Skip to content

Commit

Permalink
Simplify bounds checks
Browse files Browse the repository at this point in the history
We can save a lot of work this way.

Also, detect truncation in strlcpy.
  • Loading branch information
AZero13 committed May 15, 2023
1 parent 4310a07 commit 594271c
Show file tree
Hide file tree
Showing 22 changed files with 209 additions and 156 deletions.
30 changes: 17 additions & 13 deletions backend/dnssd.c
Original file line number Diff line number Diff line change
Expand Up @@ -1094,12 +1094,13 @@ query_callback(

if (!_cups_strncasecmp(key, "usb_", 4))
{
size_t device_id_len = strlen(device_id);
/*
* Add USB device ID information...
*/

ptr = device_id + strlen(device_id);
snprintf(ptr, sizeof(device_id) - (size_t)(ptr - device_id), "%s:%s;", key + 4, value);
ptr = device_id + device_id_len;
snprintf(ptr, sizeof(device_id) - device_id_len, "%s:%s;", key + 4, value);
}

if (!_cups_strcasecmp(key, "usb_MFG") || !_cups_strcasecmp(key, "usb_MANU") ||
Expand All @@ -1111,14 +1112,14 @@ query_callback(
{
if (value[0] == '(')
{
/*
* Strip parenthesis...
*/

if ((ptr = value + strlen(value) - 1) > value && *ptr == ')')
*ptr = '\0';

strlcpy(model, value + 1, sizeof(model));
size_t val_len = strlen(value);
/*
* Strip parenthesis...
*/
if (val_len > 1 && value[val_len - 1] == ')')
value[val_len - 1] = '\0';

strlcpy(model, value + 1, sizeof(model));
}
else
strlcpy(model, value, sizeof(model));
Expand Down Expand Up @@ -1198,7 +1199,7 @@ query_callback(
char *valptr = value + strlen(value);
/* Pointer into value */

if (valptr < (value + sizeof(value) - 1))
if (valptr < (value + (sizeof(value) - 1)))
*valptr++ = ',';

ptr += 6;
Expand All @@ -1213,8 +1214,11 @@ query_callback(
*valptr = '\0';
}

ptr = device_id + strlen(device_id);
snprintf(ptr, sizeof(device_id) - (size_t)(ptr - device_id), "CMD:%s;", value + 1);
{
size_t device_len = strlen(device_id);
ptr = device_id + device_len;
snprintf(ptr, sizeof(device_id) - device_len, "CMD:%s;", value + 1);
}
}

if (device_id[0])
Expand Down
15 changes: 8 additions & 7 deletions backend/network.c
Original file line number Diff line number Diff line change
Expand Up @@ -170,6 +170,7 @@ backendNetworkSideCB(
const char *snmp_count; /* CUPS_SNMP_COUNT env var */
int count; /* Repetition count */

datalen = (int)strlen(data);
if ((snmp_count = getenv("CUPS_SNMP_COUNT")) != NULL)
{
if ((count = atoi(snmp_count)) <= 0)
Expand All @@ -178,16 +179,16 @@ backendNetworkSideCB(
else
count = 1;

for (dataptr = data + strlen(data) + 1;
count > 0 && dataptr < (data + sizeof(data) - 1);
for (dataptr = data + datalen + 1;
count > 0 && dataptr < (data + (sizeof(data) - 1));
count --, dataptr += strlen(dataptr))
strlcpy(dataptr, snmp_value, sizeof(data) - (size_t)(dataptr - data));


datalen = (int)(dataptr - data);
fprintf(stderr, "DEBUG: Returning %s %s\n", data,
data + strlen(data) + 1);
data + datalen);

status = CUPS_SC_STATUS_OK;
datalen = (int)(dataptr - data);
break;
}

Expand All @@ -210,7 +211,7 @@ backendNetworkSideCB(
{
if (_cupsSNMPRead(snmp_fd, &packet, 1.0))
{
size_t i; /* Looping var */
unsigned i; /* Looping var */


if (!_cupsSNMPOIDToString(packet.object_name, data, sizeof(data)))
Expand Down Expand Up @@ -240,7 +241,7 @@ backendNetworkSideCB(
if (packet.object_value.string.num_bytes < (sizeof(data) - (size_t)(dataptr - data)))
i = packet.object_value.string.num_bytes;
else
i = sizeof(data) - (size_t)(dataptr - data);
i = (unsigned)sizeof(data) - (size_t)(dataptr - data);

memcpy(dataptr, packet.object_value.string.bytes, i);

Expand Down
12 changes: 6 additions & 6 deletions cgi-bin/ipp-var.c
Original file line number Diff line number Diff line change
Expand Up @@ -97,13 +97,13 @@ cgiGetAttributes(ipp_t *request, /* I - IPP request */
break;
else if (nameptr > name && ch == '?')
break;
else if (nameptr < (name + sizeof(name) - 1))
{
if (ch == '_')
else if (nameptr < (name + (sizeof(name) - 1)))
{
if (ch == '_')
*nameptr++ = '-';
else
*nameptr++ = (char)ch;
}
}

*nameptr = '\0';

Expand Down Expand Up @@ -875,7 +875,7 @@ cgiRewriteURL(const char *uri, /* I - Current URI */
*resptr++ = hexchars[*rawptr & 15];
}
}
else if (resptr < (resource + sizeof(resource) - 1))
else if (resptr < (resource + (sizeof(resource) - 1)))
*resptr++ = *rawptr;

*resptr = '\0';
Expand Down Expand Up @@ -967,7 +967,7 @@ cgiSetIPPObjectVars(
else
nameptr = name;

for (i = 0; attr->name[i] && nameptr < (name + sizeof(name) - 1); i ++)
for (i = 0; attr->name[i] && nameptr < (name + (sizeof(name) - 1)); i++)
if (attr->name[i] == '-')
*nameptr++ = '_';
else
Expand Down
6 changes: 3 additions & 3 deletions cgi-bin/template.c
Original file line number Diff line number Diff line change
Expand Up @@ -249,7 +249,7 @@ cgi_copy(FILE *out, /* I - Output file */
uriencode = 1;
else if (s > name && ch == '?')
break;
else if (s < (name + sizeof(name) - 1))
else if (s < (name + (sizeof(name) - 1)))
*s++ = (char)ch;

*s = '\0';
Expand Down Expand Up @@ -454,8 +454,8 @@ cgi_copy(FILE *out, /* I - Output file */
for (s = compare; (ch = getc(in)) != EOF;)
if (ch == '?')
break;
else if (s >= (compare + sizeof(compare) - 1))
continue;
else if (s >= (compare + (sizeof(compare) - 1)))
continue;
else if (ch == '#')
{
snprintf(s, sizeof(compare) - (size_t)(s - compare), "%d", element + 1);
Expand Down
12 changes: 6 additions & 6 deletions cgi-bin/var.c
Original file line number Diff line number Diff line change
Expand Up @@ -651,7 +651,7 @@ cgi_initialize_cookies(void)
*/

for (ptr = name; *cookie && *cookie != '=';)
if (ptr < (name + sizeof(name) - 1))
if (ptr < (name + (sizeof(name) - 1)))
{
*ptr++ = *cookie++;
}
Expand All @@ -674,7 +674,7 @@ cgi_initialize_cookies(void)
if (*cookie == '\"')
{
for (cookie ++, ptr = value; *cookie && *cookie != '\"';)
if (ptr < (value + sizeof(value) - 1))
if (ptr < (value + (sizeof(value) - 1)))
{
*ptr++ = *cookie++;
}
Expand All @@ -692,7 +692,7 @@ cgi_initialize_cookies(void)
else
{
for (ptr = value; *cookie && *cookie != ';';)
if (ptr < (value + sizeof(value) - 1))
if (ptr < (value + (sizeof(value) - 1)))
{
*ptr++ = *cookie++;
}
Expand Down Expand Up @@ -1103,7 +1103,7 @@ cgi_initialize_string(const char *data) /* I - Form data string */
break;

case '+' : /* Escaped space character */
if (s < (value + sizeof(value) - 1))
if (s < (value + (sizeof(value) - 1)))
*s++ = ' ';
break;

Expand All @@ -1115,7 +1115,7 @@ cgi_initialize_string(const char *data) /* I - Form data string */
if (!isxdigit(data[1] & 255) || !isxdigit(data[2] & 255))
return (0);

if (s < (value + sizeof(value) - 1))
if (s < (value + (sizeof(value) - 1)))
{
data ++;
ch = *data - '0';
Expand All @@ -1134,7 +1134,7 @@ cgi_initialize_string(const char *data) /* I - Form data string */
break;

default : /* Other characters come straight through */
if (*data >= ' ' && s < (value + sizeof(value) - 1))
if (*data >= ' ' && s < (value + (sizeof(value) - 1)))
*s++ = *data;
break;
}
Expand Down
12 changes: 6 additions & 6 deletions cups/debug.c
Original file line number Diff line number Diff line change
Expand Up @@ -407,7 +407,7 @@ _cups_safe_vsnprintf(

while (isdigit(*format & 255))
{
if (tptr < (tformat + sizeof(tformat) - 1))
if (tptr < (tformat + (sizeof(tformat) - 1)))
*tptr++ = *format;

width = width * 10 + *format++ - '0';
Expand All @@ -416,7 +416,7 @@ _cups_safe_vsnprintf(

if (*format == '.')
{
if (tptr < (tformat + sizeof(tformat) - 1))
if (tptr < (tformat + (sizeof(tformat) - 1)))
*tptr++ = *format;

format ++;
Expand All @@ -439,7 +439,7 @@ _cups_safe_vsnprintf(

while (isdigit(*format & 255))
{
if (tptr < (tformat + sizeof(tformat) - 1))
if (tptr < (tformat + (sizeof(tformat) - 1)))
*tptr++ = *format;

prec = prec * 10 + *format++ - '0';
Expand All @@ -461,8 +461,8 @@ _cups_safe_vsnprintf(
}
else if (*format == 'h' || *format == 'l' || *format == 'L')
{
if (tptr < (tformat + sizeof(tformat) - 1))
*tptr++ = *format;
if (tptr < (tformat + (sizeof(tformat) - 1)))
*tptr++ = *format;

size = *format++;
}
Expand All @@ -472,7 +472,7 @@ _cups_safe_vsnprintf(
if (!*format)
break;

if (tptr < (tformat + sizeof(tformat) - 1))
if (tptr < (tformat + (sizeof(tformat) - 1)))
*tptr++ = *format;

type = *format++;
Expand Down
9 changes: 8 additions & 1 deletion cups/dest-options.c
Original file line number Diff line number Diff line change
Expand Up @@ -1933,11 +1933,18 @@ cups_create_defaults(

for (attr = ippFirstAttribute(dinfo->attrs); attr; attr = ippNextAttribute(dinfo->attrs))
{
size_t temp;
if (!ippGetName(attr) || ippGetGroupTag(attr) != IPP_TAG_PRINTER)
continue;

strlcpy(name, ippGetName(attr), sizeof(name));
if ((nameptr = name + strlen(name) - 8) <= name || strcmp(nameptr, "-default"))

temp = strlen(name);
if (temp <= 8)
continue;

nameptr = name + (temp - 8);
if (strcmp(nameptr, "-default"))
continue;

*nameptr = '\0';
Expand Down
17 changes: 13 additions & 4 deletions cups/dest.c
Original file line number Diff line number Diff line change
Expand Up @@ -3080,14 +3080,20 @@ cups_dnssd_query_cb(
{
if (value[0] == '(')
{
size_t value_len = strlen(value);

/*
* Strip parenthesis...
*/

if ((ptr = value + strlen(value) - 1) > value && *ptr == ')')
*ptr = '\0';

strlcpy(model, value + 1, sizeof(model));
if (value_len > 1)
{
if (value[value_len - 1] == ')')
value[value_len - 1] = '\0';
strlcpy(model, value + 1, sizeof(model));
}
else
model[0] = '\0';
}
else
strlcpy(model, value, sizeof(model));
Expand Down Expand Up @@ -4425,6 +4431,9 @@ cups_queue_name(
const char *ptr; /* Pointer into serviceName */
char *nameptr; /* Pointer into name */

if (namesize == 0) {
return;
}

for (nameptr = name, ptr = serviceName; *ptr && nameptr < (name + namesize - 1); ptr ++)
{
Expand Down
5 changes: 2 additions & 3 deletions cups/encode.c
Original file line number Diff line number Diff line change
Expand Up @@ -862,10 +862,9 @@ cupsEncodeOptions2(
const char * /* O - First out-of-order option or NULL */
_ippCheckOptions(void)
{
int i; /* Looping var */
size_t i; /* Looping var */


for (i = 0; i < (int)(sizeof(ipp_options) / sizeof(ipp_options[0]) - 1); i ++)
for (i = 0; i < sizeof(ipp_options) / sizeof(ipp_options[0]) - 1; i++)
if (strcmp(ipp_options[i].name, ipp_options[i + 1].name) >= 0)
return (ipp_options[i + 1].name);

Expand Down
5 changes: 3 additions & 2 deletions cups/http-addr.c
Original file line number Diff line number Diff line change
Expand Up @@ -795,6 +795,7 @@ httpGetHostname(http_t *http, /* I - HTTP connection or NULL */
char *s, /* I - String buffer for name */
int slen) /* I - Size of buffer */
{
size_t temp_len; /* Len of string s (not to be confused with buffer size) */
if (http)
{
if (!s || slen <= 1)
Expand Down Expand Up @@ -872,8 +873,8 @@ httpGetHostname(http_t *http, /* I - HTTP connection or NULL */
/*
* Make sure .local hostnames end with a period...
*/

if (strlen(s) > 6 && !strcmp(s + strlen(s) - 6, ".local"))
temp_len = strlen(s);
if (temp_len > 6 && !strcmp(s + temp_len - 6, ".local"))
strlcat(s, ".", (size_t)slen);
}

Expand Down
Loading

0 comments on commit 594271c

Please sign in to comment.