Lines 135-141
Link Here
|
135 |
#ifdef KERBEROS |
135 |
#ifdef KERBEROS |
136 |
case 'k': |
136 |
case 'k': |
137 |
dest_realm = dst_realm_buf; |
137 |
dest_realm = dst_realm_buf; |
138 |
(void)strncpy(dst_realm_buf, optarg, REALM_SZ); |
138 |
memset(dst_realm_buf, 0, REALM_SZ); |
|
|
139 |
(void)strncpy(dst_realm_buf, optarg, REALM_SZ-1); |
139 |
break; |
140 |
break; |
140 |
#ifdef CRYPT |
141 |
#ifdef CRYPT |
141 |
case 'x': |
142 |
case 'x': |
Lines 197-209
Link Here
|
197 |
|
198 |
|
198 |
if (fflag) { /* Follow "protocol", send data. */ |
199 |
if (fflag) { /* Follow "protocol", send data. */ |
199 |
(void)response(); |
200 |
(void)response(); |
200 |
(void)setuid(userid); |
201 |
if(setuid(userid) != 0) |
|
|
202 |
errx(1, "can't change to uid %d", (int)userid); |
201 |
source(argc, argv); |
203 |
source(argc, argv); |
202 |
exit(errs); |
204 |
exit(errs); |
203 |
} |
205 |
} |
204 |
|
206 |
|
205 |
if (tflag) { /* Receive data. */ |
207 |
if (tflag) { /* Receive data. */ |
206 |
(void)setuid(userid); |
208 |
if(setuid(userid) != 0) |
|
|
209 |
errx(1, "can't change to uid %d", (int)userid); |
207 |
sink(argc, argv); |
210 |
sink(argc, argv); |
208 |
exit(errs); |
211 |
exit(errs); |
209 |
} |
212 |
} |
Lines 637-642
Link Here
|
637 |
|
640 |
|
638 |
for (size = 0; isdigit(*cp);) |
641 |
for (size = 0; isdigit(*cp);) |
639 |
size = size * 10 + (*cp++ - '0'); |
642 |
size = size * 10 + (*cp++ - '0'); |
|
|
643 |
if(size < 0) // integer overflow, more can happen in the loop but lets avoid testing for the sake of performance |
644 |
SCREWUP("size becomes too big and swapped"); |
645 |
|
640 |
if (*cp++ != ' ') |
646 |
if (*cp++ != ' ') |
641 |
SCREWUP("size not delimited"); |
647 |
SCREWUP("size not delimited"); |
642 |
if (targisdir) { |
648 |
if (targisdir) { |
Lines 644-655
Link Here
|
644 |
static int cursize; |
650 |
static int cursize; |
645 |
size_t need; |
651 |
size_t need; |
646 |
|
652 |
|
647 |
need = strlen(targ) + strlen(cp) + 250; |
653 |
need = strlen(targ) + strlen(cp) + 250; // b/c this might overflow (very unlikely) we use sNprintf() later |
648 |
if (need > cursize) { |
654 |
if (need > cursize) { |
649 |
if (!(namebuf = malloc(need))) |
655 |
if (!(namebuf = malloc(need))) // will not set a limit here |
650 |
run_err("%s", strerror(errno)); |
656 |
run_err("%s", strerror(errno)); |
651 |
} |
657 |
} |
652 |
(void)sprintf(namebuf, "%s%s%s", targ, |
658 |
(void)snprintf(namebuf, need, "%s%s%s", targ, |
653 |
*targ ? "/" : "", cp); |
659 |
*targ ? "/" : "", cp); |
654 |
np = namebuf; |
660 |
np = namebuf; |
655 |
} else |
661 |
} else |
Lines 818-823
Link Here
|
818 |
{ |
824 |
{ |
819 |
char ch, *cp, resp, rbuf[BUFSIZ]; |
825 |
char ch, *cp, resp, rbuf[BUFSIZ]; |
820 |
|
826 |
|
|
|
827 |
memset(rbuf, 0, BUFSIZ); |
828 |
|
821 |
if (read(rem, &resp, sizeof(resp)) != sizeof(resp)) |
829 |
if (read(rem, &resp, sizeof(resp)) != sizeof(resp)) |
822 |
lostconn(0); |
830 |
lostconn(0); |
823 |
|
831 |
|
Lines 834-840
Link Here
|
834 |
if (read(rem, &ch, sizeof(ch)) != sizeof(ch)) |
842 |
if (read(rem, &ch, sizeof(ch)) != sizeof(ch)) |
835 |
lostconn(0); |
843 |
lostconn(0); |
836 |
*cp++ = ch; |
844 |
*cp++ = ch; |
837 |
} while (cp < &rbuf[BUFSIZ] && ch != '\n'); |
845 |
} while (cp < &rbuf[BUFSIZ-1] && ch != '\n'); |
838 |
|
846 |
|
839 |
if (!iamremote) |
847 |
if (!iamremote) |
840 |
(void)write(STDERR_FILENO, rbuf, cp - rbuf); |
848 |
(void)write(STDERR_FILENO, rbuf, cp - rbuf); |