Use BUF_strlcpy() instead of strcpy().
authorRichard Levitte <levitte@openssl.org>
Sat, 27 Dec 2003 14:40:17 +0000 (14:40 +0000)
committerRichard Levitte <levitte@openssl.org>
Sat, 27 Dec 2003 14:40:17 +0000 (14:40 +0000)
Use BUF_strlcat() instead of strcat().
Use BIO_snprintf() instead of sprintf().
In some cases, keep better track of buffer lengths.
This is part of a large change submitted by Markus Friedl <markus@openbsd.org>

43 files changed:
apps/apps.c
apps/ca.c
apps/dgst.c
apps/enc.c
apps/engine.c
apps/pkcs12.c
apps/req.c
apps/s_socket.c
apps/s_time.c
apps/x509.c
crypto/asn1/a_gentm.c
crypto/asn1/a_mbstr.c
crypto/asn1/a_time.c
crypto/asn1/a_utctm.c
crypto/asn1/asn1_lib.c
crypto/asn1/asn1_par.c
crypto/asn1/t_pkey.c
crypto/asn1/x_long.c
crypto/bio/b_dump.c
crypto/bio/b_sock.c
crypto/bio/bio_cb.c
crypto/bio/bss_conn.c
crypto/bio/bss_file.c
crypto/bn/bn_lib.c
crypto/bn/bn_print.c
crypto/conf/conf_def.c
crypto/conf/conf_mod.c
crypto/cversion.c
crypto/des/ecb_enc.c
crypto/dso/dso_lib.c
crypto/engine/eng_ctrl.c
crypto/err/err.c
crypto/evp/evp_pbe.c
crypto/evp/evp_pkey.c
crypto/mem_dbg.c
crypto/objects/obj_dat.c
crypto/pem/pem_lib.c
crypto/rand/rand_egd.c
crypto/ui/ui_lib.c
crypto/x509/by_dir.c
crypto/x509/x509_txt.c
crypto/x509v3/v3_alt.c
crypto/x509v3/v3_info.c

index 6e72f11..47b59b4 100644 (file)
@@ -1396,14 +1396,16 @@ int load_config(BIO *err, CONF *cnf)
 char *make_config_name()
        {
        const char *t=X509_get_default_cert_area();
+       size_t len;
        char *p;
 
-       p=OPENSSL_malloc(strlen(t)+strlen(OPENSSL_CONF)+2);
-       strcpy(p,t);
+       len=strlen(t)+strlen(OPENSSL_CONF)+2;
+       p=OPENSSL_malloc(len);
+       BUF_strlcpy(p,t,len);
 #ifndef OPENSSL_SYS_VMS
-       strcat(p,"/");
+       BUF_strlcat(p,"/",len);
 #endif
-       strcat(p,OPENSSL_CONF);
+       BUF_strlcat(p,OPENSSL_CONF,len);
 
        return p;
        }
index 0b33811..afcbfcd 100644 (file)
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -557,16 +557,19 @@ bad:
        if (configfile == NULL)
                {
                const char *s=X509_get_default_cert_area();
+               size_t len;
 
 #ifdef OPENSSL_SYS_VMS
-               tofree=OPENSSL_malloc(strlen(s)+sizeof(CONFIG_FILE));
+               len = strlen(s)+sizeof(CONFIG_FILE);
+               tofree=OPENSSL_malloc(len);
                strcpy(tofree,s);
 #else
-               tofree=OPENSSL_malloc(strlen(s)+sizeof(CONFIG_FILE)+1);
-               strcpy(tofree,s);
-               strcat(tofree,"/");
+               len = strlen(s)+sizeof(CONFIG_FILE)+1;
+               tofree=OPENSSL_malloc(len);
+               BUF_strlcpy(tofree,s,len);
+               BUF_strlcat(tofree,"/",len);
 #endif
-               strcat(tofree,CONFIG_FILE);
+               BUF_strlcat(tofree,CONFIG_FILE,len);
                configfile=tofree;
                }
 
@@ -1236,7 +1239,7 @@ bad:
                for (i=0; i<sk_X509_num(cert_sk); i++)
                        {
                        int k;
-                       unsigned char *n;
+                       char *n;
 
                        x=sk_X509_value(cert_sk,i);
 
@@ -1252,15 +1255,19 @@ bad:
                        strcpy(buf[2],outdir);
 
 #ifndef OPENSSL_SYS_VMS
-                       strcat(buf[2],"/");
+                       BUF_strlcat(buf[2],"/",sizeof(buf[2]));
 #endif
 
-                       n=(unsigned char *)&(buf[2][strlen(buf[2])]);
+                       n=(char *)&(buf[2][strlen(buf[2])]);
                        if (j > 0)
                                {
                                for (k=0; k<j; k++)
                                        {
-                                       sprintf((char *)n,"%02X",(unsigned char)*(p++));
+                                       if (n >= &(buf[2][sizeof(buf[2])]))
+                                               break;
+                                       BIO_snprintf(n,
+                                                    &buf[2][0] + sizeof(buf[2]) - n,
+                                                    "%02X",(unsigned char)*(p++));
                                        n+=2;
                                        }
                                }
@@ -2127,7 +2134,7 @@ again2:
                BIO_printf(bio_err,"Memory allocation failure\n");
                goto err;
                }
-       strcpy(row[DB_file],"unknown");
+       BUF_strlcpy(row[DB_file],"unknown",8);
        row[DB_type][0]='V';
        row[DB_type][1]='\0';
 
@@ -2428,7 +2435,7 @@ static int do_revoke(X509 *x509, CA_DB *db, int type, char *value)
                        BIO_printf(bio_err,"Memory allocation failure\n");
                        goto err;
                        }
-               strcpy(row[DB_file],"unknown");
+               BUF_strlcpy(row[DB_file],"unknown",8);
                row[DB_type][0]='V';
                row[DB_type][1]='\0';
 
@@ -2752,16 +2759,16 @@ char *make_revocation_str(int rev_type, char *rev_arg)
 
        if (!str) return NULL;
 
-       strcpy(str, (char *)revtm->data);
+       BUF_strlcpy(str, (char *)revtm->data, i);
        if (reason)
                {
-               strcat(str, ",");
-               strcat(str, reason);
+               BUF_strlcat(str, ",", i);
+               BUF_strlcat(str, reason, i);
                }
        if (other)
                {
-               strcat(str, ",");
-               strcat(str, other);
+               BUF_strlcat(str, ",", i);
+               BUF_strlcat(str, other, i);
                }
        ASN1_UTCTIME_free(revtm);
        return str;
index 47d1309..be25daf 100644 (file)
@@ -347,8 +347,9 @@ int MAIN(int argc, char **argv)
                                }
                        if(!out_bin)
                                {
-                               tmp=tofree=OPENSSL_malloc(strlen(name)+strlen(argv[i])+5);
-                               sprintf(tmp,"%s(%s)= ",name,argv[i]);
+                               size_t len = strlen(name)+strlen(argv[i])+5;
+                               tmp=tofree=OPENSSL_malloc(len);
+                               BIO_snprintf(tmp,len,"%s(%s)= ",name,argv[i]);
                                }
                        else
                                tmp="";
index ae18452..69f4beb 100644 (file)
@@ -373,9 +373,9 @@ bad:
                        {
                        char buf[200];
 
-                       sprintf(buf,"enter %s %s password:",
-                               OBJ_nid2ln(EVP_CIPHER_nid(cipher)),
-                               (enc)?"encryption":"decryption");
+                       BIO_snprintf(buf,sizeof buf,"enter %s %s password:",
+                                    OBJ_nid2ln(EVP_CIPHER_nid(cipher)),
+                                    (enc)?"encryption":"decryption");
                        strbuf[0]='\0';
                        i=EVP_read_pw_string((char *)strbuf,SIZE,buf,enc);
                        if (i == 0)
index feee965..b951254 100644 (file)
@@ -123,8 +123,8 @@ static int append_buf(char **buf, const char *s, int *size, int step)
                return 0;
 
        if (**buf != '\0')
-               strcat(*buf, ", ");
-       strcat(*buf, s);
+               BUF_strlcat(*buf, ", ", *size);
+       BUF_strlcat(*buf, s, *size);
 
        return 1;
        }
index 385011b..cbd9336 100644 (file)
@@ -551,7 +551,7 @@ int MAIN(int argc, char **argv)
                BIO_printf (bio_err, "Can't read Password\n");
                goto export_end;
                }
-       if (!twopass) strcpy(macpass, pass);
+       if (!twopass) BUF_strlcpy(macpass, pass, sizeof macpass);
 
 #ifdef CRYPTO_MDEBUG
        CRYPTO_pop_info();
@@ -613,7 +613,7 @@ int MAIN(int argc, char **argv)
     CRYPTO_pop_info();
 #endif
 
-    if (!twopass) strcpy(macpass, pass);
+    if (!twopass) BUF_strlcpy(macpass, pass, sizeof macpass);
 
     if (options & INFO) BIO_printf (bio_err, "MAC Iteration %ld\n", p12->mac->iter ? ASN1_INTEGER_get (p12->mac->iter) : 1);
     if(macver) {
index c5becc9..c4594c4 100644 (file)
@@ -1321,34 +1321,34 @@ start:          for (;;)
                                mval = 0;
                        /* If OBJ not recognised ignore it */
                        if ((nid=OBJ_txt2nid(type)) == NID_undef) goto start;
-
-                       if(strlen(v->name) > sizeof buf-9)
+                       if (BIO_snprintf(buf,sizeof buf,"%s_default",v->name)
+                               >= sizeof buf)
                           {
                           BIO_printf(bio_err,"Name '%s' too long\n",v->name);
                           return 0;
                           }
 
-                       sprintf(buf,"%s_default",v->name);
                        if ((def=NCONF_get_string(req_conf,dn_sect,buf)) == NULL)
                                {
                                ERR_clear_error();
                                def="";
                                }
-                       sprintf(buf,"%s_value",v->name);
+                               
+                       BIO_snprintf(buf,sizeof buf,"%s_value",v->name);
                        if ((value=NCONF_get_string(req_conf,dn_sect,buf)) == NULL)
                                {
                                ERR_clear_error();
                                value=NULL;
                                }
 
-                       sprintf(buf,"%s_min",v->name);
+                       BIO_snprintf(buf,sizeof buf,"%s_min",v->name);
                        if (!NCONF_get_number(req_conf,dn_sect,buf, &n_min))
                                {
                                ERR_clear_error();
                                n_min = -1;
                                }
 
-                       sprintf(buf,"%s_max",v->name);
+                       BIO_snprintf(buf,sizeof buf,"%s_max",v->name);
                        if (!NCONF_get_number(req_conf,dn_sect,buf, &n_max))
                                {
                                ERR_clear_error();
@@ -1386,13 +1386,13 @@ start2:                 for (;;)
                                if ((nid=OBJ_txt2nid(type)) == NID_undef)
                                        goto start2;
 
-                               if(strlen(v->name) > sizeof buf-9)
+                               if (BIO_snprintf(buf,sizeof buf,"%s_default",type)
+                                       >= sizeof buf)
                                   {
                                   BIO_printf(bio_err,"Name '%s' too long\n",v->name);
                                   return 0;
                                   }
 
-                               sprintf(buf,"%s_default",type);
                                if ((def=NCONF_get_string(req_conf,attr_sect,buf))
                                        == NULL)
                                        {
@@ -1401,7 +1401,7 @@ start2:                   for (;;)
                                        }
                                
                                
-                               sprintf(buf,"%s_value",type);
+                               BIO_snprintf(buf,sizeof buf,"%s_value",type);
                                if ((value=NCONF_get_string(req_conf,attr_sect,buf))
                                        == NULL)
                                        {
@@ -1409,11 +1409,11 @@ start2:                 for (;;)
                                        value=NULL;
                                        }
 
-                               sprintf(buf,"%s_min",type);
+                               BIO_snprintf(buf,sizeof buf,"%s_min",type);
                                if (!NCONF_get_number(req_conf,attr_sect,buf, &n_min))
                                        n_min = -1;
 
-                               sprintf(buf,"%s_max",type);
+                               BIO_snprintf(buf,sizeof buf,"%s_max",type);
                                if (!NCONF_get_number(req_conf,attr_sect,buf, &n_max))
                                        n_max = -1;
 
@@ -1507,9 +1507,8 @@ start:
        (void)BIO_flush(bio_err);
        if(value != NULL)
                {
-               OPENSSL_assert(strlen(value) < sizeof buf-2);
-               strcpy(buf,value);
-               strcat(buf,"\n");
+               BUF_strlcpy(buf,value,sizeof buf);
+               BUF_strlcat(buf,"\n",sizeof buf);
                BIO_printf(bio_err,"%s\n",value);
                }
        else
@@ -1531,8 +1530,8 @@ start:
                {
                if ((def == NULL) || (def[0] == '\0'))
                        return(1);
-               strcpy(buf,def);
-               strcat(buf,"\n");
+               BUF_strlcpy(buf,def,sizeof buf);
+               BUF_strlcat(buf,"\n",sizeof buf);
                }
        else if ((buf[0] == '.') && (buf[1] == '\n')) return(1);
 
@@ -1566,9 +1565,8 @@ start:
        (void)BIO_flush(bio_err);
        if (value != NULL)
                {
-               OPENSSL_assert(strlen(value) < sizeof buf-2);
-               strcpy(buf,value);
-               strcat(buf,"\n");
+               BUF_strlcpy(buf,value,sizeof buf);
+               BUF_strlcat(buf,"\n",sizeof buf);
                BIO_printf(bio_err,"%s\n",value);
                }
        else
@@ -1590,8 +1588,8 @@ start:
                {
                if ((def == NULL) || (def[0] == '\0'))
                        return(1);
-               strcpy(buf,def);
-               strcat(buf,"\n");
+               BUF_strlcpy(buf,def,sizeof buf);
+               BUF_strlcat(buf,"\n",sizeof buf);
                }
        else if ((buf[0] == '.') && (buf[1] == '\n')) return(1);
 
index ff8c282..28c6b1e 100644 (file)
@@ -429,7 +429,7 @@ redoit:
                        perror("OPENSSL_malloc");
                        return(0);
                        }
-               strcpy(*host,h1->h_name);
+               BUF_strlcpy(*host,h1->h_name,strlen(h1->h_name)+1);
 
                h2=GetHostByName(*host);
                if (h2 == NULL)
index 1134020..904945e 100644 (file)
@@ -516,7 +516,7 @@ int MAIN(int argc, char **argv)
 
                if (s_www_path != NULL)
                        {
-                       sprintf(buf,"GET %s HTTP/1.0\r\n\r\n",s_www_path);
+                       BIO_snprintf(buf,sizeof buf,"GET %s HTTP/1.0\r\n\r\n",s_www_path);
                        SSL_write(scon,buf,strlen(buf));
                        while ((i=SSL_read(scon,buf,sizeof(buf))) > 0)
                                bytes_read+=i;
@@ -571,7 +571,7 @@ next:
 
        if (s_www_path != NULL)
                {
-               sprintf(buf,"GET %s HTTP/1.0\r\n\r\n",s_www_path);
+               BIO_snprintf(buf,sizeof buf,"GET %s HTTP/1.0\r\n\r\n",s_www_path);
                SSL_write(scon,buf,strlen(buf));
                while (SSL_read(scon,buf,sizeof(buf)) > 0)
                        ;
@@ -609,7 +609,7 @@ next:
 
                if (s_www_path)
                        {
-                       sprintf(buf,"GET %s HTTP/1.0\r\n\r\n",s_www_path);
+                       BIO_snprintf(buf,sizeof buf,"GET %s HTTP/1.0\r\n\r\n",s_www_path);
                        SSL_write(scon,buf,strlen(buf));
                        while ((i=SSL_read(scon,buf,sizeof(buf))) > 0)
                                bytes_read+=i;
index 036e255..d30fbbe 100644 (file)
@@ -1048,24 +1048,26 @@ static ASN1_INTEGER *x509_load_serial(char *CAfile, char *serialfile, int create
        char *buf = NULL, *p;
        ASN1_INTEGER *bs = NULL;
        BIGNUM *serial = NULL;
+       size_t len;
 
-       buf=OPENSSL_malloc( ((serialfile == NULL)
-                       ?(strlen(CAfile)+strlen(POSTFIX)+1)
-                       :(strlen(serialfile)))+1);
+       len = ((serialfile == NULL)
+               ?(strlen(CAfile)+strlen(POSTFIX)+1)
+               :(strlen(serialfile)))+1;
+       buf=OPENSSL_malloc(len);
        if (buf == NULL) { BIO_printf(bio_err,"out of mem\n"); goto end; }
        if (serialfile == NULL)
                {
-               strcpy(buf,CAfile);
+               BUF_strlcpy(buf,CAfile,len);
                for (p=buf; *p; p++)
                        if (*p == '.')
                                {
                                *p='\0';
                                break;
                                }
-               strcat(buf,POSTFIX);
+               BUF_strlcat(buf,POSTFIX,len);
                }
        else
-               strcpy(buf,serialfile);
+               BUF_strlcpy(buf,serialfile,len);
 
        serial = load_serial(buf, create, NULL);
        if (serial == NULL) goto end;
index cd09f68..1aba86d 100644 (file)
@@ -208,6 +208,7 @@ ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_set(ASN1_GENERALIZEDTIME *s,
        char *p;
        struct tm *ts;
        struct tm data;
+       size_t len = 20; 
 
        if (s == NULL)
                s=M_ASN1_GENERALIZEDTIME_new();
@@ -219,17 +220,17 @@ ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_set(ASN1_GENERALIZEDTIME *s,
                return(NULL);
 
        p=(char *)s->data;
-       if ((p == NULL) || (s->length < 16))
+       if ((p == NULL) || (s->length < len))
                {
-               p=OPENSSL_malloc(20);
+               p=OPENSSL_malloc(len);
                if (p == NULL) return(NULL);
                if (s->data != NULL)
                        OPENSSL_free(s->data);
                s->data=(unsigned char *)p;
                }
 
-       sprintf(p,"%04d%02d%02d%02d%02d%02dZ",ts->tm_year + 1900,
-               ts->tm_mon+1,ts->tm_mday,ts->tm_hour,ts->tm_min,ts->tm_sec);
+       BIO_snprintf(p,len,"%04d%02d%02d%02d%02d%02dZ",ts->tm_year + 1900,
+                    ts->tm_mon+1,ts->tm_mday,ts->tm_hour,ts->tm_min,ts->tm_sec);
        s->length=strlen(p);
        s->type=V_ASN1_GENERALIZEDTIME;
 #ifdef CHARSET_EBCDIC_not
index e8a26af..208b3ec 100644 (file)
@@ -145,14 +145,14 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
 
        if((minsize > 0) && (nchar < minsize)) {
                ASN1err(ASN1_F_ASN1_MBSTRING_COPY, ASN1_R_STRING_TOO_SHORT);
-               sprintf(strbuf, "%ld", minsize);
+               BIO_snprintf(strbuf, sizeof strbuf, "%ld", minsize);
                ERR_add_error_data(2, "minsize=", strbuf);
                return -1;
        }
 
        if((maxsize > 0) && (nchar > maxsize)) {
                ASN1err(ASN1_F_ASN1_MBSTRING_COPY, ASN1_R_STRING_TOO_LONG);
-               sprintf(strbuf, "%ld", maxsize);
+               BIO_snprintf(strbuf, sizeof strbuf, "%ld", maxsize);
                ERR_add_error_data(2, "maxsize=", strbuf);
                return -1;
        }
index 7348da9..159681f 100644 (file)
@@ -128,6 +128,7 @@ ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t, ASN1_GENERALIZE
        {
        ASN1_GENERALIZEDTIME *ret;
        char *str;
+       int newlen;
 
        if (!ASN1_TIME_check(t)) return NULL;
 
@@ -150,12 +151,14 @@ ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t, ASN1_GENERALIZE
        /* grow the string */
        if (!ASN1_STRING_set(ret, NULL, t->length + 2))
                return NULL;
+       /* ASN1_STRING_set() allocated 'len + 1' bytes. */
+       newlen = t->length + 2 + 1;
        str = (char *)ret->data;
        /* Work out the century and prepend */
-       if (t->data[0] >= '5') strcpy(str, "19");
-       else strcpy(str, "20");
+       if (t->data[0] >= '5') BUF_strlcpy(str, "19", newlen);
+       else BUF_strlcpy(str, "20", newlen);
 
-       BUF_strlcat(str, (char *)t->data, t->length+3); /* Include space for a '\0' */
+       BUF_strlcat(str, (char *)t->data, newlen);
 
        return ret;
        }
index dbb4a42..6bc609a 100644 (file)
@@ -188,6 +188,7 @@ ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s, time_t t)
        char *p;
        struct tm *ts;
        struct tm data;
+       size_t len = 20;
 
        if (s == NULL)
                s=M_ASN1_UTCTIME_new();
@@ -199,17 +200,17 @@ ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s, time_t t)
                return(NULL);
 
        p=(char *)s->data;
-       if ((p == NULL) || (s->length < 14))
+       if ((p == NULL) || (s->length < len))
                {
-               p=OPENSSL_malloc(20);
+               p=OPENSSL_malloc(len);
                if (p == NULL) return(NULL);
                if (s->data != NULL)
                        OPENSSL_free(s->data);
                s->data=(unsigned char *)p;
                }
 
-       sprintf(p,"%02d%02d%02d%02d%02d%02dZ",ts->tm_year%100,
-               ts->tm_mon+1,ts->tm_mday,ts->tm_hour,ts->tm_min,ts->tm_sec);
+       BIO_snprintf(p,len,"%02d%02d%02d%02d%02d%02dZ",ts->tm_year%100,
+                    ts->tm_mon+1,ts->tm_mday,ts->tm_hour,ts->tm_min,ts->tm_sec);
        s->length=strlen(p);
        s->type=V_ASN1_UTCTIME;
 #ifdef CHARSET_EBCDIC_not
index 1905b09..b720bcc 100644 (file)
@@ -423,8 +423,8 @@ void asn1_add_error(unsigned char *address, int offset)
        {
        char buf1[DECIMAL_SIZE(address)+1],buf2[DECIMAL_SIZE(offset)+1];
 
-       sprintf(buf1,"%lu",(unsigned long)address);
-       sprintf(buf2,"%d",offset);
+       BIO_snprintf(buf1,sizeof buf1,"%lu",(unsigned long)address);
+       BIO_snprintf(buf2,sizeof buf2,"%d",offset);
        ERR_add_error_data(4,"address=",buf1," offset=",buf2);
        }
 
index d64edbd..bd8de1e 100644 (file)
@@ -83,11 +83,11 @@ static int asn1_print_info(BIO *bp, int tag, int xclass, int constructed,
 
        p=str;
        if ((xclass & V_ASN1_PRIVATE) == V_ASN1_PRIVATE)
-               sprintf(str,"priv [ %d ] ",tag);
+               BIO_snprintf(str,sizeof str,"priv [ %d ] ",tag);
        else if ((xclass & V_ASN1_CONTEXT_SPECIFIC) == V_ASN1_CONTEXT_SPECIFIC)
-               sprintf(str,"cont [ %d ]",tag);
+               BIO_snprintf(str,sizeof str,"cont [ %d ]",tag);
        else if ((xclass & V_ASN1_APPLICATION) == V_ASN1_APPLICATION)
-               sprintf(str,"appl [ %d ]",tag);
+               BIO_snprintf(str,sizeof str,"appl [ %d ]",tag);
        else p = ASN1_tag2str(tag);
 
        if (p2 != NULL)
index 06e85f3..86bd2e0 100644 (file)
@@ -150,9 +150,9 @@ int RSA_print(BIO *bp, const RSA *x, int off)
                }
 
        if (x->d == NULL)
-               sprintf(str,"Modulus (%d bit):",BN_num_bits(x->n));
+               BIO_snprintf(str,sizeof str,"Modulus (%d bit):",BN_num_bits(x->n));
        else
-               strcpy(str,"modulus:");
+               BUF_strlcpy(str,"modulus:",sizeof str);
        if (!print(bp,str,x->n,m,off)) goto err;
        s=(x->d == NULL)?"Exponent:":"publicExponent:";
        if (!print(bp,s,x->e,m,off)) goto err;
index 954d183..4b5953c 100644 (file)
@@ -104,7 +104,12 @@ static int long_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype, const A
        long ltmp;
        unsigned long utmp;
        int clen, pad, i;
-       ltmp = *(long *)pval;
+       /* this exists to bypass broken gcc optimization */
+       char *cp = (char *)pval;
+
+       /* use memcpy, because we may not be long aligned */
+       memcpy(&ltmp, cp, sizeof(long));
+
        if(ltmp == it->size) return -1;
        /* Convert the long to positive: we subtract one if negative so
         * we can cleanly handle the padding if only the MSB of the leading
@@ -136,6 +141,7 @@ static int long_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype,
        int neg, i;
        long ltmp;
        unsigned long utmp = 0;
+       char *cp = (char *)pval;
        if(len > (int)sizeof(long)) {
                ASN1err(ASN1_F_LONG_C2I, ASN1_R_INTEGER_TOO_LARGE_FOR_LONG);
                return 0;
@@ -158,6 +164,6 @@ static int long_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype,
                ASN1err(ASN1_F_LONG_C2I, ASN1_R_INTEGER_TOO_LARGE_FOR_LONG);
                return 0;
        }
-       *(long *)pval = ltmp;
+       memcpy(cp, &ltmp, sizeof(long));
        return 1;
 }
index 0f61768..76fee2d 100644 (file)
@@ -104,38 +104,41 @@ int BIO_dump_indent(BIO *bio, const char *s, int len, int indent)
        for(i=0;i<rows;i++)
                {
                buf[0]='\0';    /* start with empty string */
-               strcpy(buf,str);
-               sprintf(tmp,"%04x - ",i*dump_width);
-               strcat(buf,tmp);
+               BUF_strlcpy(buf,str,sizeof buf);
+               BIO_snprintf(tmp,sizeof tmp,"%04x - ",i*dump_width);
+               BUF_strlcat(buf,tmp,sizeof buf);
                for(j=0;j<dump_width;j++)
                        {
                        if (((i*dump_width)+j)>=len)
                                {
-                               strcat(buf,"   ");
+                               BUF_strlcat(buf,"   ",sizeof buf);
                                }
                        else
                                {
                                ch=((unsigned char)*(s+i*dump_width+j)) & 0xff;
-                               sprintf(tmp,"%02x%c",ch,j==7?'-':' ');
-                               strcat(buf,tmp);
+                               BIO_snprintf(tmp,sizeof tmp,"%02x%c",ch,
+                                        j==7?'-':' ');
+                               BUF_strlcat(buf,tmp,sizeof buf);
                                }
                        }
-               strcat(buf,"  ");
+               BUF_strlcat(buf,"  ",sizeof buf);
                for(j=0;j<dump_width;j++)
                        {
                        if (((i*dump_width)+j)>=len)
                                break;
                        ch=((unsigned char)*(s+i*dump_width+j)) & 0xff;
 #ifndef CHARSET_EBCDIC
-                       sprintf(tmp,"%c",((ch>=' ')&&(ch<='~'))?ch:'.');
+                       BIO_snprintf(tmp,sizeof tmp,"%c",
+                                ((ch>=' ')&&(ch<='~'))?ch:'.');
 #else
-                       sprintf(tmp,"%c",((ch>=os_toascii[' '])&&(ch<=os_toascii['~']))
-                               ? os_toebcdic[ch]
-                               : '.');
+                       BIO_snprintf(tmp,sizeof tmp,"%c",
+                                ((ch>=os_toascii[' '])&&(ch<=os_toascii['~']))
+                                ? os_toebcdic[ch]
+                                : '.');
 #endif
-                       strcat(buf,tmp);
+                       BUF_strlcat(buf,tmp,sizeof buf);
                        }
-               strcat(buf,"\n");
+               BUF_strlcat(buf,"\n",sizeof buf);
                /* if this is the last call then update the ddt_dump thing so that
                 * we will move the selection point in the debug window 
                 */
@@ -144,7 +147,8 @@ int BIO_dump_indent(BIO *bio, const char *s, int len, int indent)
 #ifdef TRUNCATE
        if (trc > 0)
                {
-               sprintf(buf,"%s%04x - <SPACES/NULS>\n",str,len+trc);
+               BIO_snprintf(buf,sizeof buf,"%s%04x - <SPACES/NULS>\n",str,
+                            len+trc);
                ret+=BIO_write(bio,(char *)buf,strlen(buf));
                }
 #endif
index d619bcf..268517f 100644 (file)
@@ -740,12 +740,12 @@ int BIO_accept(int sock, char **addr)
                        }
                *addr=p;
                }
-       sprintf(*addr,"%d.%d.%d.%d:%d",
-               (unsigned char)(l>>24L)&0xff,
-               (unsigned char)(l>>16L)&0xff,
-               (unsigned char)(l>> 8L)&0xff,
-               (unsigned char)(l     )&0xff,
-               port);
+       BIO_snprintf(*addr,24,"%d.%d.%d.%d:%d",
+                    (unsigned char)(l>>24L)&0xff,
+                    (unsigned char)(l>>16L)&0xff,
+                    (unsigned char)(l>> 8L)&0xff,
+                    (unsigned char)(l     )&0xff,
+                    port);
 end:
        return(ret);
        }
index 0ffa4d2..6f4254a 100644 (file)
@@ -70,55 +70,61 @@ long MS_CALLBACK BIO_debug_callback(BIO *bio, int cmd, const char *argp,
        MS_STATIC char buf[256];
        char *p;
        long r=1;
+       size_t p_maxlen;
 
        if (BIO_CB_RETURN & cmd)
                r=ret;
 
-       sprintf(buf,"BIO[%08lX]:",(unsigned long)bio);
+       BIO_snprintf(buf,sizeof buf,"BIO[%08lX]:",(unsigned long)bio);
        p= &(buf[14]);
+       p_maxlen = sizeof buf - 14;
        switch (cmd)
                {
        case BIO_CB_FREE:
-               sprintf(p,"Free - %s\n",bio->method->name);
+               BIO_snprintf(p,p_maxlen,"Free - %s\n",bio->method->name);
                break;
        case BIO_CB_READ:
                if (bio->method->type & BIO_TYPE_DESCRIPTOR)
-                       sprintf(p,"read(%d,%d) - %s fd=%d\n",bio->num,argi,bio->method->name,bio->num);
+                       BIO_snprintf(p,p_maxlen,"read(%d,%d) - %s fd=%d\n",
+                                bio->num,argi,bio->method->name,bio->num);
                else
-                       sprintf(p,"read(%d,%d) - %s\n",bio->num,argi,bio->method->name);
+                       BIO_snprintf(p,p_maxlen,"read(%d,%d) - %s\n",
+                                bio->num,argi,bio->method->name);
                break;
        case BIO_CB_WRITE:
                if (bio->method->type & BIO_TYPE_DESCRIPTOR)
-                       sprintf(p,"write(%d,%d) - %s fd=%d\n",bio->num,argi,bio->method->name,bio->num);
+                       BIO_snprintf(p,p_maxlen,"write(%d,%d) - %s fd=%d\n",
+                                bio->num,argi,bio->method->name,bio->num);
                else
-                       sprintf(p,"write(%d,%d) - %s\n",bio->num,argi,bio->method->name);
+                       BIO_snprintf(p,p_maxlen,"write(%d,%d) - %s\n",
+                                bio->num,argi,bio->method->name);
                break;
        case BIO_CB_PUTS:
-               sprintf(p,"puts() - %s\n",bio->method->name);
+               BIO_snprintf(p,p_maxlen,"puts() - %s\n",bio->method->name);
                break;
        case BIO_CB_GETS:
-               sprintf(p,"gets(%d) - %s\n",argi,bio->method->name);
+               BIO_snprintf(p,p_maxlen,"gets(%d) - %s\n",argi,bio->method->name);
                break;
        case BIO_CB_CTRL:
-               sprintf(p,"ctrl(%d) - %s\n",argi,bio->method->name);
+               BIO_snprintf(p,p_maxlen,"ctrl(%d) - %s\n",argi,bio->method->name);
                break;
        case BIO_CB_RETURN|BIO_CB_READ:
-               sprintf(p,"read return %ld\n",ret);
+               BIO_snprintf(p,p_maxlen,"read return %ld\n",ret);
                break;
        case BIO_CB_RETURN|BIO_CB_WRITE:
-               sprintf(p,"write return %ld\n",ret);
+               BIO_snprintf(p,p_maxlen,"write return %ld\n",ret);
                break;
        case BIO_CB_RETURN|BIO_CB_GETS:
-               sprintf(p,"gets return %ld\n",ret);
+               BIO_snprintf(p,p_maxlen,"gets return %ld\n",ret);
                break;
        case BIO_CB_RETURN|BIO_CB_PUTS:
-               sprintf(p,"puts return %ld\n",ret);
+               BIO_snprintf(p,p_maxlen,"puts return %ld\n",ret);
                break;
        case BIO_CB_RETURN|BIO_CB_CTRL:
-               sprintf(p,"ctrl return %ld\n",ret);
+               BIO_snprintf(p,p_maxlen,"ctrl return %ld\n",ret);
                break;
        default:
-               sprintf(p,"bio callback - unknown type (%d)\n",cmd);
+               BIO_snprintf(p,p_maxlen,"bio callback - unknown type (%d)\n",cmd);
                break;
                }
 
index 33702eb..f1016e5 100644 (file)
@@ -521,8 +521,8 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr)
                                char buf[16];
                                unsigned char *p = ptr;
 
-                               sprintf(buf,"%d.%d.%d.%d",
-                                       p[0],p[1],p[2],p[3]);
+                               BIO_snprintf(buf,sizeof buf,"%d.%d.%d.%d",
+                                            p[0],p[1],p[2],p[3]);
                                if (data->param_hostname != NULL)
                                        OPENSSL_free(data->param_hostname);
                                data->param_hostname=BUF_strdup(buf);
@@ -532,7 +532,7 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr)
                                {
                                char buf[DECIMAL_SIZE(int)+1];
 
-                               sprintf(buf,"%d",*(int *)ptr);
+                               BIO_snprintf(buf,sizeof buf,"%d",*(int *)ptr);
                                if (data->param_port != NULL)
                                        OPENSSL_free(data->param_port);
                                data->param_port=BUF_strdup(buf);
index 774bc5a..f36bec2 100644 (file)
@@ -256,15 +256,15 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr)
                if (num & BIO_FP_APPEND)
                        {
                        if (num & BIO_FP_READ)
-                               strcpy(p,"a+");
-                       else    strcpy(p,"a");
+                               BUF_strlcpy(p,"a+",sizeof p);
+                       else    BUF_strlcpy(p,"a",sizeof p);
                        }
                else if ((num & BIO_FP_READ) && (num & BIO_FP_WRITE))
-                       strcpy(p,"r+");
+                       BUF_strlcpy(p,"r+",sizeof p);
                else if (num & BIO_FP_WRITE)
-                       strcpy(p,"w");
+                       BUF_strlcpy(p,"w",sizeof p);
                else if (num & BIO_FP_READ)
-                       strcpy(p,"r");
+                       BUF_strlcpy(p,"r",sizeof p);
                else
                        {
                        BIOerr(BIO_F_FILE_CTRL,BIO_R_BAD_FOPEN_MODE);
index d29a7cc..3f607cd 100644 (file)
@@ -145,11 +145,11 @@ char *BN_options(void)
                {
                init++;
 #ifdef BN_LLONG
-               sprintf(data,"bn(%d,%d)",(int)sizeof(BN_ULLONG)*8,
-                       (int)sizeof(BN_ULONG)*8);
+               BIO_snprintf(data,sizeof data,"bn(%d,%d)",
+                            (int)sizeof(BN_ULLONG)*8,(int)sizeof(BN_ULONG)*8);
 #else
-               sprintf(data,"bn(%d,%d)",(int)sizeof(BN_ULONG)*8,
-                       (int)sizeof(BN_ULONG)*8);
+               BIO_snprintf(data,sizeof data,"bn(%d,%d)",
+                            (int)sizeof(BN_ULONG)*8,(int)sizeof(BN_ULONG)*8);
 #endif
                }
        return(data);
index 4bc51d3..7f7b36a 100644 (file)
@@ -119,6 +119,7 @@ char *BN_bn2dec(const BIGNUM *a)
                }
        if ((t=BN_dup(a)) == NULL) goto err;
 
+#define BUF_REMAIN (num+3 - (size_t)(p - buf))
        p=buf;
        lp=bn_data;
        if (t->neg) *(p++)='-';
@@ -139,12 +140,12 @@ char *BN_bn2dec(const BIGNUM *a)
                /* We now have a series of blocks, BN_DEC_NUM chars
                 * in length, where the last one needs truncation.
                 * The blocks need to be reversed in order. */
-               sprintf(p,BN_DEC_FMT1,*lp);
+               BIO_snprintf(p,BUF_REMAIN,BN_DEC_FMT1,*lp);
                while (*p) p++;
                while (lp != bn_data)
                        {
                        lp--;
-                       sprintf(p,BN_DEC_FMT2,*lp);
+                       BIO_snprintf(p,BUF_REMAIN,BN_DEC_FMT2,*lp);
                        while (*p) p++;
                        }
                }
index 52a87aa..0451be0 100644 (file)
@@ -235,7 +235,7 @@ static int def_load_bio(CONF *conf, BIO *in, long *line)
                CONFerr(CONF_F_CONF_LOAD_BIO,ERR_R_MALLOC_FAILURE);
                goto err;
                }
-       strcpy(section,"default");
+       BUF_strlcpy(section,"default",10);
 
        if (_CONF_new_data(conf) == 0)
                {
@@ -392,7 +392,7 @@ again:
                                                        ERR_R_MALLOC_FAILURE);
                                goto err;
                                }
-                       strcpy(v->name,pname);
+                       BUF_strlcpy(v->name,pname,strlen(pname)+1);
                        if (!str_copy(conf,psection,&(v->value),start)) goto err;
 
                        if (strcmp(psection,section) != 0)
@@ -447,7 +447,7 @@ err:
        if (buff != NULL) BUF_MEM_free(buff);
        if (section != NULL) OPENSSL_free(section);
        if (line != NULL) *line=eline;
-       sprintf(btmp,"%ld",eline);
+       BIO_snprintf(btmp,sizeof btmp,"%ld",eline);
        ERR_add_error_data(2,"line ",btmp);
        if ((h != conf->data) && (conf->data != NULL))
                {
index 8ceab6a..d45adea 100644 (file)
@@ -232,7 +232,7 @@ static int module_run(const CONF *cnf, char *name, char *value,
                        {
                        char rcode[DECIMAL_SIZE(ret)+1];
                        CONFerr(CONF_F_CONF_MODULES_LOAD, CONF_R_MODULE_INITIALIZATION_ERROR);
-                       sprintf(rcode, "%-8d", ret);
+                       BIO_snprintf(rcode, sizeof rcode, "%-8d", ret);
                        ERR_add_error_data(6, "module=", name, ", value=", value, ", retcode=", rcode);
                        }
                }
@@ -561,11 +561,11 @@ char *CONF_get1_default_config_file(void)
 
        if (!file)
                return NULL;
-       strcpy(file,X509_get_default_cert_area());
+       BUF_strlcpy(file,X509_get_default_cert_area(),len + 1);
 #ifndef OPENSSL_SYS_VMS
-       strcat(file,"/");
+       BUF_strlcat(file,"/",len + 1);
 #endif
-       strcat(file,OPENSSL_CONF);
+       BUF_strlcat(file,OPENSSL_CONF,len + 1);
 
        return file;
        }
index 8ecfba7..beeeb14 100644 (file)
@@ -61,7 +61,9 @@
 #include "cryptlib.h"
 #include <openssl/crypto.h>
 
+#ifndef NO_WINDOWS_BRAINDEATH
 #include "buildinf.h"
+#endif
 
 const char *SSLeay_version(int t)
        {
@@ -72,7 +74,7 @@ const char *SSLeay_version(int t)
 #ifdef DATE
                static char buf[sizeof(DATE)+11];
 
-               sprintf(buf,"built on: %s",DATE);
+               BIO_snprintf(buf,sizeof buf,"built on: %s",DATE);
                return(buf);
 #else
                return("built on: date not available");
@@ -83,7 +85,7 @@ const char *SSLeay_version(int t)
 #ifdef CFLAGS
                static char buf[sizeof(CFLAGS)+11];
 
-               sprintf(buf,"compiler: %s",CFLAGS);
+               BIO_snprintf(buf,sizeof buf,"compiler: %s",CFLAGS);
                return(buf);
 #else
                return("compiler: information not available");
@@ -94,7 +96,7 @@ const char *SSLeay_version(int t)
 #ifdef PLATFORM
                static char buf[sizeof(PLATFORM)+11];
 
-               sprintf(buf,"platform: %s", PLATFORM);
+               BIO_snprintf(buf,sizeof buf,"platform: %s", PLATFORM);
                return(buf);
 #else
                return("platform: information not available");
index 1b70f68..784aa5b 100644 (file)
@@ -60,6 +60,7 @@
 #include "des_ver.h"
 #include "spr.h"
 #include <openssl/opensslv.h>
+#include <openssl/bio.h>
 
 OPENSSL_GLOBAL const char *libdes_version="libdes" OPENSSL_VERSION_PTEXT;
 OPENSSL_GLOBAL const char *DES_version="DES" OPENSSL_VERSION_PTEXT;
@@ -97,7 +98,8 @@ const char *DES_options(void)
                        size="int";
                else
                        size="long";
-               sprintf(buf,"des(%s,%s,%s,%s)",ptr,risc,unroll,size);
+               BIO_snprintf(buf,sizeof buf,"des(%s,%s,%s,%s)",ptr,risc,unroll,
+                            size);
                init=0;
                }
        return(buf);
index 1045d1d..49bdd71 100644 (file)
@@ -383,7 +383,7 @@ int DSO_set_filename(DSO *dso, const char *filename)
                DSOerr(DSO_F_DSO_SET_FILENAME,ERR_R_MALLOC_FAILURE);
                return(0);
                }
-       strcpy(copied, filename);
+       BUF_strlcpy(copied, filename, strlen(filename) + 1);
        if(dso->filename)
                OPENSSL_free(dso->filename);
        dso->filename = copied;
@@ -449,7 +449,7 @@ char *DSO_convert_filename(DSO *dso, const char *filename)
                                        ERR_R_MALLOC_FAILURE);
                        return(NULL);
                        }
-               strcpy(result, filename);
+               BUF_strlcpy(result, filename, strlen(filename) + 1);
                }
        return(result);
        }
index d9104d3..1a808be 100644 (file)
@@ -160,15 +160,19 @@ static int int_ctrl_helper(ENGINE *e, int cmd, long i, void *p, void (*f)())
        case ENGINE_CTRL_GET_NAME_LEN_FROM_CMD:
                return strlen(e->cmd_defns[idx].cmd_name);
        case ENGINE_CTRL_GET_NAME_FROM_CMD:
-               return sprintf(s, "%s", e->cmd_defns[idx].cmd_name);
+               return BIO_snprintf(s,strlen(e->cmd_defns[idx].cmd_name) + 1,
+                                   "%s", e->cmd_defns[idx].cmd_name);
        case ENGINE_CTRL_GET_DESC_LEN_FROM_CMD:
                if(e->cmd_defns[idx].cmd_desc)
                        return strlen(e->cmd_defns[idx].cmd_desc);
                return strlen(int_no_description);
        case ENGINE_CTRL_GET_DESC_FROM_CMD:
                if(e->cmd_defns[idx].cmd_desc)
-                       return sprintf(s, "%s", e->cmd_defns[idx].cmd_desc);
-               return sprintf(s, "%s", int_no_description);
+                       return BIO_snprintf(s,
+                                           strlen(e->cmd_defns[idx].cmd_desc) + 1,
+                                           "%s", e->cmd_defns[idx].cmd_desc);
+               return BIO_snprintf(s, strlen(int_no_description) + 1,"%s",
+                                   int_no_description);
        case ENGINE_CTRL_GET_CMD_FLAGS:
                return e->cmd_defns[idx].cmd_flags;
                }
index f2c322c..04cea41 100644 (file)
@@ -1075,7 +1075,7 @@ void ERR_add_error_data(int num, ...)
                                else
                                        str=p;
                                }
-                       strcat(str,a);
+                       BUF_strlcat(str,a,s+1);
                        }
                }
        ERR_set_error_data(str,ERR_TXT_MALLOCED|ERR_TXT_STRING);
index 0da88fd..91e545a 100644 (file)
@@ -87,7 +87,7 @@ int EVP_PBE_CipherInit (ASN1_OBJECT *pbe_obj, const char *pass, int passlen,
        if (i == -1) {
                char obj_tmp[80];
                EVPerr(EVP_F_EVP_PBE_CIPHERINIT,EVP_R_UNKNOWN_PBE_ALGORITHM);
-               if (!pbe_obj) strcpy (obj_tmp, "NULL");
+               if (!pbe_obj) BUF_strlcpy (obj_tmp, "NULL", sizeof obj_tmp);
                else i2t_ASN1_OBJECT(obj_tmp, sizeof obj_tmp, pbe_obj);
                ERR_add_error_data(2, "TYPE=", obj_tmp);
                return 0;
index 74c974e..a08eb43 100644 (file)
@@ -313,7 +313,7 @@ ecerr:
 #endif
                default:
                EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM);
-               if (!a->algorithm) strcpy (obj_tmp, "NULL");
+               if (!a->algorithm) BUF_strlcpy (obj_tmp, "NULL", sizeof obj_tmp);
                else i2t_ASN1_OBJECT(obj_tmp, 80, a->algorithm);
                ERR_add_error_data(2, "TYPE=", obj_tmp);
                EVP_PKEY_free (pkey);
index 57bd08f..e212de2 100644 (file)
@@ -597,6 +597,8 @@ static void print_leak(const MEM *m, MEM_LEAK *l)
        struct tm *lcl = NULL;
        unsigned long ti;
 
+#define BUF_REMAIN (sizeof buf - (size_t)(bufp - buf))
+
        if(m->addr == (char *)l->bio)
            return;
 
@@ -604,22 +606,22 @@ static void print_leak(const MEM *m, MEM_LEAK *l)
                {
                lcl = localtime(&m->time);
        
-               sprintf(bufp, "[%02d:%02d:%02d] ",
+               BIO_snprintf(bufp, BUF_REMAIN, "[%02d:%02d:%02d] ",
                        lcl->tm_hour,lcl->tm_min,lcl->tm_sec);
                bufp += strlen(bufp);
                }
 
-       sprintf(bufp, "%5lu file=%s, line=%d, ",
+       BIO_snprintf(bufp, BUF_REMAIN, "%5lu file=%s, line=%d, ",
                m->order,m->file,m->line);
        bufp += strlen(bufp);
 
        if (options & V_CRYPTO_MDEBUG_THREAD)
                {
-               sprintf(bufp, "thread=%lu, ", m->thread);
+               BIO_snprintf(bufp, BUF_REMAIN, "thread=%lu, ", m->thread);
                bufp += strlen(bufp);
                }
 
-       sprintf(bufp, "number=%d, address=%08lX\n",
+       BIO_snprintf(bufp, BUF_REMAIN, "number=%d, address=%08lX\n",
                m->num,(unsigned long)m->addr);
        bufp += strlen(bufp);
 
@@ -641,7 +643,7 @@ static void print_leak(const MEM *m, MEM_LEAK *l)
 
                ami_cnt++;
                memset(buf,'>',ami_cnt);
-               sprintf(buf + ami_cnt,
+               BIO_snprintf(buf + ami_cnt, sizeof buf - ami_cnt,
                        " thread=%lu, file=%s, line=%d, info=\"",
                        amip->thread, amip->file, amip->line);
                buf_len=strlen(buf);
@@ -653,10 +655,11 @@ static void print_leak(const MEM *m, MEM_LEAK *l)
                        }
                else
                        {
-                       strcpy(buf + buf_len, amip->info);
+                       BUF_strlcpy(buf + buf_len, amip->info,
+                                   sizeof buf - buf_len);
                        buf_len = strlen(buf);
                        }
-               sprintf(buf + buf_len, "\"\n");
+               BIO_snprintf(buf + buf_len, sizeof buf - buf_len, "\"\n");
                
                BIO_puts(l->bio,buf);
 
index d463c11..b110856 100644 (file)
@@ -462,7 +462,7 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
                if (i > 2) i=2;
                l-=(long)(i*40);
 
-               sprintf(tbuf,"%d.%lu",i,l);
+               BIO_snprintf(tbuf,sizeof tbuf,"%d.%lu",i,l);
                i=strlen(tbuf);
                BUF_strlcpy(buf,tbuf,buf_len);
                buf_len-=i;
@@ -473,7 +473,7 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
                for (; idx<len; idx++) {
                        l|=p[idx]&0x7f;
                        if (!(p[idx] & 0x80)) {
-                               sprintf(tbuf,".%lu",l);
+                               BIO_snprintf(tbuf,sizeof tbuf,".%lu",l);
                                i=strlen(tbuf);
                                if (buf_len > 0)
                                        BUF_strlcpy(buf,tbuf,buf_len);
index d536b52..e921cc4 100644 (file)
@@ -131,9 +131,9 @@ void PEM_proc_type(char *buf, int type)
        else
                str="BAD-TYPE";
                
-       strcat(buf,"Proc-Type: 4,");
-       strcat(buf,str);
-       strcat(buf,"\n");
+       BUF_strlcat(buf,"Proc-Type: 4,",PEM_BUFSIZE);
+       BUF_strlcat(buf,str,PEM_BUFSIZE);
+       BUF_strlcat(buf,"\n",PEM_BUFSIZE);
        }
 
 void PEM_dek_info(char *buf, const char *type, int len, char *str)
@@ -142,10 +142,12 @@ void PEM_dek_info(char *buf, const char *type, int len, char *str)
        long i;
        int j;
 
-       strcat(buf,"DEK-Info: ");
-       strcat(buf,type);
-       strcat(buf,",");
+       BUF_strlcat(buf,"DEK-Info: ",PEM_BUFSIZE);
+       BUF_strlcat(buf,type,PEM_BUFSIZE);
+       BUF_strlcat(buf,",",PEM_BUFSIZE);
        j=strlen(buf);
+       if (j + (len * 2) + 1 > PEM_BUFSIZE)
+               return;
        for (i=0; i<len; i++)
                {
                buf[j+i*2]  =map[(str[i]>>4)&0x0f];
index 8e1efc1..3eb36c7 100644 (file)
@@ -56,6 +56,7 @@
 
 #include <openssl/e_os2.h>
 #include <openssl/rand.h>
+#include <openssl/buffer.h>
 
 /*
  * Query the EGD <URL: http://www.lothar.com/tech/crypto/>.
@@ -145,7 +146,7 @@ int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes)
        addr.sun_family = AF_UNIX;
        if (strlen(path) >= sizeof(addr.sun_path))
                return (-1);
-       strcpy(addr.sun_path,path);
+       BUF_strlcpy(addr.sun_path,path,sizeof addr.sun_path);
        len = offsetof(struct sockaddr_un, sun_path) + strlen(path);
        fd = socket(AF_UNIX, SOCK_STREAM, 0);
        if (fd == -1) return (-1);
index 13e5f20..dbc9711 100644 (file)
@@ -430,14 +430,14 @@ char *UI_construct_prompt(UI *ui, const char *object_desc,
                len += sizeof(prompt3) - 1;
 
                prompt = (char *)OPENSSL_malloc(len + 1);
-               strcpy(prompt, prompt1);
-               strcat(prompt, object_desc);
+               BUF_strlcpy(prompt, prompt1, len + 1);
+               BUF_strlcat(prompt, object_desc, len + 1);
                if (object_name)
                        {
-                       strcat(prompt, prompt2);
-                       strcat(prompt, object_name);
+                       BUF_strlcat(prompt, prompt2, len + 1);
+                       BUF_strlcat(prompt, object_name, len + 1);
                        }
-               strcat(prompt, prompt3);
+               BUF_strlcat(prompt, prompt3, len + 1);
                }
        return prompt;
        }
@@ -865,7 +865,8 @@ int UI_set_result(UI *ui, UI_STRING *uis, const char *result)
                        return -1;
                        }
 
-               strcpy(uis->result_buf, result);
+               BUF_strlcpy(uis->result_buf, result,
+                           uis->_.string_data.result_maxsize + 1);
                break;
        case UIT_BOOLEAN:
                {
index 448bd7e..a9752d6 100644 (file)
@@ -302,8 +302,9 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name,
                k=0;
                for (;;)
                        {
-                       sprintf(b->data,"%s/%08lx.%s%d",ctx->dirs[i],h,
-                               postfix,k);
+                       BIO_snprintf(b->data,b->max,
+                                    "%s/%08lx.%s%d",ctx->dirs[i],h,
+                                    postfix,k);
                        k++;
                        if (stat(b->data,&st) < 0)
                                break;
index 4f83db8..5a945a7 100644 (file)
@@ -148,7 +148,7 @@ const char *X509_verify_cert_error_string(long n)
                return("unhandled critical extension");
 
        default:
-               sprintf(buf,"error number %ld",n);
+               BIO_snprintf(buf,sizeof buf,"error number %ld",n);
                return(buf);
                }
        }
index ad6cb08..c29eff8 100644 (file)
@@ -137,13 +137,15 @@ STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method,
                case GEN_IPADD:
                p = gen->d.ip->data;
                if(gen->d.ip->length == 4)
-                       sprintf(oline, "%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
+                       BIO_snprintf(oline, sizeof oline,
+                                    "%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
                else if(gen->d.ip->length == 16)
                        {
                        oline[0] = 0;
                        for (i = 0; i < 8; i++)
                                {
-                               sprintf(htmp, "%X", p[0] << 8 | p[1]);
+                               BIO_snprintf(htmp, sizeof htmp,
+                                            "%X", p[0] << 8 | p[1]);
                                p += 2;
                                strcat(oline, htmp);
                                if (i != 7)
index 4e1a1f3..b46ff13 100644 (file)
@@ -105,7 +105,7 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method
                                                STACK_OF(CONF_VALUE) *ret)
 {
        ACCESS_DESCRIPTION *desc;
-       int i;
+       int i,nlen;
        char objtmp[80], *ntmp;
        CONF_VALUE *vtmp;
        for(i = 0; i < sk_ACCESS_DESCRIPTION_num(ainfo); i++) {
@@ -114,15 +114,16 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method
                if(!ret) break;
                vtmp = sk_CONF_VALUE_value(ret, i);
                i2t_ASN1_OBJECT(objtmp, sizeof objtmp, desc->method);
-               ntmp = OPENSSL_malloc(strlen(objtmp) + strlen(vtmp->name) + 5);
+               nlen = strlen(objtmp) + strlen(vtmp->name) + 5;
+               ntmp = OPENSSL_malloc(nlen);
                if(!ntmp) {
                        X509V3err(X509V3_F_I2V_AUTHORITY_INFO_ACCESS,
                                        ERR_R_MALLOC_FAILURE);
                        return NULL;
                }
-               strcpy(ntmp, objtmp);
-               strcat(ntmp, " - ");
-               strcat(ntmp, vtmp->name);
+               BUF_strlcpy(ntmp, objtmp, nlen);
+               BUF_strlcat(ntmp, " - ", nlen);
+               BUF_strlcat(ntmp, vtmp->name, nlen);
                OPENSSL_free(vtmp->name);
                vtmp->name = ntmp;