6 files changed, 27 insertions, 40 deletions

diff --git a/src/appl/bsd/krsh.c b/src/appl/bsd/krsh.c
index b12e25325..6441891ee 100644
--- a/src/appl/bsd/krsh.c
+++ b/src/appl/bsd/krsh.c
@@ -128,7 +128,7 @@ main(argc, argv0)
      char **argv0;
 {
     int rem, pid = 0;
-    char *host=0, *cp, **ap, buf[RCMD_BUFSIZ], *args, **argv = argv0, *user = 0;
+    char *host=0, **ap, buf[RCMD_BUFSIZ], *args, **argv = argv0, *user = 0;
     register int cc;
     struct passwd *pwd;
     fd_set readfrom, ready;
@@ -320,17 +320,13 @@ main(argc, argv0)
       cc += strlen(*ap) + 1;
     if (encrypt_flag)
       cc += 3;
-    cp = args = (char *) malloc((unsigned) cc);
-    if (encrypt_flag) {
-      strcpy(args, "-x ");
-      cp += 3;
-    }
+    args = (char *) malloc((unsigned) cc);
+    if (encrypt_flag)
+      strlcpy(args, "-x ", cc);
     for (ap = argv; *ap; ap++) {
-	(void) strcpy(cp, *ap);
-	while (*cp)
-	  cp++;
+      (void) strlcat(args, *ap, cc);
 	if (ap[1])
-	  *cp++ = ' ';
+	  strlcat(args, " ", cc);
     }
 
     if(debug_port == 0) {
diff --git a/src/appl/bsd/krshd.c b/src/appl/bsd/krshd.c
index 0c2c82eab..2b4c383bf 100644
--- a/src/appl/bsd/krshd.c
+++ b/src/appl/bsd/krshd.c
@@ -1522,19 +1522,18 @@ void doit(f, fromp)
 		offst = 3;
 	}
 
-        strcpy((char *) cmdbuf + offst, kprogdir);
+        strlcpy(cmdbuf + offst, kprogdir, sizeof(cmdbuf) - offst);
 	cp = copy + 3 + offst;
 
-	cmdbuf[sizeof(cmdbuf) - 1] = '\0';
-	if (auth_sys == KRB5_RECVAUTH_V4) {
-	  strncat(cmdbuf, "/v4rcp", sizeof(cmdbuf) - 1 - strlen(cmdbuf));
-	} else {
-	  strncat(cmdbuf, "/rcp", sizeof(cmdbuf) - 1 - strlen(cmdbuf));
-	}
+	if (auth_sys == KRB5_RECVAUTH_V4)
+	  strlcat(cmdbuf, "/v4rcp", sizeof(cmdbuf));
+	else
+	  strlcat(cmdbuf, "/rcp", sizeof(cmdbuf));
+
 	if (stat((char *)cmdbuf + offst, &s2) >= 0)
-	  strncat(cmdbuf, cp, sizeof(cmdbuf) - 1 - strlen(cmdbuf));
+	  strlcat(cmdbuf, cp, sizeof(cmdbuf));
 	else
-	  strncpy(cmdbuf, copy, sizeof(cmdbuf) - 1 - strlen(cmdbuf));
+	  strlcpy(cmdbuf, copy, sizeof(cmdbuf));
 	free(copy);
     }
 #endif
@@ -1948,27 +1947,17 @@ recvauth(netfd, peersin, valid_checksum)
 	struct sockaddr_storage adr;
 	unsigned int adr_length = sizeof(adr);
 	int e;
-	unsigned int buflen = strlen(cmdbuf)+strlen(locuser)+32;
-	char * chksumbuf = (char *) malloc(buflen);
+	char namebuf[32], *chksumbuf = NULL;
 
-	if (chksumbuf == 0)
-	    goto error_cleanup;
 	if (getsockname(netfd, (struct sockaddr *) &adr, &adr_length) != 0)
 	    goto error_cleanup;
 
 	e = getnameinfo((struct sockaddr *)&adr, adr_length, 0, 0,
-			chksumbuf, buflen, NI_NUMERICSERV);
-	if (e) {
-	    free(chksumbuf);
+			namebuf, sizeof(namebuf), NI_NUMERICSERV);
+	if (e)
 	    fatal(netfd, "local error: can't examine port number");
-	}
-	if (strlen(chksumbuf) > 30) {
-	    free(chksumbuf);
-	    fatal(netfd, "wacky local port number?!");
-	}
-	strcat(chksumbuf, ":");
-	strcat(chksumbuf,cmdbuf);
-	strcat(chksumbuf,locuser);
+	if (asprintf(&chksumbuf, "%s:%s%s", namebuf, cmdbuf, locuser) < 0)
+	    goto error_cleanup;
 
 	status = krb5_verify_checksum(bsd_context,
 				      authenticator->checksum->checksum_type,
diff --git a/src/appl/gssftp/ftp/ftp.c b/src/appl/gssftp/ftp/ftp.c
index 1e4a0dcb4..af5732c58 100644
--- a/src/appl/gssftp/ftp/ftp.c
+++ b/src/appl/gssftp/ftp/ftp.c
@@ -719,7 +719,8 @@ int getreply(int expecteof)
 				if(msg_data.app_length < sizeof(ibuf) - 2) {
 				    memmove(ibuf, msg_data.app_data,
 					    msg_data.app_length);
-				    strcpy(&ibuf[msg_data.app_length], "\r\n");
+				    memcpy(&ibuf[msg_data.app_length], "\r\n",
+					   3);
 				} else {
 			            printf("Message too long!");
 				}
@@ -747,7 +748,7 @@ int getreply(int expecteof)
 				  if(msg_buf.length < sizeof(ibuf) - 2 - 1) {
 				    memcpy(ibuf, msg_buf.value, 
 					   msg_buf.length);
-				    strcpy(&ibuf[msg_buf.length], "\r\n");
+				    memcpy(&ibuf[msg_buf.length], "\r\n", 3);
 				  } else {
 				    user_gss_error(maj_stat, min_stat, 
 						   "reply was too long");
diff --git a/src/appl/gssftp/ftp/glob.c b/src/appl/gssftp/ftp/glob.c
index 2b7839205..bbbcb4457 100644
--- a/src/appl/gssftp/ftp/glob.c
+++ b/src/appl/gssftp/ftp/glob.c
@@ -213,7 +213,8 @@ expand(as)
 				*gpathp = 0;
 				if (gethdir(gpath + 1))
 					globerr = "Unknown user name after ~";
-				(void) strcpy(gpath, gpath + 1);
+				(void) memmove(gpath, gpath + 1,
+					       strlen(gpath));
 			} else
 				(void) strncpy(gpath, home, FTP_BUFSIZ - 1);
 			gpath[FTP_BUFSIZ - 1] = '\0';
diff --git a/src/appl/gssftp/ftpd/ftpcmd.y b/src/appl/gssftp/ftpd/ftpcmd.y
index f304541a9..73655a4aa 100644
--- a/src/appl/gssftp/ftpd/ftpcmd.y
+++ b/src/appl/gssftp/ftpd/ftpcmd.y
@@ -1108,7 +1108,7 @@ ftpd_getline(s, n, iop)
 		    return(s);
 		}
 		(void) memcpy(s, msg_data.app_data, msg_data.app_length);
-		(void) strcpy(s+msg_data.app_length, "\r\n");
+		(void) memcpy(s+msg_data.app_length, "\r\n", 3);
 	    }
 #endif /* KRB5_KRB4_COMPAT */
 #ifdef GSSAPI
@@ -1140,7 +1140,7 @@ ftpd_getline(s, n, iop)
 		}
 
 		memcpy(s, msg_buf.value, msg_buf.length);
-		strcpy(s+msg_buf.length-(s[msg_buf.length-1]?0:1), "\r\n");
+		memcpy(s+msg_buf.length-(s[msg_buf.length-1]?0:1), "\r\n", 3);
 		gss_release_buffer(&min_stat, &msg_buf);
 	    }
 #endif /* GSSAPI */
diff --git a/src/appl/telnet/libtelnet/gettytab.c b/src/appl/telnet/libtelnet/gettytab.c
index aaad43aad..d50f8797e 100644
--- a/src/appl/telnet/libtelnet/gettytab.c
+++ b/src/appl/telnet/libtelnet/gettytab.c
@@ -117,7 +117,7 @@ nchktc()
 		write(2, "Gettytab entry too long\n", 24);
 		q[TABBUFSIZ - (p-tbuf)] = 0;
 	}
-	strcpy(p, q+1);
+	strlcpy(p, q+1, TABBUFSIZ - (p-tbuf));
 	tbuf = holdtbuf;
 	return(1);
 }