--- a/usr/src/cmd/cmd-inet/usr.bin/rdist/server.c Wed Feb 03 00:22:16 2010 -0800
+++ b/usr/src/cmd/cmd-inet/usr.bin/rdist/server.c Wed Feb 03 10:04:17 2010 -0800
@@ -1,5 +1,5 @@
/*
- * Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -16,7 +16,6 @@
* University may not be used to endorse or promote products derived
* from this software without specific prior written permission.
*/
-#pragma ident "%Z%%M% %I% %E% SMI"
#include "defs.h"
#include <signal.h>
@@ -185,10 +184,10 @@
}
if (bp == NULL)
except = bp = expand(makeblock(NAME, cp),
- E_VARS);
+ E_VARS);
else
bp->b_next = expand(makeblock(NAME, cp),
- E_VARS);
+ E_VARS);
while (bp->b_next != NULL)
bp = bp->b_next;
ack();
@@ -577,12 +576,18 @@
lp->inum = stp->st_ino;
lp->devnum = stp->st_dev;
lp->count = stp->st_nlink - 1;
- strcpy(lp->pathname,
- opts & WHOLE ?
- target : strsub(source, destination, target));
- if (Tdest)
- strcpy(lp->target, Tdest);
- else
+
+ if (strlcpy(lp->pathname,
+ opts & WHOLE ? target : strsub(source, destination, target),
+ sizeof (lp->pathname)) >= sizeof (lp->pathname)) {
+ error("%s: target name too long\n", target);
+ }
+
+ if (Tdest) {
+ if (strlcpy(lp->target, Tdest,
+ sizeof (lp->target)) >= sizeof (lp->target))
+ error("%s: target name too long\n", Tdest);
+ } else
*lp->target = 0;
}
return (NULL);
@@ -892,7 +897,13 @@
(void) sprintf(new, "/%s", tmpname);
else {
*cp = '\0';
- (void) sprintf(new, "%s/%s", target, tmpname);
+
+ /*
+ * sizeof (target) = RDIST_BUFSIZ and sizeof (tmpname) = 11
+ * RDIST_BUFSIZ = 50*1024 is much greater than PATH_MAX that is
+ * allowed by the kernel, so it's safe to call snprintf() here
+ */
+ (void) snprintf(new, sizeof (new), "%s/%s", target, tmpname);
*cp = '/';
}