Avoid use of unchecked sprintf in libraries. Use asprintf if the

output buffer is allocated according to the size of data to be
written, or snprintf otherwise.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19703 dc483132-0cff-0310-8789-dd5450dbe970

6 files changed, 15 insertions, 14 deletions

diff --git a/src/lib/krb4/CCache-glue.c b/src/lib/krb4/CCache-glue.c
index 2ccbb153a1..a078c9f697 100644
--- a/src/lib/krb4/CCache-glue.c
+++ b/src/lib/krb4/CCache-glue.c
@@ -93,7 +93,7 @@ krb_in_tkt (
 	err = cc_initialize (&cc_context, ccapi_version_3, &cc_version, NULL);
     
 	if (err == ccNoError) {
-        sprintf (principal, "%s%s%s@%s", pname, (pinst [0] == '\0') ? "" : ".", pinst, realm);
+	    snprintf (principal, sizeof(principal), "%s%s%s@%s", pname, (pinst [0] == '\0') ? "" : ".", pinst, realm);
 	}
     
 	if (err == ccNoError) {
diff --git a/src/lib/krb4/RealmsConfig-glue.c b/src/lib/krb4/RealmsConfig-glue.c
index 740d881c41..df663adb56 100644
--- a/src/lib/krb4/RealmsConfig-glue.c
+++ b/src/lib/krb4/RealmsConfig-glue.c
@@ -473,7 +473,7 @@ krb_get_krbhst(
 	    return KFAILURE;
 	if (strlen(entry->host) + 6 >= MAXHOSTNAMELEN)
 	    return KFAILURE;
-	sprintf(host, "%s:%d", entry->host, entry->port);
+	snprintf(host, MAXHOSTNAMELEN, "%s:%d", entry->host, entry->port);
 	return KSUCCESS;
     }
 #endif
diff --git a/src/lib/krb4/klog.c b/src/lib/krb4/klog.c
index da48efeb2c..4e9661a891 100644
--- a/src/lib/krb4/klog.c
+++ b/src/lib/krb4/klog.c
@@ -91,7 +91,7 @@ char * klog(type,format,a1,a2,a3,a4,a5,a6,a7,a8,a9,a0)
         logtype_array[L_ERR_UNK] = 1;
     }
 
-    (void) sprintf(logtxt,format,a1,a2,a3,a4,a5,a6,a7,a8,a9,a0);
+    (void) snprintf(logtxt,sizeof(logtxt),format,a1,a2,a3,a4,a5,a6,a7,a8,a9,a0);
 
     if (!logtype_array[type])
 	return(logtxt);
diff --git a/src/lib/krb4/password_to_key.c b/src/lib/krb4/password_to_key.c
index c6e60d98cd..d5ca7a5ccc 100644
--- a/src/lib/krb4/password_to_key.c
+++ b/src/lib/krb4/password_to_key.c
@@ -35,6 +35,8 @@
 #include "krb.h"
 #include "krb4int.h"
 
+#include "k5-platform.h"
+
 /*
  * passwd_to_key(): given a password, return a DES key.
  * There are extra arguments here which (used to be?)
@@ -107,17 +109,15 @@ krb5_passwd_to_key(
     char	*passwd,
     C_Block	key)
 {
-    size_t	len, tlen;
     char	*p;
 
     if (user && instance && realm && passwd) {
-        len = MAX_K_NAME_SZ + strlen(passwd) + 1;
-	tlen = strlen(passwd) + strlen(realm) + strlen(user) + strlen(instance) + 1;
-	if (tlen > len)
+	if (strlen(realm) + strlen(user) + strlen(instance) > MAX_K_NAME_SZ)
+	    /* XXX Is this right?  The old code returned 0, which is
+	       also what it returns after sucessfully generating a
+	       key.  The other error path returns -1.  */
 	    return 0;
-        p = malloc (tlen);
-        if (p != NULL) {
-            sprintf (p, "%s%s%s%s", passwd, realm, user, instance);
+	if (asprintf(&p, "%s%s%s%s", passwd, realm, user, instance) >= 0) {
             des_string_to_key (p, key);
             free (p);
             return 0;
diff --git a/src/lib/krb4/stime.c b/src/lib/krb4/stime.c
index 92c86895e8..f73c6f5201 100644
--- a/src/lib/krb4/stime.c
+++ b/src/lib/krb4/stime.c
@@ -49,9 +49,9 @@ char *krb_stime(t)
 
     adjusted_time = *t - CONVERT_TIME_EPOCH;
     tm = localtime(&adjusted_time);
-    (void) sprintf(st,"%2d-%s-%d %02d:%02d:%02d",tm->tm_mday,
-                   month_sname(tm->tm_mon + 1),1900+tm->tm_year,
-                   tm->tm_hour, tm->tm_min, tm->tm_sec);
+    (void) snprintf(st,sizeof(st),"%2d-%s-%d %02d:%02d:%02d",tm->tm_mday,
+		    month_sname(tm->tm_mon + 1),1900+tm->tm_year,
+		    tm->tm_hour, tm->tm_min, tm->tm_sec);
     return st;
 }
 
diff --git a/src/lib/krb4/tkt_string.c b/src/lib/krb4/tkt_string.c
index 123596ca24..f6ed927b74 100644
--- a/src/lib/krb4/tkt_string.c
+++ b/src/lib/krb4/tkt_string.c
@@ -74,7 +74,8 @@ const char *tkt_string()
 	} else {
 	    /* 32 bits of signed integer will always fit in 11 characters
 	     (including the sign), so no need to worry about overflow */
-	    (void) sprintf(krb_ticket_string, "%s%d",TKT_ROOT,(int) getuid());
+	    (void) snprintf(krb_ticket_string, sizeof(krb_ticket_string),
+			    "%s%d",TKT_ROOT,(int) getuid());
         }
     }
     return krb_ticket_string;