Page MenuHomeFreeBSD
Files F151356199

D45086.id138284.diff
No OneTemporary
Actions

D45086.id138284.diff
View Options

diff --git a/libexec/tftpd/tftpd.c b/libexec/tftpd/tftpd.c
--- a/libexec/tftpd/tftpd.c
+++ b/libexec/tftpd/tftpd.c
@@ -611,12 +611,20 @@
static int
find_next_name(char *filename, int *fd)
{
- int i;
+ /*
+ * GCC "knows" that we might write all of yyyymmdd plus the static
+ * elemenents in the format into into newname and thus complains
+ * unless we reduce the size. This array is still too big, but since
+ * the format is user supplied, it's not clear what a better limit
+ * value would be and this is sufficent to silence the warnings.
+ */
+ static const int suffix_len = strlen("..00");
+ char yyyymmdd[MAXPATHLEN - suffix_len];
+ char newname[MAXPATHLEN];
+ int i, ret;
time_t tval;
- size_t len;
+ size_t len, namelen;
struct tm lt;
- char yyyymmdd[MAXPATHLEN];
- char newname[MAXPATHLEN];
/* Create the YYYYMMDD part of the filename */
time(&tval);
@@ -624,26 +632,33 @@
len = strftime(yyyymmdd, sizeof(yyyymmdd), newfile_format, &lt);
if (len == 0) {
syslog(LOG_WARNING,
- "Filename suffix too long (%d characters maximum)",
- MAXPATHLEN);
+ "Filename suffix too long (%zu characters maximum)",
+ sizeof(yyyymmdd) - 1);
return (EACCESS);
}
/* Make sure the new filename is not too long */
- if (strlen(filename) > MAXPATHLEN - len - 5) {
+ namelen = strlen(filename);
+ if (namelen >= sizeof(newname) - len - suffix_len) {
syslog(LOG_WARNING,
- "Filename too long (%zd characters, %zd maximum)",
- strlen(filename), MAXPATHLEN - len - 5);
+ "Filename too long (%zu characters, %zu maximum)",
+ namelen,
+ sizeof(newname) - len - suffix_len);
return (EACCESS);
}
/* Find the first file which doesn't exist */
for (i = 0; i < 100; i++) {
- sprintf(newname, "%s.%s.%02d", filename, yyyymmdd, i);
- *fd = open(newname,
- O_WRONLY | O_CREAT | O_EXCL,
- S_IRUSR | S_IWUSR | S_IRGRP |
- S_IWGRP | S_IROTH | S_IWOTH);
+ ret = snprintf(newname, sizeof(newname), "%s.%s.%02d",
+ filename, yyyymmdd, i);
+ /*
+ * Size checked above so this can't happen, we'd use a
+ * (void) cast, but gcc intentionally ignores that if
+ * snprintf has __attribute__((warn_unused_result)).
+ */
+ if (ret < 0 || (size_t)ret >= sizeof(newname))
+ __unreachable();
+ *fd = open(newname, O_WRONLY | O_CREAT | O_EXCL, 0666);
if (*fd > 0)
return 0;
}

File Metadata

Mime Type
text/plain
Expires
Wed, Apr 8, 8:47 PM (4 h, 42 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
31066356
Default Alt Text
D45086.id138284.diff (2 KB)

Event Timeline