x so you can't do tricks like:
@@ -658,7 +658,7 @@
 	 */
 	if (sptr->user->virthost)
 	{
-		ircsprintf(senderx, "%s!%s@%s", sptr->name, user->username,
+		ircsnprintf(senderx, sizeof(senderx), "%s!%s@%s", sptr->name, user->username,
 		    sptr->user->virthost);
 		checkv = 1;
 	}
diff -r 919022ccbcf3 src/modules/m_mode.c
--- a/src/modules/m_mode.c	Tue May 21 03:42:22 2013 +0000
+++ b/src/modules/m_mode.c	Mon May 20 22:57:25 2013 -0600
@@ -62,7 +62,8 @@
                     aClient *cptr, u_int *pcount, char pvar[MAXMODEPARAMS][MODEBUFLEN + 3],
                     char bounce);
 void make_mode_str(aChannel *chptr, long oldm, Cmode_t oldem, long oldl, int pcount,
-    char pvar[MAXMODEPARAMS][MODEBUFLEN + 3], char *mode_buf, char *para_buf, char bounce);
+    char pvar[MAXMODEPARAMS][MODEBUFLEN + 3], char *mode_buf, char *para_buf,
+    size_t mode_buf_size, size_t para_buf_size, char bounce);
 
 static void mode_cutoff(char *s);
 static void mode_cutoff2(aClient *sptr, aChannel *chptr, int *parc_out, char *parv[]);
@@ -153,7 +154,7 @@
 		*modebuf = *parabuf = '\0';
 		
 		modebuf[1] = '\0';
-		channel_modes(sptr, modebuf, parabuf, chptr);
+		channel_modes(sptr, modebuf, parabuf, sizeof(modebuf), sizeof(parabuf), chptr);
 		sendto_one(sptr, rpl_str(RPL_CHANNELMODEIS), me.name, parv[0],
 		    chptr->chname, modebuf, parabuf);
 		sendto_one(sptr, rpl_str(RPL_CREATIONTIME), me.name, parv[0],
@@ -576,8 +577,8 @@
  *  If bounce is set to 1, it will make the string it needs for a bounce.
  */
 void make_mode_str(aChannel *chptr, long oldm, Cmode_t oldem, long oldl, int pcount, 
-	char pvar[MAXMODEPARAMS][MODEBUFLEN + 3], char *mode_buf, char *para_buf, char bounce)
-{
+    char pvar[MAXMODEPARAMS][MODEBUFLEN + 3], char *mode_buf, char *para_buf,
+    size_t mode_buf_size, size_t para_buf_size, char bounce) {
 
 	char tmpbuf[MODEBUFLEN+3], *tmpstr;
 	aCtab *tab = &cFlagTab[0];
@@ -694,7 +695,7 @@
 			*x++ = 'l';
 			if (bounce)
 				chptr->mode.limit = oldl;	/* set it back */
-			ircsprintf(para_buf, "%s%d ", para_buf, chptr->mode.limit);
+			ircsnprintf(para_buf, para_buf_size, "%s%d ", para_buf, chptr->mode.limit);
 		}
 	}
 	/* reconstruct bkov chain */
@@ -1010,7 +1011,7 @@
 		  if (IsServices(member->cptr) && MyClient(cptr) && !IsNetAdmin(cptr) && (what == MODE_DEL))
 		  {
 			char errbuf[NICKLEN+50];
-			ircsprintf(errbuf, "%s is a network service", member->cptr->name);
+			ircsnprintf(errbuf, sizeof(errbuf), "%s is a network service", member->cptr->name);
 			sendto_one(cptr, err_str(ERR_CANNOTCHANGECHANMODE), me.name, cptr->name,
 				   modechar, errbuf);
 			break;
@@ -1032,7 +1033,7 @@
 				if (!op_can_override(cptr))
 				{
 					char errbuf[NICKLEN+30];
-					ircsprintf(errbuf, "%s is a channel owner", member->cptr->name);
+					ircsnprintf(errbuf, sizeof(errbuf), "%s is a channel owner", member->cptr->name);
 					sendto_one(cptr, err_str(ERR_CANNOTCHANGECHANMODE), me.name, cptr->name,
 					   modechar, errbuf);
 					break;
@@ -1058,7 +1059,7 @@
 			  	if (!op_can_override(cptr))
 			  	{
 					char errbuf[NICKLEN+30];
-					ircsprintf(errbuf, "%s is a channel admin", member->cptr->name);
+					ircsnprintf(errbuf, sizeof(errbuf), "%s is a channel admin", member->cptr->name);
 					sendto_one(cptr, err_str(ERR_CANNOTCHANGECHANMODE), me.name, cptr->name,
 					   modechar, errbuf);
 					break;
@@ -1093,7 +1094,7 @@
 			  tc = 'v';
 		  /* Make sure membership->flags and member->flags is the same */
 		  membership->flags = member->flags;
-		  (void)ircsprintf(pvar[*pcount], "%c%c%s",
+		  ircsnprintf(pvar[*pcount], MODEBUFLEN + 3, "%c%c%s",
 		      what == MODE_ADD ? '+' : '-', tc, who->name);
 		  (*pcount)++;
 		  break;
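Review bot: The bound `MODEBUFLEN + 3` repeats by hand the array dimension from the `pvar[MAXMODEPARAMS][MODEBUFLEN + 3]` declarator shown in the prototype hunk. `sizeof(pvar[*pcount])` yields the same value and cannot drift if the declaration changes, e.g. `ircsnprintf(pvar[*pcount], sizeof(pvar[*pcount]), "%c%c%s", ...)`. The same applies to the `k`, `b`, `e`, `I`, `L`, `f` and extended-mode hunks that follow in this file. None of these hunks shows `*pcount` being checked against MAXMODEPARAMS before the write, so confirm that such a check exists outside the visible lines.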
@@ -1169,7 +1170,7 @@
 		  }
 		  retval = 1;
 
-		  (void)ircsprintf(pvar[*pcount], "%ck%s",
+		  ircsnprintf(pvar[*pcount], MODEBUFLEN + 3, "%ck%s",
 		      what == MODE_ADD ? '+' : '-', tmpstr);
 		  (*pcount)++;
 		  break;
@@ -1211,7 +1212,7 @@
 		      ((what == MODE_ADD && add_listmode(&chptr->banlist, cptr, chptr, tmpstr))
 		      || (what == MODE_DEL && del_listmode(&chptr->banlist, chptr, tmpstr))))
 			  break;	/* already exists */
-		  (void)ircsprintf(pvar[*pcount], "%cb%s",
+		  ircsnprintf(pvar[*pcount], MODEBUFLEN + 3, "%cb%s",
 		      what == MODE_ADD ? '+' : '-', tmpstr);
 		  (*pcount)++;
 		  break;
@@ -1252,7 +1253,7 @@
 		      ((what == MODE_ADD && add_listmode(&chptr->exlist, cptr, chptr, tmpstr))
 		      || (what == MODE_DEL && del_listmode(&chptr->exlist, chptr, tmpstr))))
 			  break;	/* already exists */
-		  (void)ircsprintf(pvar[*pcount], "%ce%s",
+		  ircsnprintf(pvar[*pcount], MODEBUFLEN + 3, "%ce%s",
 		      what == MODE_ADD ? '+' : '-', tmpstr);
 		  (*pcount)++;
 		  break;
@@ -1296,7 +1297,7 @@
 		      ((what == MODE_ADD && add_listmode(&chptr->invexlist, cptr, chptr, tmpstr))
 		      || (what == MODE_DEL && del_listmode(&chptr->invexlist, chptr, tmpstr))))
 			  break;	/* already exists */
-		  (void)ircsprintf(pvar[*pcount], "%cI%s",
+		  ircsnprintf(pvar[*pcount], MODEBUFLEN + 3, "%cI%s",
 		      what == MODE_ADD ? '+' : '-', tmpstr);
 		  (*pcount)++;
 		  break;
@@ -1389,7 +1390,7 @@
 		  }
 		  retval = 1;
 
-		  (void)ircsprintf(pvar[*pcount], "%cL%s",
+		  ircsnprintf(pvar[*pcount], MODEBUFLEN + 3, "%cL%s",
 		      what == MODE_ADD ? '+' : '-', tmpstr);
 		  (*pcount)++;
 		  break;
@@ -1665,7 +1666,7 @@
 			retval = 1;
 		}
 
-		  (void)ircsprintf(pvar[*pcount], "%cf%s",
+		  ircsnprintf(pvar[*pcount], MODEBUFLEN + 3, "%cf%s",
 		      what == MODE_ADD ? '+' : '-', tmpstr);
 		  (*pcount)++;
 		  break_flood:
@@ -1732,7 +1733,7 @@
 			if (!(chptr->mode.extmode & Channelmode_Table[modeindex].mode))
 				return paracnt; /* There's nothing to remove! */
 			/* del means any parameter is ok, the one-who-is-set will be used */
-			ircsprintf(pvar[*pcount], "-%c", Channelmode_Table[modeindex].flag);
+			ircsnprintf(pvar[*pcount], MODEBUFLEN + 3, "-%c", Channelmode_Table[modeindex].flag);
 		} else {
 			/* add: is the parameter ok? */
 			if (Channelmode_Table[modeindex].is_ok(cptr, chptr, param, EXCHK_PARAM, what) == FALSE)
@@ -1746,7 +1747,7 @@
 				if (p && p2 && !strcmp(p, p2))
 					return paracnt; /* ignore... */
 			}
-				ircsprintf(pvar[*pcount], "+%c%s",
+				ircsnprintf(pvar[*pcount], MODEBUFLEN + 3, "+%c%s",
 					Channelmode_Table[modeindex].flag, Channelmode_Table[modeindex].conv_param(param));
 			(*pcount)++;
 		}
@@ -1970,7 +1971,7 @@
 		}
 	}
 
-	make_mode_str(chptr, oldm, oldem, oldl, *pcount, pvar, modebuf, parabuf, bounce);
+	make_mode_str(chptr, oldm, oldem, oldl, *pcount, pvar, modebuf, parabuf, sizeof(modebuf), sizeof(parabuf), bounce);
 
 #ifndef NO_OPEROVERRIDE
         if (htrig == 1)
diff -r 919022ccbcf3 src/modules/m_nick.c
--- a/src/modules/m_nick.c	Tue May 21 03:42:22 2013 +0000
+++ b/src/modules/m_nick.c	Mon May 20 22:57:25 2013 -0600
@@ -130,7 +130,7 @@
 		return 0;
 	}
 
-	if (!IsServer(cptr))
+	if ((NICKLEN < iConf.nicklen) || !IsServer(cptr))
 		strlcpy(nick, parv[1], iConf.nicklen + 1);
 	else
 		strlcpy(nick, parv[1], NICKLEN + 1);
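Review bot: The new condition selects the `iConf.nicklen + 1` bound exactly when `NICKLEN < iConf.nicklen`, so the larger limit is used in the one case where the configured length exceeds the compile-time one. If `nick` is sized from NICKLEN (its declaration is outside the hunk), a server-supplied nick can then be copied with a bound larger than the buffer. The test looks inverted: `if (!IsServer(cptr) && iConf.nicklen <= NICKLEN)` keeps the configured limit only when it fits and falls back to `NICKLEN + 1` otherwise.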
@@ -884,7 +884,7 @@
 			    i == -3 ? "Too many connections" :
 			    "Unauthorized connection", get_client_host(sptr));
 			ircstp->is_ref++;
-			ircsprintf(mo, "This server is full.");
+			ircsnprintf(mo, sizeof(mo), "This server is full.");
 			return
 			    exit_client(cptr, sptr, &me,
 			    i ==
@@ -920,21 +920,21 @@
 		 * Moved the noident stuff here. -OnyxDragon
 		 */
 		if (!(sptr->flags & FLAGS_DOID)) 
-			strlcpy(user->username, username, USERLEN + 1);
+			strlcpy(user->username, username, USERLEN+1);
 		else if (sptr->flags & FLAGS_GOTID) 
-			strlcpy(user->username, sptr->username, USERLEN + 1);
+			strlcpy(user->username, sptr->username, USERLEN+1);
 		else
 		{
 
 			/* because username may point to user->username */
 			char temp[USERLEN + 1];
-			strlcpy(temp, username, USERLEN + 1);
+			strlcpy(temp, username, USERLEN+1);
 			if (IDENT_CHECK == 0) {
-				strlcpy(user->username, temp, USERLEN + 1);
+				strlcpy(user->username, temp, USERLEN+1);
 			}
 			else {
 				*user->username = '~';
-				strlcpy((user->username + 1), temp, USERLEN);
+				strlcpy((user->username + 1), temp, USERLEN+1);
 #ifdef HOSTILENAME
 				noident = 1;
 #endif
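Review bot: `strlcpy((user->username + 1), temp, USERLEN+1);` widens the bound from `USERLEN` to `USERLEN+1` although the destination starts one byte into the field. If `username` is `USERLEN + 1` bytes, as the other calls in this hunk imply, only `USERLEN` bytes remain after the `~`, and a full-length ident puts the terminator one byte past the end. Keep `USERLEN` for this call, or write `sizeof(user->username) - 1`. The next hunk has the same problem in `strlcpy(user->username + 1, stripuser, USERLEN+1);`, where the removed strncpy used `USERLEN - 1`. The other edits in this hunk only remove the spaces around `+`.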
@@ -983,8 +983,8 @@
 				return exit_client(cptr, cptr, cptr, "Hostile username. Please use only 0-9 a-z A-Z _ - and . in your username.");
 			}
 
-			strcpy(olduser, user->username + noident);
-			strncpy(user->username + 1, stripuser, USERLEN - 1);
+			strlcpy(olduser, user->username + noident, USERLEN+1);
+			strlcpy(user->username + 1, stripuser, USERLEN+1);
 			user->username[0] = '~';
 			user->username[USERLEN] = '\0';
 		}
@@ -1047,7 +1047,7 @@
 	}
 	else
 	{
-		strlcpy(user->username, username, USERLEN + 1);
+		strlcpy(user->username, username, USERLEN+1);
 	}
 	SetClient(sptr);
 	IRCstats.clients++;
@@ -1232,7 +1232,7 @@
 		if (user->snomask)
 			sendto_one(sptr, rpl_str(RPL_SNOMASK),
 				me.name, sptr->name, get_snostr(user->snomask));
-		strcpy(userhost,make_user_host(cptr->user->username, cptr->user->realhost));
+		strlcpy(userhost,make_user_host(cptr->user->username, cptr->user->realhost), USERLEN+1);
 
 		/* NOTE: Code after this 'if (savetkl)' will not be executed for quarantined-
 		 *       virus-users. So be carefull with the order. -- Syzop
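Review bot: `strlcpy(userhost, make_user_host(...), USERLEN+1)` bounds a user@host string by the username length, so everything past USERLEN characters is silently dropped, which will usually include most or all of the host part. The bound is also unrelated to the destination buffer. Use the destination's own size, `strlcpy(userhost, make_user_host(cptr->user->username, cptr->user->realhost), sizeof(userhost));`, assuming `userhost` is an array. Its declaration is outside the hunk.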
diff -r 919022ccbcf3 src/modules/m_oper.c
--- a/src/modules/m_oper.c	Tue May 21 03:42:22 2013 +0000
+++ b/src/modules/m_oper.c	Mon May 20 22:57:25 2013 -0600
@@ -142,8 +142,7 @@
 	if ((c = strchr(host, '@')))
 	{
 		vhost =	c+1;
-		strncpy(sptr->user->username, host, c-host);
-		sptr->user->username[c-host] = 0;
+		strlcpy(sptr->user->username, host, c-vhost);
 		sendto_server(NULL, 0, 0, ":%s SETIDENT %s",
 		    sptr->name, sptr->user->username);
 	}
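Review bot: The size argument `c-vhost` is always -1 because `vhost` was just set to `c+1`, and converted to `size_t` that becomes the maximum value. This `strlcpy` therefore copies the whole `host` string, `@` and vhost included, into `username` with no effective bound. The length wanted is the part before the `@`, capped by the field: `size_t n = (size_t)(c - host) + 1;`, `if (n > sizeof(sptr->user->username)) n = sizeof(sptr->user->username);`, `strlcpy(sptr->user->username, host, n);` (assuming `username` is an array). The SETIDENT sent on the following lines would otherwise propagate the wrong ident to other servers.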
@@ -267,8 +266,9 @@
 		if (aconf->swhois) {
 			if (sptr->user->swhois)
 				MyFree(sptr->user->swhois);
-			sptr->user->swhois = MyMalloc(strlen(aconf->swhois) +1);
-			strcpy(sptr->user->swhois, aconf->swhois);
+                        size_t whois_size = strlen(aconf->swhois) + 1;
+			sptr->user->swhois = MyMalloc(whois_size);
+			strlcpy(sptr->user->swhois, aconf->swhois, whois_size);
 			sendto_server(cptr, 0, 0, ":%s SWHOIS %s :%s",
 			    me.name, sptr->name, aconf->swhois);
 		}
diff -r 919022ccbcf3 src/modules/m_pass.c
--- a/src/modules/m_pass.c	Tue May 21 03:42:22 2013 +0000
+++ b/src/modules/m_pass.c	Mon May 20 22:57:25 2013 -0600
@@ -110,14 +110,14 @@
 
 	if ((bconf = Find_ban(cptr, Inet_ia2p(&cptr->ip), CONF_BAN_IP)))
 	{
-		ircsprintf(zlinebuf,
+		ircsnprintf(zlinebuf, BUFSIZE,
 			"You are not welcome on this server: %s. Email %s for more information.",
 			bconf->reason ? bconf->reason : "no reason", KLINE_ADDRESS);
 		return exit_client(cptr, cptr, &me, zlinebuf);
 	}
 	else if (find_tkline_match_zap_ex(cptr, &tk) != -1)
 	{
-		ircsprintf(zlinebuf, "Z:Lined (%s)", tk->reason);
+		ircsnprintf(zlinebuf, BUFSIZE, "Z:Lined (%s)", tk->reason);
 		return exit_client(cptr, cptr, &me, zlinebuf);
 	}
 	else
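Review bot: The bound passed for `zlinebuf` is the constant `BUFSIZE` rather than the buffer's own size, unlike the `sizeof(...)` form used elsewhere in this commit. The declaration of `zlinebuf` is outside the hunk, so the constant cannot be checked against the real size here. If it is an array, `ircsnprintf(zlinebuf, sizeof(zlinebuf), ...)` keeps the bound tied to the declaration. This applies to both calls in this hunk and to the `Throttled:` call in the next one.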
@@ -125,7 +125,7 @@
 		int val;
 		if (!(val = throttle_can_connect(cptr, &cptr->ip)))
 		{
-			ircsprintf(zlinebuf, "Throttled: Reconnecting too fast - Email %s for more information.",
+			ircsnprintf(zlinebuf, BUFSIZE, "Throttled: Reconnecting too fast - Email %s for more information.",
 					KLINE_ADDRESS);
 			return exit_client(cptr, cptr, &me, zlinebuf);
 		}
diff -r 919022ccbcf3 src/modules/m_quit.c
--- a/src/modules/m_quit.c	Tue May 21 03:42:22 2013 +0000
+++ b/src/modules/m_quit.c	Mon May 20 22:57:25 2013 -0600
@@ -102,7 +102,7 @@
 			return exit_client(cptr, sptr, sptr, "Client exited");
 
 		if (!prefix_quit || strcmp(prefix_quit, "no"))
-			s = ircsprintf(comment, "%s ",
+			s = ircsnprintf(comment, sizeof(comment), "%s ",
 		    		BadPtr(prefix_quit) ? "Quit:" : prefix_quit);
 #ifdef STRIPBADWORDS
 		ocomment = (char *)stripbadwords_quit(ocomment, &blocked);
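Review bot: `s = ircsnprintf(comment, sizeof(comment), "%s ", ...)` keeps assigning the call's return value to `s`, which with `ircsprintf` was presumably the write position for the rest of the quit message. Whether `ircsnprintf` returns the same thing is not visible here and should be confirmed. If it does not, set the position explicitly after the call with `s = comment + strlen(comment);`. Any later copy through `s`, outside the hunk, also needs the remaining space `sizeof(comment) - (s - comment)` to stay bounded.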
diff -r 919022ccbcf3 src/modules/m_rping.c
--- a/src/modules/m_rping.c	Tue May 21 03:42:22 2013 +0000
+++ b/src/modules/m_rping.c	Mon May 20 22:57:25 2013 -0600
@@ -228,7 +228,7 @@
 	_ftime(&tv);
 #endif
 	if (sec && usec)
-		ircsprintf(timebuf, "%ld",
+		ircsnprintf(timebuf, sizeof(timebuf), "%ld",
 #ifndef _WIN32
 		    (tv.tv_sec - atoi(sec)) * 1000 + (tv.tv_usec - atoi(usec)) / 1000);
 #else
@@ -236,9 +236,9 @@
 #endif
 	else
 #ifndef _WIN32
-		ircsprintf(timebuf, "%ld %ld", tv.tv_sec, tv.tv_usec);
+		ircsnprintf(timebuf, sizeof(timebuf), "%ld %ld", tv.tv_sec, tv.tv_usec);
 #else
-		ircsprintf(timebuf, "%ld %ld", tv.time, tv.millitm * 1000);
+		ircsnprintf(timebuf, sizeof(timebuf), "%ld %ld", tv.time, tv.millitm * 1000);
 #endif
 	return timebuf;
 }
diff -r 919022ccbcf3 src/modules/m_sdesc.c
--- a/src/modules/m_sdesc.c	Tue May 21 03:42:22 2013 +0000
+++ b/src/modules/m_sdesc.c	Mon May 20 22:57:25 2013 -0600
@@ -115,7 +115,7 @@
 		return 0;
 	}
 
-	ircsprintf(sptr->srvptr->info, "%s", parv[1]);
+	ircsnprintf(sptr->srvptr->info, sizeof(sptr->srvptr->info), "%s", parv[1]);
 
 	sendto_server(cptr, 0, 0, ":%s SDESC :%s", sptr->name, parv[1]);
 
diff -r 919022ccbcf3 src/modules/m_server.c
--- a/src/modules/m_server.c	Tue May 21 03:42:22 2013 +0000
+++ b/src/modules/m_server.c	Mon May 20 22:57:25 2013 -0600
@@ -105,7 +105,7 @@
 	if (!NEW_LINKING_PROTOCOL)
 		return;
 
-	ircsprintf(buf, "PROTOCTL EAUTH=%s",
+	ircsnprintf(buf, sizeof(buf), "PROTOCTL EAUTH=%s",
 		me.name);
 
 	sendto_one(sptr, "%s", buf);
@@ -172,11 +172,11 @@
 				break;
 	}
 	if (!link) {
-		snprintf(xerrmsg, 256, "No link block named '%s'", servername);
+		ircsnprintf(xerrmsg, sizeof(xerrmsg), "No link block named '%s'", servername);
 		goto errlink;
 	}
 	if (link->username && match(link->username, cptr->username)) {
-		snprintf(xerrmsg, 256, "Username '%s' didn't match '%s'",
+		ircsnprintf(xerrmsg, sizeof(xerrmsg), "Username '%s' didn't match '%s'",
 			cptr->username, link->username);
 		/* I assume nobody will have 2 link blocks with the same servername
 		 * and different username. -- Syzop
@@ -204,7 +204,7 @@
 #endif		
 	if (!link)
 	{
-		snprintf(xerrmsg, 256, "Server is in link block but IP/host didn't match");
+		ircsnprintf(xerrmsg, sizeof(xerrmsg), "Server is in link block but IP/host didn't match");
 errlink:
 		/* Send the "simple" error msg to the server */
 		sendto_one(cptr,
@@ -487,7 +487,7 @@
 		if (aconf->options & CONNECT_QUARANTINE)
 			cptr->flags |= FLAGS_QUARANTINE;
 
-		snprintf(descbuf, sizeof descbuf, "Server: %s", servername);
+		ircsnprintf(descbuf, sizeof descbuf, "Server: %s", servername);
 		fd_desc(cptr->fd, descbuf);
 
 		/* Start synch now */
@@ -931,7 +931,7 @@
 
 	*parabuf = '\0';
 	*modebuf = '\0';
-	channel_modes(cptr, modebuf, parabuf, chptr);
+	channel_modes(cptr, modebuf, parabuf, sizeof(modebuf), sizeof(parabuf), chptr);
 	sent = send_mode_list(cptr, chptr->chname, chptr->creationtime,
 	    chptr->members, CHFL_CHANOP, 'o');
 	if (!sent && chptr->creationtime)
@@ -1164,7 +1164,7 @@
 	/* First we'll send channel, channel modes and members and status */
 
 	*modebuf = *parabuf = '\0';
-	channel_modes(cptr, modebuf, parabuf, chptr);
+	channel_modes(cptr, modebuf, parabuf, sizeof(modebuf), sizeof(parabuf), chptr);
 
 	if (*parabuf)
 	{
@@ -1176,7 +1176,7 @@
 		else
 			strlcpy(parabuf, "<->", sizeof parabuf);
 	}
-	ircsprintf(buf, "SJOIN %ld %s %s %s :",
+	ircsnprintf(buf, sizeof(buf), "SJOIN %ld %s %s %s :",
 	    chptr->creationtime, chptr->chname, modebuf, parabuf);
 
 	bufptr = buf + strlen(buf);
@@ -1206,14 +1206,14 @@
 		*bufptr++ = ' ';
 		n++;
 
-		if (bufptr - buf > BUFSIZE - 80)
+		if (bufptr > buf && bufptr - buf > BUFSIZE - 80)
 		{
 			*bufptr++ = '\0';
 			if (bufptr[-1] == ' ')
 				bufptr[-1] = '\0';
 			sendto_one(cptr, "%s", buf);
 
-			ircsprintf(buf, "SJOIN %ld %s %s %s :",
+			ircsnprintf(buf, sizeof(buf), "SJOIN %ld %s %s %s :",
 			    chptr->creationtime, chptr->chname, modebuf,
 			    parabuf);
 			n = 0;
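Review bot: The added `bufptr > buf &&` does not change the outcome of this test, because `bufptr - buf > BUFSIZE - 80` can only be true when `bufptr` is already past `buf`. The flush still relies on the 80-byte margin to cover the writes through `bufptr` earlier in the loop body, which lie outside the hunk. If the intent was to bound those writes, the check belongs before each `*bufptr++`. In the context lines, `*bufptr++ = '\0'` is followed by `if (bufptr[-1] == ' ')`, which inspects the terminator just written rather than the trailing space.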
@@ -1281,7 +1281,7 @@
 	/* First we'll send channel, channel modes and members and status */
 
 	*modebuf = *parabuf = '\0';
-	channel_modes(cptr, modebuf, parabuf, chptr);
+	channel_modes(cptr, modebuf, parabuf, sizeof(modebuf), sizeof(parabuf), chptr);
 
 	if (!modebuf[1])
 		nomode = 1;
@@ -1291,19 +1291,19 @@
 
 	if (nomode && nopara)
 	{
-		ircsprintf(buf,
+		ircsnprintf(buf, sizeof(buf),
 		    ":%s SJOIN %ld %s :", me.name,
 		    (long)chptr->creationtime, chptr->chname);
 	}
 	if (nopara && !nomode)
 	{
-		ircsprintf(buf, 
+		ircsnprintf(buf, sizeof(buf),
 		    ":%s SJOIN %ld %s %s :", me.name,
 		    (long)chptr->creationtime, chptr->chname, modebuf);
 	}
 	if (!nopara && !nomode)
 	{
-		ircsprintf(buf,
+		ircsnprintf(buf, sizeof(buf),
 		    ":%s SJOIN %ld %s %s %s :", me.name,
 		    (long)chptr->creationtime, chptr->chname, modebuf, parabuf);
 	}
diff -r 919022ccbcf3 src/modules/m_setident.c
--- a/src/modules/m_setident.c	Tue May 21 03:42:22 2013 +0000
+++ b/src/modules/m_setident.c	Mon May 20 22:57:25 2013 -0600
@@ -211,7 +211,7 @@
 		}
 
 		/* get it in */
-		ircsprintf(sptr->user->username, "%s", vident);
+		ircsnprintf(sptr->user->username, sizeof(sptr->user->username), "%s", vident);
 		/* spread it out */
 		sendto_server(cptr, 0, 0, ":%s SETIDENT %s", sptr->name, parv[1]);
 
diff -r 919022ccbcf3 src/modules/m_sjoin.c
--- a/src/modules/m_sjoin.c	Tue May 21 03:42:22 2013 +0000
+++ b/src/modules/m_sjoin.c	Mon May 20 22:57:25 2013 -0600
@@ -263,7 +263,7 @@
 	banbuf[0] = '\0';
 	exbuf[0] = '\0';
 	invexbuf[0] = '\0';
-	channel_modes(cptr, modebuf, parabuf, chptr);
+	channel_modes(cptr, modebuf, parabuf, sizeof(modebuf), sizeof(parabuf), chptr);
 	if (removeours)
 	{
 		modebuf[0] = '-';
diff -r 919022ccbcf3 src/modules/m_sqline.c
--- a/src/modules/m_sqline.c	Tue May 21 03:42:22 2013 +0000
+++ b/src/modules/m_sqline.c	Mon May 20 22:57:25 2013 -0600
@@ -107,7 +107,7 @@
 	if (parc < 2)
 		return 0;
 
-	ircsprintf(mo, "%li", TStime());
+	ircsnprintf(mo, sizeof(mo), "%li", TStime());
 	tkllayer[7] = mo;
         tkllayer[8] = comment ? comment : "no reason";
         return m_tkl(&me, &me, 9, tkllayer);
diff -r 919022ccbcf3 src/modules/m_stats.c
--- a/src/modules/m_stats.c	Tue May 21 03:42:22 2013 +0000
+++ b/src/modules/m_stats.c	Mon May 20 22:57:25 2013 -0600
@@ -214,9 +214,7 @@
 inline char *stats_combine_parv(char *p1, char *p2)
 {
 	static char buf[BUFSIZE+1];
-	strcpy(buf, p1);
-	strcat(buf, " ");
-	strcat(buf, p2);
+        ircsnprintf(buf, sizeof(buf), "%s %s", p1, p2);
 	return buf;
 }
 
@@ -636,16 +634,13 @@
 
 static char *stats_port_helper(ConfigItem_listen *listener)
 {
-static char buf[256];
-	buf[0] = '\0';
-	if (listener->options & LISTENER_CLIENTSONLY)
-		strcat(buf, "clientsonly ");
-	if (listener->options & LISTENER_SERVERSONLY)
-		strcat(buf, "serversonly ");
-	if (listener->options & LISTENER_JAVACLIENT)
-		strcat(buf, "java ");
-	if (listener->options & LISTENER_SSL)
-		strcat(buf, "SSL ");
+	static char buf[256];
+
+	ircsnprintf(buf, sizeof(buf), "%s%s%s%s",
+	    (listener->options & LISTENER_CLIENTSONLY)? "clientsonly ": "",
+	    (listener->options & LISTENER_SERVERSONLY)? "serversonly ": "",
+	    (listener->options & LISTENER_JAVACLIENT)?  "java ": "",
+	    (listener->options & LISTENER_SSL)?         "ssl ": "");
 	return buf;
 }
 
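Review bot: The rewritten `stats_port_helper` changes the emitted token from `"SSL "` to `"ssl "` on its last argument line, a visible output change folded into an overflow fix. Anything that matches on the old spelling in this output would stop matching. If the change is not intended, keep the original literal: `(listener->options & LISTENER_SSL)? "SSL ": "");`. If it is intended, it belongs in the commit description.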
@@ -1223,7 +1218,7 @@
 	sendto_one(sptr, ":%s %i %s :modes-on-oper: %s", me.name, RPL_TEXT,
 	    sptr->name, get_modestr(OPER_MODES));
 	*modebuf = *parabuf = 0;
-	chmode_str(iConf.modes_on_join, modebuf, parabuf);
+	chmode_str(iConf.modes_on_join, modebuf, parabuf, sizeof(modebuf), sizeof(parabuf));
 	sendto_one(sptr, ":%s %i %s :modes-on-join: %s %s", me.name, RPL_TEXT,
 		sptr->name, modebuf, parabuf);
 	sendto_one(sptr, ":%s %i %s :nick-length: %i", me.name, RPL_TEXT,
@@ -1512,7 +1507,7 @@
 			continue;
 
 #ifdef DEBUGMODE
-		ircsprintf(pbuf, "%ld :%ld", (long)acptr->cputime,
+		ircsnprintf(pbuf, sizeof(pbuf), "%ld :%ld", (long)acptr->cputime,
 		      (long)(acptr->user && MyConnect(acptr)) ? TStime() - acptr->last : 0);
 #endif
 		if (IsOper(sptr))
diff -r 919022ccbcf3 src/modules/m_tkl.c
--- a/src/modules/m_tkl.c	Tue May 21 03:42:22 2013 +0000
+++ b/src/modules/m_tkl.c	Mon May 20 22:57:25 2013 -0600
@@ -319,7 +319,7 @@
 			} else
 			{
 				SetShunned(acptr);
-				ircsprintf(buf, "Temporary shun added on user %s (%s@%s) by %s [%s]",
+				ircsnprintf(buf, sizeof(buf), "Temporary shun added on user %s (%s@%s) by %s [%s]",
 					acptr->name, acptr->user->username, acptr->user->realhost,
 					sptr->name, comment);
 				sendto_snomask(SNO_TKL, "%s", buf);
@@ -331,7 +331,7 @@
 				sendnotice(sptr, "User '%s' is not shunned", acptr->name);
 			} else {
 				ClearShunned(acptr);
-				ircsprintf(buf, "Removed temporary shun on user %s (%s@%s) by %s",
+				ircsnprintf(buf, sizeof(buf), "Removed temporary shun on user %s (%s@%s) by %s",
 					acptr->name, acptr->user->username, acptr->user->realhost,
 					sptr->name);
 				sendto_snomask(SNO_TKL, "%s", buf);
@@ -677,13 +677,13 @@
 		if (secs == 0)
 		{
 			if (DEFAULT_BANTIME && (parc <= 3))
-				ircsprintf(mo, "%li", DEFAULT_BANTIME + TStime());
+				ircsnprintf(mo, sizeof(mo), "%li", DEFAULT_BANTIME + TStime());
 			else
-				ircsprintf(mo, "%li", secs); /* "0" */
+				ircsnprintf(mo, sizeof(mo), "%li", secs); /* "0" */
 		}
 		else
-			ircsprintf(mo, "%li", secs + TStime());
-		ircsprintf(mo2, "%li", TStime());
+			ircsnprintf(mo, sizeof(mo), "%li", secs + TStime());
+		ircsnprintf(mo2, sizeof(mo2), "%li", TStime());
 		tkllayer[6] = mo;
 		tkllayer[7] = mo2;
 		if (parc > 3) {
@@ -813,7 +813,7 @@
 
 	if (parv[4][0] == '-')
 	{
-		ircsprintf(mo, "%li", SPAMFILTER_BAN_TIME);
+		ircsnprintf(mo, sizeof(mo), "%li", SPAMFILTER_BAN_TIME);
 		tkllayer[8] = mo;
 	}
 	else
@@ -845,7 +845,7 @@
 	
 	if (whattodo == 0)
 	{
-		ircsprintf(mo2, "%li", TStime());
+		ircsnprintf(mo2, sizeof(mo2), "%li", TStime());
 		tkllayer[7] = mo2;
 	}
 	
@@ -1105,28 +1105,27 @@
 		    tmp->usermask, tmp->hostmask);
 		return (tmp->next);
 	}
-	/* Using strlcpy here is wasteful, we know it is < 512 */
 	if (tmp->type & TKL_GLOBAL)
 	{
 		if (tmp->type & TKL_KILL)
-			strcpy(whattype, "G:Line");
+			strlcpy(whattype, "G:Line", sizeof(whattype));
 		else if (tmp->type & TKL_ZAP)
-			strcpy(whattype, "Global Z:Line");
+			strlcpy(whattype, "Global Z:Line", sizeof(whattype));
 		else if (tmp->type & TKL_SHUN)
-			strcpy(whattype, "Shun");
+			strlcpy(whattype, "Shun", sizeof(whattype));
 		else if (tmp->type & TKL_NICK)
-			strcpy(whattype, "Global Q:line");
+			strlcpy(whattype, "Global Q:line", sizeof(whattype));
 	}
 	else
 	{
 		if (tmp->type & TKL_KILL)
-			strcpy(whattype, "K:Line");
+			strlcpy(whattype, "K:Line", sizeof(whattype));
 		else if (tmp->type & TKL_ZAP)
-			strcpy(whattype, "Z:Line");
+			strlcpy(whattype, "Z:Line", sizeof(whattype));
 		else if (tmp->type & TKL_SHUN)
-			strcpy(whattype, "Local Shun");
+			strlcpy(whattype, "Local Shun", sizeof(whattype));
 		else if (tmp->type & TKL_NICK)
-			strcpy(whattype, "Q:line");
+			strlcpy(whattype, "Q:line", sizeof(whattype));
 	}
 	if (!(tmp->type & TKL_NICK))
 	{
@@ -1239,8 +1238,8 @@
 
 	if (points != 1)
 		return 1;
-	strcpy(host, make_user_host(cname, chost));
-	strcpy(host2, make_user_host(cname, cip));
+	strlcpy(host, make_user_host(cname, chost), sizeof(host));
+	strlcpy(host2, make_user_host(cname, cip), sizeof(host2));
 	if (((lp->type & TKL_KILL) || (lp->type & TKL_ZAP)) && !(lp->type & TKL_GLOBAL))
 		match_type = CONF_EXCEPT_BAN;
 	else
@@ -1279,7 +1278,7 @@
 					   me.name, cptr->name,
 					   (lp->expire_at ? "banned" : "permanently banned"),
 					   ircnetwork, lp->reason);
-			ircsprintf(msge, "User has been %s from %s (%s)",
+			ircsnprintf(msge, sizeof(msge), "User has been %s from %s (%s)",
 				   (lp->expire_at ? "banned" : "permanently banned"),
 				   ircnetwork, lp->reason);
 			return (exit_client(cptr, cptr, &me, msge));
@@ -1292,7 +1291,7 @@
 				   me.name, cptr->name,
 				   (lp->expire_at ? "banned" : "permanently banned"),
 				   me.name, lp->reason, KLINE_ADDRESS);
-			ircsprintf(msge, "User is %s (%s)",
+			ircsnprintf(msge, sizeof(msge), "User is %s (%s)",
 				   (lp->expire_at ? "banned" : "permanently banned"),
 				   lp->reason);
 			return (exit_client(cptr, cptr, &me, msge));
@@ -1302,7 +1301,7 @@
 	if (lp->type & TKL_ZAP)
 	{
 		ircstp->is_ref++;
-		ircsprintf(msge, "Z:lined (%s)",lp->reason);
+		ircsnprintf(msge, sizeof(msge), "Z:lined (%s)",lp->reason);
 		return exit_client(cptr, cptr, &me, msge);
 	}
 
@@ -1366,8 +1365,8 @@
 
 	if (points != 1)
 		return 1;
-	strcpy(host, make_user_host(cname, chost));
-	strcpy(host2, make_user_host(cname, cip));
+	strlcpy(host, make_user_host(cname, chost), sizeof(host));
+	strlcpy(host2, make_user_host(cname, cip), sizeof(host2));
 		match_type = CONF_EXCEPT_TKL;
 
 	for (excepts = conf_except; excepts; excepts = (ConfigItem_except *)excepts->next) {
@@ -1395,13 +1394,13 @@
 		return i;
 	
 	/* otherwise, it's IPv6.. prepend it with [ and append a ] */
-	ircsprintf(buf, "[%s]", i);
+	ircsnprintf(buf, sizeof(buf), "[%s]", i);
 	return buf;
 }
 
 void _spamfilter_build_user_string(char *buf, char *nick, aClient *acptr)
 {
-	ircsprintf(buf, "%s!%s@%s:%s",
+	ircsnprintf(buf, sizeof(buf), "%s!%s@%s:%s",
 		nick, acptr->user->username, SpamfilterMagicHost(acptr->user->realhost), acptr->info);
 }
 
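Review bot: In `_spamfilter_build_user_string`, `buf` is a `char *` parameter, so `sizeof(buf)` is the size of a pointer, not of the caller's buffer. The new `ircsnprintf(buf, sizeof(buf), "%s!%s@%s:%s", ...)` therefore cuts the user string down to a few characters, and anything matched against it afterwards sees the truncated value and can silently stop matching. The function needs the real capacity, for example `void _spamfilter_build_user_string(char *buf, size_t buflen, char *nick, aClient *acptr)` with `ircsnprintf(buf, buflen, ...)`; that changes callers outside this hunk. The `sizeof(buf)` in the `"[%s]"` call above is only correct if that `buf` is an array, and its declaration is not visible here.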
@@ -1438,7 +1437,7 @@
 				continue; /* No match */
 
 			/* matched! */
-			ircsprintf(buf, "[Spamfilter] %s!%s@%s matches filter '%s': [%s: '%s'] [%s]",
+			ircsnprintf(buf, sizeof(buf), "[Spamfilter] %s!%s@%s matches filter '%s': [%s: '%s'] [%s]",
 				acptr->name, acptr->user->username, acptr->user->realhost,
 				tk->reason,
 				"user", spamfilter_user,
@@ -1518,12 +1517,12 @@
 
 	chost = cptr->user ? cptr->user->realhost : (MyConnect(cptr) ? cptr->sockhost : "unknown");
 	cname = cptr->user ? cptr->user->username : "unknown";
-	strcpy(host, make_user_host(cname, chost));
+	strlcpy(host, make_user_host(cname, chost), sizeof(host));
 
 	cip = GetIP(cptr);
 	if (cip)
 	{
-		strcpy(hostbuf2, make_user_host(cname, cip));
+		strlcpy(hostbuf2, make_user_host(cname, cip), sizeof(hostbuf2));
 		host2 = hostbuf2;
 	}
 
@@ -1590,7 +1589,7 @@
 						return -1;
 
 				ircstp->is_ref++;
-				ircsprintf(msge,
+				ircsnprintf(msge, sizeof(msge),
 				    "ERROR :Closing Link: [%s] Z:Lined (%s)\r\n",
 #ifndef INET6
 				    inetntoa((char *)&cptr->ip), lp->reason);
@@ -2061,33 +2060,33 @@
 		  switch (type)
 		  {
 		    case TKL_KILL:
-			    strcpy(txt, "K:Line");
+			    strlcpy(txt, "K:Line", sizeof(txt));
 			    break;
 		    case TKL_ZAP:
-			    strcpy(txt, "Z:Line");
+			    strlcpy(txt, "Z:Line", sizeof(txt));
 			    break;
 		    case TKL_KILL | TKL_GLOBAL:
-			    strcpy(txt, "G:Line");
+			    strlcpy(txt, "G:Line", sizeof(txt));
 			    break;
 		    case TKL_ZAP | TKL_GLOBAL:
-			    strcpy(txt, "Global Z:line");
+			    strlcpy(txt, "Global Z:line", sizeof(txt));
 			    break;
 		    case TKL_SHUN | TKL_GLOBAL:
-			    strcpy(txt, "Shun");
+			    strlcpy(txt, "Shun", sizeof(txt));
 			    break;
 		    case TKL_NICK | TKL_GLOBAL:
-			    strcpy(txt, "Global Q:line");
+			    strlcpy(txt, "Global Q:line", sizeof(txt));
 			    break;
 		    case TKL_NICK:
-			    strcpy(txt, "Q:line");
+			    strlcpy(txt, "Q:line", sizeof(txt));
 			    break;
 		    default:
-			    strcpy(txt, "Unknown *:Line");
+			    strlcpy(txt, "Unknown *:Line", sizeof(txt));
 		  }
 		  if (type & TKL_SPAMF)
 		  {
 		  	  char buf[512];
-			  snprintf(buf, 512,
+			  ircsnprintf(buf, sizeof(buf),
 			      "Spamfilter added: '%s' [target: %s] [action: %s] [reason: %s] on %s GMT (from %s)",
 			      reason, parv[3], banact_valtostring(banact_chartoval(*parv[4])),
 			      parc >= 10 ? unreal_decodespace(parv[9]) : SPAMFILTER_BAN_REASON,
@@ -2104,11 +2103,11 @@
 				if (type & TKL_NICK)
 				{
 					if (*parv[3] != 'H')
-						snprintf(buf, 512, "%s added for %s on %s GMT (from %s to expire at %s GMT: %s)",
+						ircsnprintf(buf, sizeof(buf), "%s added for %s on %s GMT (from %s to expire at %s GMT: %s)",
 							txt, parv[4], gmt, parv[5], gmt2, reason);
 				}
 				else
-					snprintf(buf, 512, "%s added for %s@%s on %s GMT (from %s to expire at %s GMT: %s)",
+					ircsnprintf(buf, sizeof(buf), "%s added for %s@%s on %s GMT (from %s to expire at %s GMT: %s)",
 						txt, parv[3], parv[4], gmt, parv[5], gmt2, reason);
 			  }
 			  else
@@ -2116,11 +2115,11 @@
 				if (type & TKL_NICK)
 				{
 					if (*parv[3] != 'H')
-						snprintf(buf, 512, "Permanent %s added for %s on %s GMT (from %s: %s)",
+						ircsnprintf(buf, sizeof(buf), "Permanent %s added for %s on %s GMT (from %s: %s)",
 							txt, parv[4], gmt, parv[5], reason);
 				}
 				else
-					snprintf(buf, 512, "Permanent %s added for %s@%s on %s GMT (from %s: %s)",
+					ircsnprintf(buf, sizeof(buf), "Permanent %s added for %s@%s on %s GMT (from %s: %s)",
 						txt, parv[3], parv[4], gmt, parv[5], reason);
 			  }
 			if (!((type & TKL_NICK) && *parv[3] == 'H'))
@@ -2208,28 +2207,28 @@
 		  switch (type)
 		  {
 		    case TKL_KILL:
-			    strcpy(txt, "K:Line");
+			    strlcpy(txt, "K:Line", sizeof(txt));
 			    break;
 		    case TKL_ZAP:
-			    strcpy(txt, "Z:Line");
+			    strlcpy(txt, "Z:Line", sizeof(txt));
 			    break;
 		    case TKL_KILL | TKL_GLOBAL:
-			    strcpy(txt, "G:Line");
+			    strlcpy(txt, "G:Line", sizeof(txt));
 			    break;
 		    case TKL_ZAP | TKL_GLOBAL:
-			    strcpy(txt, "Global Z:line");
+			    strlcpy(txt, "Global Z:line", sizeof(txt));
 			    break;
 		    case TKL_SHUN | TKL_GLOBAL:
-			    strcpy(txt, "Shun");
+			    strlcpy(txt, "Shun", sizeof(txt));
 			    break;
 		    case TKL_NICK | TKL_GLOBAL:
-			    strcpy(txt, "Global Q:line");
+			    strlcpy(txt, "Global Q:line", sizeof(txt));
 			    break;
 		    case TKL_NICK:
-			    strcpy(txt, "Q:line");
+			    strlcpy(txt, "Q:line", sizeof(txt));
 			    break;
 		    default:
-			    strcpy(txt, "Unknown *:Line");
+			    strlcpy(txt, "Unknown *:Line", sizeof(txt));
 		  }
 
 		  found = 0;
@@ -2376,10 +2375,10 @@
 			tkllayer[4] = hostip;
 			tkllayer[5] = me.name;
 			if (!duration)
-				strcpy(mo, "0"); /* perm */
+				strlcpy(mo, "0", sizeof(mo)); /* perm */
 			else
-				ircsprintf(mo, "%li", duration + TStime());
-			ircsprintf(mo2, "%li", TStime());
+				ircsnprintf(mo, sizeof(mo), "%li", duration + TStime());
+			ircsnprintf(mo2, sizeof(mo2), "%li", TStime());
 			tkllayer[6] = mo;
 			tkllayer[7] = mo2;
 			tkllayer[8] = reason;
@@ -2438,8 +2437,8 @@
 	chptr = find_channel(SPAMFILTER_VIRUSCHAN, NULL);
 	if (chptr)
 	{
-		ircsprintf(chbuf, "@%s", chptr->chname);
-		ircsprintf(buf, "[Spamfilter] %s matched filter '%s' [%s] [%s]",
+		ircsnprintf(chbuf, sizeof(chbuf), "@%s", chptr->chname);
+		ircsnprintf(buf, sizeof(buf), "[Spamfilter] %s matched filter '%s' [%s] [%s]",
 			sptr->name, tk->reason, cmdname_by_spamftarget(type),
 			unreal_decodespace(tk->ptr.spamf->tkl_reason));
 		sendto_channelprefix_butone(NULL, &me, chptr, PREFIX_OP|PREFIX_ADMIN|PREFIX_OWNER,
@@ -2534,7 +2533,7 @@
 			if (target && target_is_spamexcept(target))
 				return 0; /* No problem! */
 
-			ircsprintf(buf, "[Spamfilter] %s!%s@%s matches filter '%s': [%s%s: '%s'] [%s]",
+			ircsnprintf(buf, sizeof(buf), "[Spamfilter] %s!%s@%s matches filter '%s': [%s%s: '%s'] [%s]",
 				sptr->name, sptr->user->username, sptr->user->realhost,
 				tk->reason,
 				cmdname_by_spamftarget(type), targetbuf, str,
diff -r 919022ccbcf3 src/modules/m_topic.c
--- a/src/modules/m_topic.c	Tue May 21 03:42:22 2013 +0000
+++ b/src/modules/m_topic.c	Mon May 20 22:57:25 2013 -0600
@@ -252,7 +252,7 @@
 				{
 					topicoverride(sptr, chptr, topic);
 				} else {
-					ircsprintf(buf, "You cannot change the topic on %s while being banned", chptr->chname);
+					ircsnprintf(buf, sizeof(buf), "You cannot change the topic on %s while being banned", chptr->chname);
 					sendto_one(sptr, err_str(ERR_CANNOTDOCOMMAND), me.name, parv[0], "TOPIC",  buf);
 					return -1;
 				}
@@ -266,7 +266,7 @@
 					topicoverride(sptr, chptr, topic);
 				} else {
 					/* With +m and -t, only voice and higher may change the topic */
-					ircsprintf(buf, "Voice (+v) or higher is required in order to change the topic on %s (channel is +m)", chptr->chname);
+					ircsnprintf(buf, sizeof(buf), "Voice (+v) or higher is required in order to change the topic on %s (channel is +m)", chptr->chname);
 					sendto_one(sptr, err_str(ERR_CANNOTDOCOMMAND), me.name, parv[0], "TOPIC",  buf);
 					return -1;
 				}
diff -r 919022ccbcf3 src/modules/m_userhost.c
--- a/src/modules/m_userhost.c	Tue May 21 03:42:22 2013 +0000
+++ b/src/modules/m_userhost.c	Mon May 20 22:57:25 2013 -0600
@@ -99,7 +99,7 @@
 	/* The idea is to build up the response string out of pieces
 	 * none of this strlen() nonsense.
 	 * 5 * (NICKLEN*2+CHANNELLEN+USERLEN+HOSTLEN+30) is still << sizeof(buf)
-	 * and our ircsprintf() truncates it to fit anyway. There is
+	 * and our ircsnprintf() truncates it to fit anyway. There is
 	 * no danger of an overflow here. -Dianora
 	 */
 	response[0][0] = response[1][0] = response[2][0] =
@@ -114,7 +114,8 @@
 
 		if ((acptr = find_person(cn, NULL)))
 		{
-			ircsprintf(response[i], "%s%s=%c%s@%s",
+			ircsnprintf(response[i], NICKLEN * 2 + CHANNELLEN + USERLEN + HOSTLEN + 30,
+                            "%s%s=%c%s@%s",
 			    acptr->name,
 			    (IsAnOper(acptr) && (!IsHideOper(acptr) || sptr == acptr || IsAnOper(sptr)))
 				? "*" : "",
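Review bot: The size passed to `ircsnprintf` repeats `NICKLEN * 2 + CHANNELLEN + USERLEN + HOSTLEN + 30` by hand, so it is correct only while it matches the declaration of `response`, which is outside the hunk. If `response` is a two-dimensional array, the row size can come from the object itself: `ircsnprintf(response[i], sizeof(response[i]), "%s%s=%c%s@%s",`. The same hand-written size is used in the matching call in src/modules/m_userip.c. The new continuation line is also indented with spaces where the surrounding lines use tabs.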
diff -r 919022ccbcf3 src/modules/m_userip.c
--- a/src/modules/m_userip.c	Tue May 21 03:42:22 2013 +0000
+++ b/src/modules/m_userip.c	Mon May 20 22:57:25 2013 -0600
@@ -104,7 +104,7 @@
 	/* The idea is to build up the response string out of pieces
 	 * none of this strlen() nonsense.
 	 * 5 * (NICKLEN*2+CHANNELLEN+USERLEN+HOSTLEN+30) is still << sizeof(buf)
-	 * and our ircsprintf() truncates it to fit anyway. There is
+	 * and our ircsnprintf() truncates it to fit anyway. There is
 	 * no danger of an overflow here. -Dianora
 	 */
 	response[0][0] = response[1][0] = response[2][0] =
@@ -127,7 +127,7 @@
 				ip = ipbuf;
 			}
 
-			ircsprintf(response[i], "%s%s=%c%s@%s",
+			ircsnprintf(response[i], NICKLEN * 2 + CHANNELLEN + USERLEN + HOSTLEN + 30, "%s%s=%c%s@%s",
 			    acptr->name,
 			    (IsAnOper(acptr) && (!IsHideOper(acptr) || sptr == acptr || IsAnOper(sptr)))
 				? "*" : "",
diff -r 919022ccbcf3 src/s_auth.c
--- a/src/s_auth.c	Tue May 21 03:42:22 2013 +0000
+++ b/src/s_auth.c	Mon May 20 22:57:25 2013 -0600
@@ -172,7 +172,7 @@
 		goto authsenderr;
 	}
 
-	(void)ircsprintf(authbuf, "%u , %u\r\n",
+	ircsnprintf(authbuf, sizeof(authbuf), "%u , %u\r\n",
 	    (unsigned int)ntohs(them.SIN_PORT),
 	    (unsigned int)ntohs(us.SIN_PORT));
 
diff -r 919022ccbcf3 src/s_bsd.c
--- a/src/s_bsd.c	Tue May 21 03:42:22 2013 +0000
+++ b/src/s_bsd.c	Mon May 20 22:57:25 2013 -0600
@@ -352,10 +352,10 @@
 	 */
 #ifndef INET6
 	(void)sscanf(name, "%d.%d.%d.%d", &ad[0], &ad[1], &ad[2], &ad[3]);
-	(void)ircsprintf(ipname, "%d.%d.%d.%d", ad[0], ad[1], ad[2], ad[3]);
+	(void)ircsnprintf(ipname, sizeof(ipname), "%d.%d.%d.%d", ad[0], ad[1], ad[2], ad[3]);
 #else
 	if (*name == '*')
-		ircsprintf(ipname, "::");
+		ircsnprintf(ipname, sizeof(ipname), "::");
 	else
 		strlcpy(ipname, name, sizeof(ipname));
 #endif
@@ -410,7 +410,7 @@
 		if (bind(listener->fd, (struct SOCKADDR *)&server,
 		    sizeof(server)) == -1)
 		{
-			ircsprintf(backupbuf, "Error binding stream socket to IP %s port %i",
+			ircsnprintf(backupbuf, sizeof(backupbuf), "Error binding stream socket to IP %s port %i",
 				ipname, port);
 			strlcat(backupbuf, " - %s:%s", sizeof backupbuf);
 			report_baderror(backupbuf, NULL);
@@ -673,7 +673,7 @@
 	if ((fd = open(conf_files->pid_file, O_CREAT | O_WRONLY, 0600)) >= 0)
 	{
 		bzero(buff, sizeof(buff));
-		(void)ircsprintf(buff, "%5d\n", (int)getpid());
+		(void)ircsnprintf(buff, sizeof(buff), "%5d\n", (int)getpid());
 		if (write(fd, buff, strlen(buff)) == -1)
 			Debug((DEBUG_NOTICE, "Error writing to pid file %s",
 			    conf_files->pid_file));
@@ -1039,7 +1039,7 @@
 		else if (opt > 0 && opt != sizeof(readbuf) / 8)
 		{
 			for (*readbuf = '\0'; opt > 0; opt--, s += 3)
-				(void)ircsprintf(s, "%2.2x:", *t++);
+				(void)ircsnprintf(s, sizeof(readbuf)-(s-readbuf), "%2.2x:", *t++);
 			*s = '\0';
 			sendto_realops("Connection %s using IP opts: (%s)",
 			    get_client_name(cptr, TRUE), readbuf);
@@ -1216,7 +1216,7 @@
 				j++;
 				if (j > MAXUNKNOWNCONNECTIONSPERIP)
 				{
-					ircsprintf(zlinebuf,
+					ircsnprintf(zlinebuf, sizeof(zlinebuf),
 						"ERROR :Closing Link: [%s] (Too many unknown connections from your IP)"
 						"\r\n",
 						Inet_ia2p(&acptr->ip));
@@ -1230,7 +1230,7 @@
 		if ((bconf = Find_ban(acptr, Inet_ia2p(&acptr->ip), CONF_BAN_IP))) {
 			if (bconf)
 			{
-				ircsprintf(zlinebuf,
+				ircsnprintf(zlinebuf, sizeof(zlinebuf),
 					"ERROR :Closing Link: [%s] (You are not welcome on "
 					"this server: %s. Email %s for more information.)\r\n",
 					Inet_ia2p(&acptr->ip),
@@ -1254,7 +1254,7 @@
 			int val;
 			if (!(val = throttle_can_connect(acptr, &acptr->ip)))
 			{
-				ircsprintf(zlinebuf,
+				ircsnprintf(zlinebuf, sizeof(zlinebuf),
 					"ERROR :Closing Link: [%s] (Throttled: Reconnecting too fast) -"
 						"Email %s for more information.\r\n",
 						Inet_ia2p(&acptr->ip),
diff -r 919022ccbcf3 src/s_conf.c
--- a/src/s_conf.c	Tue May 21 03:42:22 2013 +0000
+++ b/src/s_conf.c	Mon May 20 22:57:25 2013 -0600
@@ -853,18 +853,25 @@
 		free(parambuf);
 }
 
-void chmode_str(struct ChMode modes, char *mbuf, char *pbuf)
-{
+void chmode_str(struct ChMode modes, char *mbuf, char *pbuf, size_t mbuf_size, size_t pbuf_size)
+{
+        if (!(mbuf_size && pbuf_size)) return;
 	aCtab *tab;
 	int i;
 	*pbuf = 0;
 	*mbuf++ = '+';
+	if (--mbuf_size == 0) return;
 	for (tab = &cFlagTab[0]; tab->mode; tab++)
 	{
 		if (modes.mode & tab->mode)
 		{
-			if (!tab->parameters)
+			if (!tab->parameters) {
 				*mbuf++ = tab->flag;
+				if (!--mbuf_size) {
+					*--mbuf=0;
+					break;
+				}
+                        }
 		}
 	}
 	for (i=0; i <= Channelmode_highest; i++)
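Review bot: The early exit `if (--mbuf_size == 0) return;` leaves `mbuf` unterminated: with `mbuf_size == 1` the `'+'` has just been stored in the only available byte and the function returns before any NUL is written. The later exits in this hunk back up with `*--mbuf=0;` before leaving, and this one should do the same: `if (--mbuf_size == 0) { *--mbuf = 0; return; }`. The new guard `if (!(mbuf_size && pbuf_size)) return;` also sits ahead of the declarations of `tab` and `i`, which pre-C99 compilers reject. `chmode_str` continues in the next hunk.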
@@ -874,20 +881,30 @@
 	
 		if (modes.extmodes & Channelmode_Table[i].mode)
 		{
-			*mbuf++ = Channelmode_Table[i].flag;
+			if (mbuf_size) {
+				*mbuf++ = Channelmode_Table[i].flag;
+				if (!--mbuf_size) {
+					*--mbuf=0;
+					break;
+				}
+			}
 			if (Channelmode_Table[i].paracount)
 			{
-				strcat(pbuf, modes.extparams[i]);
-				strcat(pbuf, " ");
+				strncat(pbuf, modes.extparams[i], pbuf_size-1);
+				pbuf_size-=strlen(modes.extparams[i]);
+				if (!pbuf_size) break;
+				strncat(pbuf, " ", pbuf_size-1);
+				if (!--pbuf_size) break;
 			}
 		}
 	}
 	if (modes.floodprot.per)
 	{
-		*mbuf++ = 'f';
-		strcat(pbuf, channel_modef_string(&modes.floodprot));
-	}
-	*mbuf++=0;
+		if (!mbuf_size) return;
+		if (--mbuf_size) *mbuf++ = 'f';
+		if (pbuf_size) strncat(pbuf, channel_modef_string(&modes.floodprot), pbuf_size-1);
+	}
+	*mbuf=0;
 }
 
 int channellevel_to_int(char *s)
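Review bot: The `pbuf_size` bookkeeping around the new `strncat` calls can wrap. `pbuf_size-=strlen(modes.extparams[i]);` subtracts the full source length even when `strncat` truncated, so a parameter longer than the remaining space makes the unsigned `pbuf_size` underflow and every later `strncat(pbuf, ..., pbuf_size-1)` is effectively unbounded again. The flood-protection branch has a related gap: when `--mbuf_size` reaches zero the `'f'` flag is skipped but its parameter is still appended to `pbuf`, so flags and parameters no longer line up. Leaving `pbuf_size` constant and letting `strlcat` do the accounting removes the arithmetic: `strlcat(pbuf, modes.extparams[i], pbuf_size); strlcat(pbuf, " ", pbuf_size);`, and the same for the `channel_modef_string` result.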
@@ -1362,7 +1379,7 @@
 	char		*ptr;
 
 	va_start(ap, format);
-	vsprintf(buffer, format, ap);
+	vsnprintf(buffer, sizeof(buffer), format, ap);
 	va_end(ap);
 	if ((ptr = strchr(buffer, '\n')) != NULL)
 		*ptr = '\0';
@@ -3105,13 +3122,13 @@
 	buf[0] = 0;
 
 	if (timeval/86400)
-		sprintf(buf, "%ld day%s ", timeval/86400, timeval/86400 != 1 ? "s" : "");
+		snprintf(buf, sizeof(buf), "%ld day%s ", timeval/86400, timeval/86400 != 1 ? "s" : "");
 	if ((timeval/3600) % 24)
-		sprintf(buf, "%s%ld hour%s ", buf, (timeval/3600)%24, (timeval/3600)%24 != 1 ? "s" : "");
+		snprintf(buf, sizeof(buf), "%s%ld hour%s ", buf, (timeval/3600)%24, (timeval/3600)%24 != 1 ? "s" : "");
 	if ((timeval/60)%60)
-		sprintf(buf, "%s%ld minute%s ", buf, (timeval/60)%60, (timeval/60)%60 != 1 ? "s" : "");
+		snprintf(buf, sizeof(buf), "%s%ld minute%s ", buf, (timeval/60)%60, (timeval/60)%60 != 1 ? "s" : "");
 	if ((timeval%60))
-		sprintf(buf, "%s%ld second%s", buf, timeval%60, timeval%60 != 1 ? "s" : "");
+		snprintf(buf, sizeof(buf), "%s%ld second%s", buf, timeval%60, timeval%60 != 1 ? "s" : "");
 	return buf;
 }
 
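Review bot: The hour, minute and second calls pass `buf` both as the destination and as a `%s` argument, as in `snprintf(buf, sizeof(buf), "%s%ld hour%s ", buf, ...)`. That is undefined behaviour because source and destination overlap, and some C libraries return an empty or truncated prefix for `snprintf` here even where the old `sprintf` happened to work. Append at the current end instead, e.g. `len = strlen(buf); snprintf(buf + len, sizeof(buf) - len, "%ld hour%s ", (timeval/3600)%24, ...);`, and likewise for the other two parts. This assumes `buf` is an array in this function; its declaration is outside the hunk.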
@@ -7348,7 +7365,7 @@
 			{
 				char tmpbuf[512];
 				IsupportSetValue(IsupportFind("MAXCHANNELS"), cep->ce_vardata);
-				ircsprintf(tmpbuf, "#:%s", cep->ce_vardata);
+				ircsnprintf(tmpbuf, sizeof(tmpbuf), "#:%s", cep->ce_vardata);
 				IsupportSetValue(IsupportFind("CHANLIMIT"), tmpbuf);
 			}
 		}
diff -r 919022ccbcf3 src/s_debug.c
--- a/src/s_debug.c	Tue May 21 03:42:22 2013 +0000
+++ b/src/s_debug.c	Mon May 20 22:57:25 2013 -0600
@@ -199,26 +199,17 @@
 	if ((debuglevel >= 0) && (level <= debuglevel))
 	{
 #ifndef USE_VARARGS
-		(void)ircsprintf(debugbuf, form, p1, p2, p3, p4, p5, p6, p7, p8, p9, p10);
+		(void)ircsnprintf(debugbuf, sizeof(debugbuf), form, p1, p2, p3, p4, p5, p6, p7, p8, p9, p10);
 #else
-		(void)ircvsprintf(debugbuf, form, vl);
-#if 0
-# ifdef _WIN32
-		strcat(debugbuf,"\r\n");
-# endif
-#endif
+		(void)ircvsnprintf(debugbuf, sizeof(debugbuf), form, vl);
 #endif
 
 #ifndef _WIN32
 		(void)fprintf(stderr, "%s", debugbuf);
 		(void)fputc('\n', stderr);
 #else
-//# ifndef _WIN32GUI
-//		Cio_Puts(hCio, debugbuf, strlen(debugbuf));
-//# else
-		strcat(debugbuf, "\r\n");
+		strncat(debugbuf, "\r\n", sizeof(debugbuf)-strlen(debugbuf)-1);
 		OutputDebugString(debugbuf);
-//# endif
 #endif
 	}
 	va_end(vl);
diff -r 919022ccbcf3 src/s_extra.c
--- a/src/s_extra.c	Tue May 21 03:42:22 2013 +0000
+++ b/src/s_extra.c	Mon May 20 22:57:25 2013 -0600
@@ -290,11 +290,11 @@
 	int written = 0, write_failure = 0;
 
 	va_start(ap, format);
-	ircvsprintf(buf, format, ap);
+	ircvsnprintf(buf, sizeof(buf), format, ap);
 	va_end(ap);
-	snprintf(timebuf, sizeof timebuf, "[%s] - ", myctime(TStime()));
+	snprintf(timebuf, sizeof(timebuf), "[%s] - ", myctime(TStime()));
 	RunHook3(HOOKTYPE_LOG, flags, timebuf, buf);
-	strlcat(buf, "\n", sizeof buf);
+	strlcat(buf, "\n", sizeof(buf));
 
 	for (logs = conf_log; logs; logs = (ConfigItem_log *) logs->next) {
 #ifdef HAVE_SYSLOG
diff -r 919022ccbcf3 src/s_misc.c
--- a/src/s_misc.c	Tue May 21 03:42:22 2013 +0000
+++ b/src/s_misc.c	Mon May 20 22:57:25 2013 -0600
@@ -148,7 +148,7 @@
 	plus = (minswest > 0) ? '-' : '+';
 	if (minswest < 0)
 		minswest = -minswest;
-	(void)ircsprintf(buf, "%s %s %d %d -- %02d:%02d %c%02d:%02d",
+	ircsnprintf(buf, sizeof(buf), "%s %s %d %d -- %02d:%02d %c%02d:%02d",
 	    weekdays[lt->tm_wday], months[lt->tm_mon], lt->tm_mday,
 	    1900 + lt->tm_year,
 	    lt->tm_hour, lt->tm_min, plus, minswest / 60, minswest % 60);
@@ -170,9 +170,9 @@
 	ltime = (ltime - minutes) / 60;
 	hours = ltime % 24;
 	days = (ltime - hours) / 24;
-	ircsprintf(buffer, "%ludays %luhours %luminutes %lusecs",
+	ircsnprintf(buffer, sizeof(buffer), "%ludays %luhours %luminutes %lusecs",
 days, hours, minutes, seconds);
-	return(*buffer ? buffer : "");
+	return buffer;
 }
 
 
@@ -347,7 +347,7 @@
 	if (MyConnect(sptr))
 	{
 		if (showip)
-			(void)ircsprintf(nbuf, "%s[%s@%s.%u]",
+			(void)ircsnprintf(nbuf, sizeof(nbuf), "%s[%s@%s.%u]",
 			    sptr->name,
 			    (!(sptr->flags & FLAGS_GOTID)) ? "" :
 			    sptr->username,
@@ -361,7 +361,7 @@
 		else
 		{
 			if (mycmp(sptr->name, sptr->sockhost))
-				(void)ircsprintf(nbuf, "%s[%s]",
+				(void)ircsnprintf(nbuf, sizeof(nbuf), "%s[%s]",
 				    sptr->name, sptr->sockhost);
 			else
 				return sptr->name;
@@ -379,7 +379,7 @@
 		return cptr->name;
 	if (!cptr->hostp)
 		return get_client_name(cptr, FALSE);
-	(void)ircsprintf(nbuf, "%s[%-.*s@%-.*s]",
+	(void)ircsnprintf(nbuf, sizeof(nbuf), "%s[%-.*s@%-.*s]",
 	    cptr->name, USERLEN,
   	    (!(cptr->flags & FLAGS_GOTID)) ? "" : cptr->username,
 	    HOSTLEN, cptr->hostp->h_name);
@@ -587,16 +587,7 @@
 		 * in the quit msg. -Cabal95
 		 */
 		if (cptr && !recurse)
-		{
-			/*
-			 * We are sure as we RELY on sptr->srvptr->name and 
-			 * sptr->name to be less or equal to HOSTLEN
-			 * Waste of strlcpy/strlcat here
-			*/
-			(void)strcpy(comment1, sptr->srvptr->name);
-			(void)strcat(comment1, " ");
-			(void)strcat(comment1, sptr->name);
-		}
+                        ircsnprintf(comment1, sizeof(comment1), "%s %s", sptr->srvptr->name, sptr->name);
 		/*
 		 * First, remove the clients on the server itself.
 		 */
@@ -817,7 +808,7 @@
 	}
 	if (counted == IRCstats.operators)
 		return;
-	sprintf(text, "[BUG] operator count bug! value in /lusers is '%d', we counted '%d', "
+	snprintf(text, sizeof(text), "[BUG] operator count bug! value in /lusers is '%d', we counted '%d', "
 	               "user='%s', userserver='%s', tag=%s. Corrected. ",
 	               IRCstats.operators, counted, orig->name ? orig->name : "<null>",
 	               orig->srvptr ? orig->srvptr->name : "<null>", tag ? tag : "<null>");
diff -r 919022ccbcf3 src/send.c
--- a/src/send.c	Tue May 21 03:42:22 2013 +0000
+++ b/src/send.c	Mon May 20 22:57:25 2013 -0600
@@ -167,7 +167,7 @@
 
 void vsendto_one(aClient *to, const char *pattern, va_list vl)
 {
-	ircvsprintf(sendbuf, pattern, vl);
+	ircvsnprintf(sendbuf, sizeof(sendbuf), pattern, vl);
 	sendbufto_one(to, sendbuf, 0);
 }
 
@@ -405,8 +405,8 @@
 	int  i;
 	int remote = MyClient(from) ? 0 : 1;
 
-	sprintf(ccmd, ":%s PRIVMSG %s :%s", from->name, chptr->chname, text); /* msg */
-	sprintf(xcmd, ":IRC!IRC@%s PRIVMSG %s :%s: %s", me.name, chptr->chname, from->name, text); /* local */
+	snprintf(ccmd, sizeof(ccmd), ":%s PRIVMSG %s :%s", from->name, chptr->chname, text); /* msg */
+	snprintf(xcmd, sizeof(xcmd), ":IRC!IRC@%s PRIVMSG %s :%s: %s", me.name, chptr->chname, from->name, text); /* local */
 
 	++current_serial;
 	for (lp = chptr->members; lp; lp = lp->next)
@@ -796,7 +796,7 @@
 	list_for_each_entry(cptr, &lclient_list, lclient_node)
 		if (!IsServer(cptr) && !IsMe(cptr) && SendServNotice(cptr))
 		{
-			(void)ircsprintf(nbuf, ":%s NOTICE %s :*** Notice -- ", me.name, cptr->name);
+			(void)ircsnprintf(nbuf, sizeof(nbuf), ":%s NOTICE %s :*** Notice -- ", me.name, cptr->name);
 			(void)strncat(nbuf, pattern, sizeof(nbuf) - strlen(nbuf));
 
 			va_start(vl, pattern);
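Review bot: The `strncat(nbuf, pattern, sizeof(nbuf) - strlen(nbuf))` right after the changed line is off by one. strncat's count excludes the terminating NUL, so when `pattern` fills the remaining space the NUL lands one byte past `nbuf`. The src/send.c hunk at new-side line 1239 already uses the bounded form, and these should match it: `(void)strlcat(nbuf, pattern, sizeof nbuf);`. The same unchanged `strncat` appears in the hunks at new-side lines 819, 844, 996, 1024 and 1049 of this file.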
@@ -819,7 +819,7 @@
 	list_for_each_entry(cptr, &lclient_list, lclient_node)
 		if (!IsServer(cptr) && !IsMe(cptr) && SendFailops(cptr))
 		{
-			(void)ircsprintf(nbuf, ":%s NOTICE %s :*** Global -- ",
+			(void)ircsnprintf(nbuf, sizeof(nbuf), ":%s NOTICE %s :*** Global -- ",
 			    me.name, cptr->name);
 			(void)strncat(nbuf, pattern,
 			    sizeof(nbuf) - strlen(nbuf));
@@ -844,7 +844,7 @@
 	list_for_each_entry(cptr, &lclient_list, lclient_node)
 		if (IsPerson(cptr) && (cptr->umodes & umodes) == umodes)
 		{
-			(void)ircsprintf(nbuf, ":%s NOTICE %s :",
+			(void)ircsnprintf(nbuf, sizeof(nbuf), ":%s NOTICE %s :",
 			    me.name, cptr->name);
 			(void)strncat(nbuf, pattern,
 			    sizeof(nbuf) - strlen(nbuf));
@@ -887,7 +887,7 @@
 	char nbuf[2048];
 
 	va_start(vl, pattern);
-	ircvsprintf(nbuf, pattern, vl);
+	ircvsnprintf(nbuf, sizeof(nbuf), pattern, vl);
 	va_end(vl);
 
 	list_for_each_entry(cptr, &oper_list, special_node)
@@ -910,7 +910,7 @@
 	char nbuf[2048], snobuf[32], *p;
 
 	va_start(vl, pattern);
-	ircvsprintf(nbuf, pattern, vl);
+	ircvsnprintf(nbuf, sizeof(nbuf), pattern, vl);
 	va_end(vl);
 
 	list_for_each_entry(cptr, &oper_list, special_node)
@@ -942,7 +942,7 @@
 	char nbuf[2048];
 
 	va_start(vl, pattern);
-	ircvsprintf(nbuf, pattern, vl);
+	ircvsnprintf(nbuf, sizeof(nbuf), pattern, vl);
 	va_end(vl);
 
 	list_for_each_entry(cptr, &lclient_list, lclient_node)
@@ -963,7 +963,7 @@
 	char nbuf[2048], snobuf[32], *p;
 
 	va_start(vl, pattern);
-	ircvsprintf(nbuf, pattern, vl);
+	ircvsnprintf(nbuf, sizeof(nbuf), pattern, vl);
 	va_end(vl);
 
 	list_for_each_entry(cptr, &lclient_list, lclient_node)
@@ -996,7 +996,7 @@
 	{
 		if (SendFailops(cptr))
 		{
-			(void)ircsprintf(nbuf, ":%s NOTICE %s :*** Global -- ",
+			(void)ircsnprintf(nbuf, sizeof(nbuf), ":%s NOTICE %s :*** Global -- ",
 			    me.name, cptr->name);
 			(void)strncat(nbuf, pattern,
 			    sizeof(nbuf) - strlen(nbuf));
@@ -1024,7 +1024,7 @@
 	{
 		if (SendFailops(cptr))
 		{
-			(void)ircsprintf(nbuf, ":%s NOTICE %s :*** LocOps -- ",
+			(void)ircsnprintf(nbuf, sizeof(nbuf), ":%s NOTICE %s :*** LocOps -- ",
 			    me.name, cptr->name);
 			(void)strncat(nbuf, pattern,
 			    sizeof(nbuf) - strlen(nbuf));
@@ -1049,7 +1049,7 @@
 
 	list_for_each_entry(cptr, &oper_list, special_node)
 	{
-		(void)ircsprintf(nbuf, ":%s NOTICE %s :*** Oper -- ",
+		(void)ircsnprintf(nbuf, sizeof(nbuf), ":%s NOTICE %s :*** Oper -- ",
 		    me.name, cptr->name);
 		(void)strncat(nbuf, pattern,
 		    sizeof(nbuf) - strlen(nbuf));
@@ -1151,7 +1151,7 @@
  * is a person, taking into account the rules for hidden/cloaked host.
  * NOTE: Do not send this prepared buffer to remote clients or servers,
  *       they do not want or need the expanded prefix. In that case, simply
- *       use ircvsprintf() directly.
+ *       use ircvsnprintf() directly.
  */
 int vmakebuf_local_withprefix(char *buf, struct Client *from, const char *pattern, va_list vl)
 {
@@ -1187,10 +1187,10 @@
 		if (!strcmp(&pattern[3], "%s"))
 			strcpy(buf + strlen(buf), va_arg(vl, char *)); /* This can speed things up by 30% -- Syzop */
 		else
-			ircvsprintf(buf + strlen(buf), &pattern[3], vl);
+			ircvsnprintf(buf + strlen(buf), sizeof(buf)-strlen(buf), &pattern[3], vl);
 	}
 	else
-		ircvsprintf(buf, pattern, vl);
+		ircvsnprintf(buf, sizeof(buf), pattern, vl);
 
 	len = strlen(buf);
 	ADD_CRLF(buf, len);
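Review bot: Both new calls use `sizeof(buf)`, but `buf` is the `char *buf` parameter of vmakebuf_local_withprefix (signature in the preceding hunk), so the expression is the size of a pointer, not of the destination. In the `else` branch this truncates every formatted line to a few bytes. In the prefix branch `sizeof(buf)-strlen(buf)` wraps to a very large `size_t` once the prefix is longer than a pointer, which leaves the write unbounded again. The function needs the real capacity, for example an added `size_t buflen` parameter supplied by the caller (presumably `sizeof(sendbuf)` at the call in the next hunk), used as `ircvsnprintf(buf + plen, buflen - plen, &pattern[3], vl);` with `plen = strlen(buf)` checked against `buflen`. The unchanged `strcpy(buf + strlen(buf), va_arg(vl, char *))` fast path needs the same bound. The function body starts and ends outside this hunk.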
@@ -1203,7 +1203,7 @@
 	if (to && from && MyClient(to) && from->user)
 		vmakebuf_local_withprefix(sendbuf, from, pattern, vl);
 	else
-		ircvsprintf(sendbuf, pattern, vl);
+		ircvsnprintf(sendbuf, sizeof(sendbuf), pattern, vl);
 
 	sendbufto_one(to, sendbuf, 0);
 }
@@ -1239,7 +1239,7 @@
 
 	list_for_each_entry(cptr, &oper_list, special_node)
 	{
-		(void)ircsprintf(nbuf, ":%s NOTICE %s :*** Notice -- ",
+		(void)ircsnprintf(nbuf, sizeof(nbuf), ":%s NOTICE %s :*** Notice -- ",
 		    me.name, cptr->name);
 		(void)strlcat(nbuf, pattern, sizeof nbuf);
 
@@ -1259,7 +1259,7 @@
 	if (!disconnect)
 	{
 		RunHook(HOOKTYPE_LOCAL_CONNECT, sptr);
-		ircsprintf(connectd,
+		ircsnprintf(connectd, sizeof(connectd),
 		    "*** Notice -- Client connecting on port %d: %s (%s@%s) [%s] %s%s%s",
 		    sptr->listener->port, nick, user->username, user->realhost,
 		    sptr->class ? sptr->class->name : "",
@@ -1270,16 +1270,16 @@
 #else
 		"", "", "");
 #endif
-		ircsprintf(connecth,
+		ircsnprintf(connecth, sizeof(connecth),
 		    "*** Notice -- Client connecting: %s (%s@%s) [%s] {%s}", nick,
 		    user->username, user->realhost, Inet_ia2p(&sptr->ip),
 		    sptr->class ? sptr->class->name : "0");
 	}
 	else
 	{
-		ircsprintf(connectd, "*** Notice -- Client exiting: %s (%s@%s) [%s]",
+		ircsnprintf(connectd, sizeof(connectd), "*** Notice -- Client exiting: %s (%s@%s) [%s]",
 			nick, user->username, user->realhost, comment);
-		ircsprintf(connecth, "*** Notice -- Client exiting: %s (%s@%s) [%s] [%s]",
+		ircsnprintf(connecth, sizeof(connecth), "*** Notice -- Client exiting: %s (%s@%s) [%s] [%s]",
 			nick, user->username, user->realhost, comment, Inet_ia2p(&sptr->ip));
 	}
 
@@ -1307,17 +1307,17 @@
 
 	if (!disconnect)
 	{
-		ircsprintf(connectd, "*** Notice -- Client connecting at %s: %s (%s@%s)",
+		ircsnprintf(connectd, sizeof(connectd), "*** Notice -- Client connecting at %s: %s (%s@%s)",
 			    user->server, nick, user->username, user->realhost);
-		ircsprintf(connecth,
+		ircsnprintf(connecth, sizeof(connecth),
 		    "*** Notice -- Client connecting at %s: %s (%s@%s) [%s] {0}", user->server, nick,
 		    user->username, user->realhost, user->ip_str ? user->ip_str : "0");
 	}
 	else
 	{
-		ircsprintf(connectd, "*** Notice -- Client exiting at %s: %s!%s@%s (%s)",
+		ircsnprintf(connectd, sizeof(connectd), "*** Notice -- Client exiting at %s: %s!%s@%s (%s)",
 			   user->server, nick, user->username, user->realhost, comment);
-		ircsprintf(connecth, "*** Notice -- Client exiting at %s: %s (%s@%s) [%s] [%s]",
+		ircsnprintf(connecth, sizeof(connecth), "*** Notice -- Client exiting at %s: %s (%s@%s) [%s] [%s]",
 			user->server, nick, user->username, user->realhost, comment,
 			user->ip_str ? user->ip_str : "0");
 	}
@@ -1437,7 +1437,7 @@
 va_list vl;
 char *name = *to->name ? to->name : "*";
 
-	ircsprintf(realpattern, ":%s NOTICE %s :%s", me.name, name, pattern);
+	ircsnprintf(realpattern, sizeof(realpattern), ":%s NOTICE %s :%s", me.name, name, pattern);
 
 	va_start(vl, pattern);
 	vsendto_one(to, realpattern, vl);
@@ -1449,7 +1449,7 @@
 static char realpattern[1024];
 va_list vl;
 
-	ircsprintf(realpattern, ":%s %d %s :%s", me.name, RPL_TEXT, to->name, pattern);
+	ircsnprintf(realpattern, sizeof(realpattern), ":%s %d %s :%s", me.name, RPL_TEXT, to->name, pattern);
 
 	va_start(vl, pattern);
 	vsendto_one(to, realpattern, vl);
diff -r 919022ccbcf3 src/socket.c
--- a/src/socket.c	Tue May 21 03:42:22 2013 +0000
+++ b/src/socket.c	Mon May 20 22:57:25 2013 -0600
@@ -1,4 +1,4 @@
-/*
+ /*
  *   Unreal Internet Relay Chat Daemon, src/socket.c
  *   Copyright (C) 1990 Jarkko Oikarinen and
  *                      University of Oulu, Computing Center
@@ -151,7 +151,7 @@
 	    && cp[9] == 0 && cp[10] == 0xff
 	    && cp[11] == 0xff)
 	{
-		(void)ircsprintf(buf, "%u.%u.%u.%u",
+		(void)ircsnprintf(buf, sz, "%u.%u.%u.%u",
 		    (u_int)(cp[12]), (u_int)(cp[13]),
 		    (u_int)(cp[14]), (u_int)(cp[15]));
 	
@@ -189,7 +189,7 @@
 	    && cp[9] == 0 && cp[10] == 0xff
 	    && cp[11] == 0xff)
 	{
-		(void)ircsprintf(buf, "%u.%u.%u.%u",
+		(void)ircsnprintf(buf, sizeof(buf), "%u.%u.%u.%u",
 		    (u_int)(cp[12]), (u_int)(cp[13]),
 		    (u_int)(cp[14]), (u_int)(cp[15]));
 	
diff -r 919022ccbcf3 src/ssl.c
--- a/src/ssl.c	Tue May 21 03:42:22 2013 +0000
+++ b/src/ssl.c	Mon May 20 22:57:25 2013 -0600
@@ -183,7 +183,7 @@
 static char buf[2048];
 
 	va_start(vl, fmt);
-	ircvsprintf(buf, fmt, vl);
+	ircvsnprintf(buf, sizeof(buf), fmt, vl);
 	va_end(vl);
 	sendto_realops("[SSL rehash] %s", buf);
 	ircd_log(LOG_ERROR, "%s", buf);
diff -r 919022ccbcf3 src/support.c
--- a/src/support.c	Tue May 21 03:42:22 2013 +0000
+++ b/src/support.c	Mon May 20 22:57:25 2013 -0600
@@ -53,9 +53,9 @@
 {
 	static char buf[128];
 #ifndef _WIN32	
-	ircsprintf(buf, "%d", i);
+	ircsnprintf(buf, sizeof(buf), "%d", i);
 #else
-	_itoa(i, buf, 10);
+	_itoa_s(i, buf, sizeof(buf), 10);
 #endif
 	return (buf);
 }
@@ -129,7 +129,7 @@
 	if (errp == (char *)NULL)
 	{
 		errp = buff;
-		(void)ircsprintf(errp, "Unknown Error %d", err_no);
+		(void)ircsnprintf(buff, sizeof(buff), "Unknown Error %d", err_no);
 
 	}
 	return errp;
@@ -157,7 +157,7 @@
 	b = (int)*s++;
 	c = (int)*s++;
 	d = (int)*s++;
-	(void)ircsprintf(buf, "%d.%d.%d.%d", a, b, c, d);
+	(void)ircsnprintf(buf, sizeof(buf), "%d.%d.%d.%d", a, b, c, d);
 
 	return buf;
 }
@@ -1867,8 +1867,8 @@
 	static const char fmt[] = "%u.%u.%u.%u";
 	char tmp[sizeof "255.255.255.255"];
 
-	sprintf(tmp, fmt, src[0], src[1], src[2], src[3]);
-	if ((size_t)strlen(tmp) > size) {
+	snprintf(tmp, sizeof(tmp), fmt, src[0], src[1], src[2], src[3]);
+	if ((size_t)strlen(tmp)+1 > size) {
 #ifndef _WIN32
 		errno = ENOSPC;
 #else
@@ -1876,7 +1876,7 @@
 #endif
 		return (NULL);
 	}
-	strcpy(dst, tmp);
+	strlcpy(dst, tmp, size);
 	return (dst);
 }
 
@@ -1934,9 +1934,10 @@
 	/*
 	 * Format the result.
 	 */
+        if (size < (IN6ADDRSZ / INT16SZ)) return 0;
 	tp = tmp;
 	for (i = 0; i < (IN6ADDRSZ / INT16SZ); i++) {
-		/* Are we inside the best run of 0x00's? */
+		/* Are we inside the best run of 0x00? */
 		if (best.base != -1 && i >= best.base &&
 		    i < (best.base + best.len)) {
 			if (i == best.base)
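Review bot: The added guard `if (size < (IN6ADDRSZ / INT16SZ)) return 0;` compares the destination size in bytes with the number of 16-bit words in an address, so it bounds nothing the loop writes; the loop fills the local `tmp` through `tp`, not `dst`. It also returns without setting an error code, whereas the too-small path visible in the IPv4 hunk above sets `ENOSPC` before `return (NULL);`. I would drop the guard and rely on the length check before the final `strlcpy(dst, tmp, size)`. If an early exit is wanted, make it the same failure path (`errno = ENOSPC;` or its `_WIN32` counterpart, then `return (NULL);`). The line is also indented with spaces where the file uses tabs. The function starts and ends outside this hunk.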
@@ -1954,7 +1955,7 @@
 			tp += strlen(tp);
 			break;
 		}
-		sprintf(tp, "%x", words[i]);
+		snprintf(tp, sizeof(tmp)-strlen(tmp), "%x", words[i]);
 		tp += strlen(tp);
 	}
 	/* Was it a trailing run of 0x00's? */
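Review bot: The bound `sizeof(tmp)-strlen(tmp)` is only correct if `tmp` is NUL-terminated from its start on every iteration, and the visible code does not establish that. `tmp` is filled through the moving pointer `tp`, and nothing in these hunks shows it being initialised before the loop. If `strlen(tmp)` runs past the bytes written so far, the subtraction can wrap and the call is unbounded again. The remaining space is known exactly from the pointer, so the call can be `snprintf(tp, sizeof(tmp) - (size_t)(tp - tmp), "%x", words[i]);`. The loop body begins outside this hunk.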
@@ -1973,7 +1974,7 @@
 #endif
 		return (NULL);
 	}
-	strcpy(dst, tmp);
+	strlcpy(dst, tmp, size);
 	return (dst);
 }
 
@@ -2290,7 +2291,7 @@
 		else
 			return WSAErrors[mid].error_string;	
 	}
-	sprintf(unkerr, "Unknown Error: %d", error);
+	snprintf(unkerr, sizeof(unkerr), "Unknown Error: %d", error);
 	return unkerr;
 }
 #endif
diff -r 919022ccbcf3 src/timesynch.c
--- a/src/timesynch.c	Tue May 21 03:42:22 2013 +0000
+++ b/src/timesynch.c	Mon May 20 22:57:25 2013 -0600
@@ -168,7 +168,7 @@
 		s[n] = fd_socket(AF_INET, SOCK_DGRAM, 0, buf); /* always ipv4 */
 		if (s[n] < 0)
 		{
-			ircsprintf(tserr, "unable to create socket: %s [%d]", STRERROR(ERRNO), (int)ERRNO);
+			ircsnprintf(tserr, sizeof(tserr), "unable to create socket: %s [%d]", STRERROR(ERRNO), (int)ERRNO);
 			goto end;
 		}
 		
@@ -180,7 +180,7 @@
 		addr[n].sin_addr.s_addr = inet_addr(servname);
 		if (addr[n].sin_addr.s_addr == INADDR_NONE)
 		{
-			ircsprintf(tserr, "invalid timeserver IP '%s'", servname);
+			ircsnprintf(tserr, sizeof(tserr), "invalid timeserver IP '%s'", servname);
 			goto end;
 		}
 
@@ -205,7 +205,7 @@
 	{
 		ircd_log(LOG_ERROR, "TimeSync: WARNING: Unable to send time synchronization packets to ANY time server. "
 		                    "Perhaps your firewall is blocking outgoing packets to UDP port 123?");
-		strcpy(tserr, "Unable to send packets");
+		strlcpy(tserr, "Unable to send packets", sizeof(tserr));
 		goto end;
 	}
 
@@ -216,7 +216,7 @@
 		now = time(NULL);
 		if (start + timeout <= now)
 		{
-			strcpy(tserr, "Timeout");
+			strlcpy(tserr, "Timeout", sizeof(tserr));
 			goto end;
 		}
 		
@@ -232,7 +232,7 @@
 		if (n < 0)
 		{
 			/* select error == teh bad.. */
-			ircsprintf(tserr, "select() error: %s [%d]", STRERROR(ERRNO), (int)ERRNO);
+			ircsnprintf(tserr, sizeof(tserr), "select() error: %s [%d]", STRERROR(ERRNO), (int)ERRNO);
 			goto end;
 		}
 		
diff -r 919022ccbcf3 src/win32/gui.c
--- a/src/win32/gui.c	Tue May 21 03:42:22 2013 +0000
+++ b/src/win32/gui.c	Mon May 20 22:57:25 2013 -0600
@@ -38,6 +38,7 @@
 #include <richedit.h>
 #include <commdlg.h>
 #include "win32.h"
+#include <Strsafe.h>
 
 __inline void ShowDialog(HWND *handle, HINSTANCE inst, char *template, HWND parent, 
 			 DLGPROC proc)
@@ -750,7 +751,7 @@
 			unsigned char szText[256];
 			struct stat sb;
 			HWND hWnd = GetDlgItem(hDlg, IDC_TEXT), hTip;
-			wsprintf(szText, "UnrealIRCd Viewer - %s", (unsigned char *)lParam);
+                        StringCbPrintf(szText, sizeof(szText), "UnrealIRCd Viewer - %s", (unsigned char *)lParam);
 			SetWindowText(hDlg, szText);
 			lpfnOldWndProc = (FARPROC)SetWindowLong(hWnd, GWL_WNDPROC, (DWORD)RESubClassFunc);
 			if ((fd = open((unsigned char *)lParam, _O_RDONLY|_O_BINARY)) != -1) 
@@ -1028,21 +1029,21 @@
         unsigned char buf[2048];
 		unsigned char *buf2;
         va_start(ap, format);
-        ircvsprintf(buf, format, ap);
+        ircvsnprintf(buf, sizeof(buf), format, ap);
 	if (!IsService) 
 	{
 		strcat(buf, "\r\n");
 		if (errors) 
 		{
 			buf2 = MyMalloc(strlen(errors)+strlen(buf)+1);
-			sprintf(buf2, "%s%s",errors,buf);
+			snprintf(buf2, sizeof(buf2), "%s%s",errors,buf);
 			MyFree(errors);
 			errors = NULL;
 		}
 		else 
 		{
 			buf2 = MyMalloc(strlen(buf)+1);
-			sprintf(buf2, "%s",buf);
+			snprintf(buf2, sizeof(buf2), "%s",buf);
 		}
 		errors = buf2;
 	}
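Review bot: `buf2` is declared `unsigned char *buf2;` at the top of this hunk, so `sizeof(buf2)` in both new `snprintf` calls is the size of a pointer. The stored error text is therefore cut to a few bytes even though the allocation just above is large enough. The allocation length should be kept in a variable and passed as the bound. The unchanged `strcat(buf, "\r\n")` can also write past `buf` when the formatted message already fills it, and should become a bounded append. A sketch of the affected lines follows; the function starts and ends outside this hunk.

```c
	ircvsnprintf(buf, sizeof(buf), format, ap);
	if (!IsService)
	{
		size_t len;

		strlcat(buf, "\r\n", sizeof(buf));
		if (errors)
		{
			len = strlen(errors) + strlen(buf) + 1;
			buf2 = MyMalloc(len);
			snprintf(buf2, len, "%s%s", errors, buf);
			/* … unchanged: MyFree(errors); errors = NULL; … */
		}
		else
		{
			len = strlen(buf) + 1;
			buf2 = MyMalloc(len);
			snprintf(buf2, len, "%s", buf);
		}
		/* … unchanged: errors = buf2; … */
```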
