authorRich Megginson <rmeggins@redhat.com>2006-04-11 02:14:54 +0000
committerRich Megginson <rmeggins@redhat.com>2006-04-11 02:14:54 +0000
commite8c67e58c2faa3e3f5d328a92391a5a6a4569620 (patch)
tree7e16092b4dfb0106f446bb6a79552004399f7155 /ldap/servers/slapd/tools
parent9545e36805201ac0e3172b762373c6df741c2721 (diff)
Bug(s) fixed: 186280
Bug Description: ldapserver: Close potential security vulnerabilities in CGI code Reviewed by: Nathan, Noriko, and Pete (Thanks!) Fix Description: Clean up usage of sprintf, strcpy, fgets instead of gets, fixed buffer usage, etc., mostly in the CGI code and other user facing code (i.e. setup). Also, Steve Grubb told me about a GCC trick to force it to check printf style varargs functions, to check the format string against the argument string, for type mismatches, missing arguments, and too many arguments. In the CGI form argument parsing code, we needed to be more careful about checking for bad input - good input is supposed to look like this: name=value&name=value&..... &name=value. I don't think the original code was checking properly for something like name&name=value. There was another place where we were not checking to see if a buffer had enough room before appending a string to it. I had to change a couple of functions to allow passing in the size of the buffer. Fixed some issues raised by Noriko and Nathan. Platforms tested: RHEL4 Flag Day: no Doc impact: no QA impact: should be covered by regular nightly and manual testing New Tests integrated into TET: none
Diffstat (limited to 'ldap/servers/slapd/tools')
-rw-r--r--ldap/servers/slapd/tools/ldclt/ldclt.c2
-rw-r--r--ldap/servers/slapd/tools/ldclt/repcheck.c6
-rw-r--r--ldap/servers/slapd/tools/ldclt/repslave.c5
-rw-r--r--ldap/servers/slapd/tools/migratecred.c3
-rw-r--r--ldap/servers/slapd/tools/pwenc.c2
5 files changed, 14 insertions, 4 deletions
diff --git a/ldap/servers/slapd/tools/ldclt/ldclt.c b/ldap/servers/slapd/tools/ldclt/ldclt.c
index 95b0982f..f4114c7c 100644
--- a/ldap/servers/slapd/tools/ldclt/ldclt.c
+++ b/ldap/servers/slapd/tools/ldclt/ldclt.c
@@ -3060,6 +3060,8 @@ main (
ldcltExit (EXIT_OTHER); /*JLS 25-08-00*/
ldcltExit (mctx.exitStatus); /*JLS 25-08-00*/
+
+ return mctx.exitStatus;
}
diff --git a/ldap/servers/slapd/tools/ldclt/repcheck.c b/ldap/servers/slapd/tools/ldclt/repcheck.c
index 6967e708..8851f7fe 100644
--- a/ldap/servers/slapd/tools/ldclt/repcheck.c
+++ b/ldap/servers/slapd/tools/ldclt/repcheck.c
@@ -111,6 +111,7 @@ main(int argc, char**argv)
char **tmp;
struct hostent *serveraddr;
struct sockaddr_in srvsaddr;
+ char *p;
while((i=getopt(argc,argv,"p:"))!=EOF){
switch(i){
@@ -125,7 +126,10 @@ main(int argc, char**argv)
maxop=npend=0;
pendops=(Optype*)malloc(sizeof(Optype)*20);
sigset(SIGPIPE,SIG_IGN);
- while(gets(logline)){
+ while(fgets(logline, sizeof(logline), stdin)){
+ if (p = strchr(logline, '\n')) {
+ *p = 0;
+ }
if(!connected){
if((sockfd=socket(AF_INET,SOCK_STREAM,0))==-1){
perror(argv[0]);
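Review bot: An input line longer than `sizeof(logline)-1` no longer overflows, but in the new `fgets` loop its tail is returned by the next call and handled as if it were a separate log record. When `strchr` finds no newline and stdin is not at EOF the line was truncated, so the remainder should be drained and the record skipped or reported, as sketched below; the identical loop added in repslave.c needs the same handling. The bound also assumes `logline` is an array and not a pointer, which cannot be confirmed here because its declaration and the rest of `main` lie outside the hunk. The sketch also parenthesises the assignment in the condition so it does not trip `-Wparentheses`.

```c
while(fgets(logline, sizeof(logline), stdin)){
    if ((p = strchr(logline, '\n')) != NULL) {
        *p = 0;
    } else if (!feof(stdin)) {
        /* over-long line: discard the rest so it is not parsed as a new record */
        int c;
        while ((c = getchar()) != EOF && c != '\n')
            ;
        fprintf(stderr, "%s: input line too long, skipped\n", argv[0]);
        continue;
    }
    /* … unchanged: connection setup and log-line parsing … */
```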
diff --git a/ldap/servers/slapd/tools/ldclt/repslave.c b/ldap/servers/slapd/tools/ldclt/repslave.c
index 952d91a3..3e892f66 100644
--- a/ldap/servers/slapd/tools/ldclt/repslave.c
+++ b/ldap/servers/slapd/tools/ldclt/repslave.c
@@ -314,8 +314,11 @@ main(int argc, char**argv)
* Ignore SIGPIPE during write()
*/
sigset(SIGPIPE,SIG_IGN);
- while(gets(logline))
+ while(fgets(logline, sizeof(logline), stdin))
{
+ if (p = strchr(logline, '\n')) {
+ *p = 0;
+ }
if(log)
puts(logline);
for(tmp=ldap_ops,i=0;tmp[i];i++)
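Review bot: `p` is assigned by the new newline-stripping code, but this hunk adds no declaration for it, so it presumably reuses a variable already declared in repslave.c's `main`, which begins outside the hunk. If that variable carries a value across loop iterations or is read later in `main`, this assignment silently clobbers it. A dedicated local, `char *nl;` used as `if ((nl = strchr(logline, '\n')) != NULL) *nl = 0;`, would remove the doubt and also quiet the assignment-in-condition warning.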
diff --git a/ldap/servers/slapd/tools/migratecred.c b/ldap/servers/slapd/tools/migratecred.c
index d898889a..b8543b0f 100644
--- a/ldap/servers/slapd/tools/migratecred.c
+++ b/ldap/servers/slapd/tools/migratecred.c
@@ -172,7 +172,8 @@ main( int argc, char **argv)
#endif
#endif
- sprintf(libpath, "%s/../lib/des-plugin%s", newpath, shared_lib);
+ snprintf(libpath, sizeof(libpath), "%s/../lib/des-plugin%s", newpath, shared_lib);
+ libpath[sizeof(libpath)-1] = 0;
fct = (migrate_fn_type)sym_load(libpath, "migrateCredentials",
"DES Plugin", 1 /* report errors */ );
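Review bot: The `snprintf` result is discarded, so when `newpath` plus the suffix does not fit in `libpath` the truncated string is still handed to `sym_load`, which would then try to load whatever file the shortened path happens to name. Capture the length and fail before loading: `n = snprintf(libpath, sizeof(libpath), ...);` followed by `if (n < 0 || (size_t)n >= sizeof(libpath)) { /* report and exit */ }`. The explicit terminator on the following line can stay for platforms whose snprintf does not terminate on truncation; such implementations may return a negative value instead of the needed length, which the `n < 0` test covers. `main` continues outside the hunk, so where `newpath` comes from is not visible here.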
diff --git a/ldap/servers/slapd/tools/pwenc.c b/ldap/servers/slapd/tools/pwenc.c
index 350f7111..c87e0f64 100644
--- a/ldap/servers/slapd/tools/pwenc.c
+++ b/ldap/servers/slapd/tools/pwenc.c
@@ -129,7 +129,7 @@ main( argc, argv )
struct pw_scheme *pwsp, *cmppwsp;
extern int optind;
char *cpwd = NULL; /* candidate password for comparison */
- char errorbuf[BUFSIZ];
+ char errorbuf[SLAPI_DSE_RETURNTEXT_SIZE];
slapdFrontendConfig_t *slapdFrontendConfig = NULL;
char *opts = "Hs:c:D:";