2006-04-22 Enrico Scholz * extra/buzzme/buzzme.c, libpcap-0.9.1-kis/fad-glifc.c, libpcap-0.9.1-kis/pcap-nit.c, libpcap-0.9.1-kis/pcap-snoop.c, libpcap-0.9.1-kis/fad-gifc.c, libpcap-0.9.1-kis/pcap-linux.c, pcapsource.cc, tcpclient.cc, gpsmap_cache.cc, ifcontrol.cc: ensure, that strings copied by 'strncpy()' will be terminated by '\0'. The following replacements are used for | strncpy(buf, 0, buf_len); a) when 'buf[buf_len-1] == '\0' can be guaranteed (e.g. by a previous memset()): | strncpy(buf, 0, buf_len - 1); b) when 'buf[buf_len-1] == '\0' can not be guaranteed: | strncpy(buf, 0, buf_len); | buf[buf_len-1] = '\0'; on first glance it seems to be more efficient to use | strncpy(buf, 0, buf_len-1); But most 'buf_len' are multiples of 2 or 4 allowing the compiler to generate more efficient code. At same places, | strncpy(buf, 0, sizeof buf); will be used where applicable. Perhaps, it would be a good idea to use BSD's strlcpy() there? * panelfront_display.cc most hunks fixes some oddnesses in the assignment/range-check for 'print_width'. A range-check was added in PanelFront::StatsPrinter() which was missing before. --- kismet-2006-04-R1/extra/buzzme/buzzme.c.strop 2002-07-22 17:01:26.000000000 +0200 +++ kismet-2006-04-R1/extra/buzzme/buzzme.c 2006-04-22 21:08:37.000000000 +0200 @@ -94,6 +94,7 @@ main(int argc, char **argv) // Figure out program name. Remove path if needed. strncpy(pname,argv[0],sizeof(pname)); + pname[sizeof(pname)-1] = '\0'; if ((progname = rindex(pname,'/')) != NULL) { progname++; // skip slash. } --- kismet-2006-04-R1/libpcap-0.9.1-kis/fad-glifc.c.strop 2005-06-21 02:58:08.000000000 +0200 +++ kismet-2006-04-R1/libpcap-0.9.1-kis/fad-glifc.c 2006-04-22 21:08:37.000000000 +0200 
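Review bot: The added terminator in buzzme.c's main() leaves the copy itself unguarded: `strncpy(pname,argv[0],sizeof(pname))` dereferences argv[0], which is a null pointer when the program is started with an empty argv (argc == 0), so strncpy reads from NULL before the new line runs. A guard ahead of the copy such as `if (argc < 1 || argv[0] == NULL) return 1;` closes that, or substitute a fixed program name in that case. The rest of main() is outside the hunk, so the exit style used there should be matched.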
@@ -213,6 +213,7 @@ pcap_findalldevs(pcap_if_t **alldevsp, c */ strncpy(ifrflags.lifr_name, ifrp->lifr_name, sizeof(ifrflags.lifr_name)); + ifrflags.lifr_name[sizeof(ifrflags.lifr_name)-1] = '\0'; if (ioctl(fd, SIOCGLIFFLAGS, (char *)&ifrflags) < 0) { if (errno == ENXIO) continue; @@ -232,6 +233,7 @@ pcap_findalldevs(pcap_if_t **alldevsp, c */ strncpy(ifrnetmask.lifr_name, ifrp->lifr_name, sizeof(ifrnetmask.lifr_name)); + ifrnetmask.lifr_name[sizeof(ifrnetmask.lifr_name)-1] = '\0'; memcpy(&ifrnetmask.lifr_addr, &ifrp->lifr_addr, sizeof(ifrnetmask.lifr_addr)); if (ioctl(fd, SIOCGLIFNETMASK, (char *)&ifrnetmask) < 0) { @@ -259,6 +261,7 @@ pcap_findalldevs(pcap_if_t **alldevsp, c if (ifrflags.lifr_flags & IFF_BROADCAST) { strncpy(ifrbroadaddr.lifr_name, ifrp->lifr_name, sizeof(ifrbroadaddr.lifr_name)); + ifrbroadaddr.lifr_name[sizeof(ifrbroadaddr.lifr_name)-1] = '\0'; memcpy(&ifrbroadaddr.lifr_addr, &ifrp->lifr_addr, sizeof(ifrbroadaddr.lifr_addr)); if (ioctl(fd, SIOCGLIFBRDADDR, @@ -294,6 +297,7 @@ pcap_findalldevs(pcap_if_t **alldevsp, c if (ifrflags.lifr_flags & IFF_POINTOPOINT) { strncpy(ifrdstaddr.lifr_name, ifrp->lifr_name, sizeof(ifrdstaddr.lifr_name)); + ifrdstaddr.lifr_name[sizeof(ifrdstaddr.lifr_name)-1] = '\0'; memcpy(&ifrdstaddr.lifr_addr, &ifrp->lifr_addr, sizeof(ifrdstaddr.lifr_addr)); if (ioctl(fd, SIOCGLIFDSTADDR, --- kismet-2006-04-R1/libpcap-0.9.1-kis/pcap-nit.c.strop 2005-06-21 02:58:08.000000000 +0200 +++ kismet-2006-04-R1/libpcap-0.9.1-kis/pcap-nit.c 2006-04-22 21:08:37.000000000 +0200 @@ -199,7 +199,7 @@ pcap_inject_nit(pcap_t *p, const void *b int ret; memset(&sa, 0, sizeof(sa)); - strncpy(sa.sa_data, device, sizeof(sa.sa_data)); + strncpy(sa.sa_data, device, sizeof(sa.sa_data)-1); ret = sendto(p->fd, buf, size, 0, &sa, sizeof(sa)); if (ret == -1) { snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "send: %s", 
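Review bot: The strncpy-plus-terminator pair added in fad-glifc.c at @@ -213 is repeated verbatim in the three following hunks (@@ -232, @@ -259, @@ -294) and four more times in fad-gifc.c, so the same invariant is maintained in eight places. A file-local helper, e.g. `static void copy_ifname(char *dst, const char *src, size_t dstsz)` that does the strncpy and then `dst[dstsz-1] = '\0'`, would keep it in one, at the cost of a slightly larger delta against upstream libpcap. Both sides of these copies are the same `lifr_name` field, presumably of equal size, so the terminator should never actually change anything; a comment such as `/* same-sized field; terminator is defensive */` would stop the next reader hunting for the case where it does. pcap_findalldevs() starts and ends outside the hunk.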
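Review bot: `strncpy(sa.sa_data, device, sizeof(sa.sa_data)-1)` in pcap_inject_nit() now terminates correctly but still truncates silently, so a device name longer than sa_data holds makes the sendto() address whichever interface the shortened name denotes, or fail with an errno that points elsewhere. The same silent truncation remains in every hunk of this patch that copies a caller-supplied name into a fixed ifreq/sockaddr field: pcap-nit.c @@ -273, pcap-snoop.c @@ -223, the six pcap-linux.c hunks (iface_get_id, pcap_close_linux, live_open_old, iface_bind_old, iface_get_mtu, iface_get_arptype), the RadiotapBSD hunks in pcapsource.cc, TcpClient::Connect in tcpclient.cc, and all five Ifconfig_* hunks in ifcontrol.cc, where the SIOCS* ioctls would then modify a different interface than the one named. Each of these functions already has an error path of its own, so a length check can follow that style; here it would be `if (strlen(device) >= sizeof(sa.sa_data)) { snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "send: device name too long"); return -1; }` before the copy, returning whatever the sendto failure path below (outside the hunk) returns. The fad-gifc.c and fad-glifc.c pcap_findalldevs hunks copy a same-sized field out of the kernel's interface list and presumably need no such check.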
@@ -273,8 +273,9 @@ pcap_open_live(const char *device, int s "socket: %s", pcap_strerror(errno)); goto bad; } + memset(&snit, 0, sizeof snit); snit.snit_family = AF_NIT; - (void)strncpy(snit.snit_ifname, device, NITIFSIZ); + (void)strncpy(snit.snit_ifname, device, sizeof(snit.snit_ifname)-1); if (bind(fd, (struct sockaddr *)&snit, sizeof(snit))) { snprintf(ebuf, PCAP_ERRBUF_SIZE, --- kismet-2006-04-R1/libpcap-0.9.1-kis/pcap-snoop.c.strop 2005-06-21 02:58:08.000000000 +0200 +++ kismet-2006-04-R1/libpcap-0.9.1-kis/pcap-snoop.c 2006-04-22 21:08:37.000000000 +0200 @@ -223,7 +223,7 @@ pcap_open_live(const char *device, int s p->fd = fd; memset(&sr, 0, sizeof(sr)); sr.sr_family = AF_RAW; - (void)strncpy(sr.sr_ifname, device, sizeof(sr.sr_ifname)); + (void)strncpy(sr.sr_ifname, device, sizeof(sr.sr_ifname)-1); if (bind(fd, (struct sockaddr *)&sr, sizeof(sr))) { snprintf(ebuf, PCAP_ERRBUF_SIZE, "snoop bind: %s", pcap_strerror(errno)); @@ -316,6 +316,7 @@ pcap_open_live(const char *device, int s * to be no greater than the MTU. */ (void)strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name)); + ifr.ifr_name[sizeof(ifr.ifr_name)-1] = '\0'; if (ioctl(fd, SIOCGIFMTU, (char *)&ifr) < 0) { snprintf(ebuf, PCAP_ERRBUF_SIZE, "SIOCGIFMTU: %s", pcap_strerror(errno)); --- kismet-2006-04-R1/libpcap-0.9.1-kis/fad-gifc.c.strop 2005-06-21 02:58:08.000000000 +0200 +++ kismet-2006-04-R1/libpcap-0.9.1-kis/fad-gifc.c 2006-04-22 21:08:37.000000000 +0200 @@ -188,6 +188,7 @@ scan_proc_net_dev(pcap_if_t **devlistp, * it's not up. */ strncpy(ifrflags.ifr_name, name, sizeof(ifrflags.ifr_name)); + ifrflags.ifr_name[sizeof(ifrflags.ifr_name)-1] = '\0'; if (ioctl(fd, SIOCGIFFLAGS, (char *)&ifrflags) < 0) { if (errno == ENXIO) continue; 
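Review bot: The `sizeof(snit.snit_ifname)-1` copy introduced in pcap-nit.c's pcap_open_live at @@ -273 is only correct because of the `memset(&snit, 0, sizeof snit)` added immediately above it, and nothing in the code records that dependency, so a later edit that moves or drops the memset silently reintroduces the unterminated name. A one-line comment at the strncpy, e.g. `/* snit zeroed above: -1 keeps the final NUL */`, makes the invariant visible; the same applies to pcap-snoop.c @@ -223 and to every `-1` copy in the pcap-linux.c, pcapsource.cc and ifcontrol.cc hunks, where the memset is a context line rather than part of the change. pcap-snoop.c's second hunk at @@ -316 uses the explicit-terminator form instead because no memset is visible there, which is right but puts both idioms in the same function; saying so once in a comment would help the reader. pcap_open_live() starts and ends outside the hunk.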
@@ -354,6 +355,7 @@ pcap_findalldevs(pcap_if_t **alldevsp, c */ strncpy(ifrflags.ifr_name, ifrp->ifr_name, sizeof(ifrflags.ifr_name)); + ifrflags.ifr_name[sizeof(ifrflags.ifr_name)-1] = '\0'; if (ioctl(fd, SIOCGIFFLAGS, (char *)&ifrflags) < 0) { if (errno == ENXIO) continue; @@ -373,6 +375,7 @@ pcap_findalldevs(pcap_if_t **alldevsp, c */ strncpy(ifrnetmask.ifr_name, ifrp->ifr_name, sizeof(ifrnetmask.ifr_name)); + ifrnetmask.ifr_name[sizeof(ifrnetmask.ifr_name)-1] = '\0'; memcpy(&ifrnetmask.ifr_addr, &ifrp->ifr_addr, sizeof(ifrnetmask.ifr_addr)); if (ioctl(fd, SIOCGIFNETMASK, (char *)&ifrnetmask) < 0) { @@ -403,6 +406,7 @@ pcap_findalldevs(pcap_if_t **alldevsp, c if (ifrflags.ifr_flags & IFF_BROADCAST) { strncpy(ifrbroadaddr.ifr_name, ifrp->ifr_name, sizeof(ifrbroadaddr.ifr_name)); + ifrbroadaddr.ifr_name[sizeof(ifrbroadaddr.ifr_name)-1] = '\0'; memcpy(&ifrbroadaddr.ifr_addr, &ifrp->ifr_addr, sizeof(ifrbroadaddr.ifr_addr)); if (ioctl(fd, SIOCGIFBRDADDR, @@ -442,6 +446,7 @@ pcap_findalldevs(pcap_if_t **alldevsp, c if (ifrflags.ifr_flags & IFF_POINTOPOINT) { strncpy(ifrdstaddr.ifr_name, ifrp->ifr_name, sizeof(ifrdstaddr.ifr_name)); + ifrdstaddr.ifr_name[sizeof(ifrdstaddr.ifr_name)-1] = '\0'; memcpy(&ifrdstaddr.ifr_addr, &ifrp->ifr_addr, sizeof(ifrdstaddr.ifr_addr)); if (ioctl(fd, SIOCGIFDSTADDR, --- kismet-2006-04-R1/libpcap-0.9.1-kis/pcap-linux.c.strop 2005-07-19 22:06:52.000000000 +0200 +++ kismet-2006-04-R1/libpcap-0.9.1-kis/pcap-linux.c 2006-04-22 21:08:37.000000000 +0200 @@ -1496,7 +1496,7 @@ iface_get_id(int fd, const char *device, struct ifreq ifr; memset(&ifr, 0, sizeof(ifr)); - strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name)); + strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name)-1); if (ioctl(fd, SIOCGIFINDEX, &ifr) == -1) { snprintf(ebuf, PCAP_ERRBUF_SIZE, 
@@ -1598,7 +1598,7 @@ static void pcap_close_linux( pcap_t *ha * kernels. */ memset(&ifr, 0, sizeof(ifr)); - strncpy(ifr.ifr_name, handle->md.device, sizeof(ifr.ifr_name)); + strncpy(ifr.ifr_name, handle->md.device, sizeof(ifr.ifr_name)-1); if (ioctl(handle->fd, SIOCGIFFLAGS, &ifr) == -1) { fprintf(stderr, "Can't restore interface flags (SIOCGIFFLAGS failed: %s).\n" @@ -1714,7 +1714,7 @@ live_open_old(pcap_t *handle, const char if (promisc) { memset(&ifr, 0, sizeof(ifr)); - strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name)); + strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name)-1); if (ioctl(handle->fd, SIOCGIFFLAGS, &ifr) == -1) { snprintf(ebuf, PCAP_ERRBUF_SIZE, "ioctl: %s", pcap_strerror(errno)); @@ -1792,7 +1792,7 @@ iface_bind_old(int fd, const char *devic socklen_t errlen = sizeof(err); memset(&saddr, 0, sizeof(saddr)); - strncpy(saddr.sa_data, device, sizeof(saddr.sa_data)); + strncpy(saddr.sa_data, device, sizeof(saddr.sa_data)-1); if (bind(fd, &saddr, sizeof(saddr)) == -1) { snprintf(ebuf, PCAP_ERRBUF_SIZE, "bind: %s", pcap_strerror(errno)); @@ -1831,7 +1831,7 @@ iface_get_mtu(int fd, const char *device return BIGGER_THAN_ALL_MTUS; memset(&ifr, 0, sizeof(ifr)); - strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name)); + strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name)-1); if (ioctl(fd, SIOCGIFMTU, &ifr) == -1) { snprintf(ebuf, PCAP_ERRBUF_SIZE, @@ -1851,7 +1851,7 @@ iface_get_arptype(int fd, const char *de struct ifreq ifr; memset(&ifr, 0, sizeof(ifr)); - strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name)); + strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name)-1); if (ioctl(fd, SIOCGIFHWADDR, &ifr) == -1) { snprintf(ebuf, PCAP_ERRBUF_SIZE, --- kismet-2006-04-R1/panelfront_display.cc.strop 2005-08-15 17:52:16.000000000 +0200 +++ kismet-2006-04-R1/panelfront_display.cc 2006-04-22 21:08:37.000000000 +0200 @@ -19,6 +19,7 @@ #include "config.h" #include +#include #include "panelfront.h" #include "displaynetworksort.h" 
@@ -1475,9 +1476,8 @@ int PanelFront::DetailsPrinter(void *in_ char output[1024]; kwin->text.clear(); - int print_width = kwin->print_width; - if (print_width > 1024) - print_width = 1023; + size_t const print_width = MIN(static_cast(kwin->print_width), + sizeof(output)); if (details_network == NULL) { kwin->text.push_back("The network or group being displayed"); @@ -1918,9 +1918,8 @@ int PanelFront::GpsPrinter(void *in_wind wireless_network *dnet = details_network->virtnet; - int print_width = kwin->print_width; - if (print_width > 1024) - print_width = 1023; + size_t const print_width = MIN(static_cast(kwin->print_width), + sizeof(output)); if (print_width < 32) { kwin->text.push_back("Display not wide enough"); @@ -2603,7 +2602,8 @@ int PanelFront::StatsPrinter(void *in_wi vector details_text; char output[1024]; - const int print_width = kwin->print_width; + const size_t print_width = MIN(static_cast(kwin->print_width), + sizeof(output)); snprintf(output, print_width, "Start : %.24s", ctime((const time_t *) &start_time)); details_text.push_back(output); @@ -2921,9 +2921,8 @@ int PanelFront::DetailsClientPrinter(voi char temp[1024]; kwin->text.clear(); - int print_width = kwin->print_width; - if (print_width > 1024) - print_width = 1023; + size_t const print_width = MIN(static_cast(kwin->print_width), + sizeof(output)); switch (details_client->type) { case client_fromds: --- kismet-2006-04-R1/pcapsource.cc.strop 2006-04-22 21:08:37.000000000 +0200 +++ kismet-2006-04-R1/pcapsource.cc 2006-04-22 21:08:37.000000000 +0200 @@ -2756,7 +2756,7 @@ bool RadiotapBSD::getmediaopt(int& optio return false; memset(&ifmr, 0, sizeof(ifmr)); - strncpy(ifmr.ifm_name, ifname.c_str(), sizeof(ifmr.ifm_name)); + strncpy(ifmr.ifm_name, ifname.c_str(), sizeof(ifmr.ifm_name)-1); /* * We must go through the motions of reading all 
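Review bot: In DetailsClientPrinter (@@ -2921) the new clamp is `MIN(static_cast<size_t>(kwin->print_width), sizeof(output))` while the only buffer visible in the hunk is `char temp[1024]`; if the snprintf calls further down that function write into temp, the bound should be `sizeof(temp)` — both are presumably 1024 today, which is exactly why a mismatch would go unnoticed until one of them changes. Changing print_width from int to size_t in all four hunks also turns any later `print_width - n` into unsigned arithmetic, so a comparison of the form `if (print_width - 4 < 0)` further down (outside the hunk) would now be always false; the remainder of each printer deserves a look for that. The page renders the `static_cast` template argument and the added `#include` target as empty; assuming they are `size_t` and the header that provides MIN, a negative print_width becomes a huge value that MIN brings back to the buffer size, which is worth a comment such as `// negative widths wrap to a huge size_t and are clamped to the buffer`. All four printer bodies continue outside their hunks.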
@@ -2781,7 +2781,7 @@ bool RadiotapBSD::setmediaopt(int option return false; memset(&ifmr, 0, sizeof(ifmr)); - strncpy(ifmr.ifm_name, ifname.c_str(), sizeof(ifmr.ifm_name)); + strncpy(ifmr.ifm_name, ifname.c_str(), sizeof(ifmr.ifm_name)-1); /* * We must go through the motions of reading all @@ -2809,7 +2809,7 @@ bool RadiotapBSD::setmediaopt(int option delete mwords; memset(&ifr, 0, sizeof(ifr)); - strncpy(ifr.ifr_name, ifname.c_str(), sizeof(ifr.ifr_name)); + strncpy(ifr.ifr_name, ifname.c_str(), sizeof(ifr.ifr_name)-1); ifr.ifr_media = (ifmr.ifm_current &~ IFM_OMASK) | options; ifr.ifr_media = (ifr.ifr_media &~ IFM_MMASK) | IFM_MAKEMODE(mode); @@ -2863,7 +2863,7 @@ bool RadiotapBSD::get80211(int type, int if (!checksocket()) return false; memset(&ireq, 0, sizeof(ireq)); - strncpy(ireq.i_name, ifname.c_str(), sizeof(ireq.i_name)); + strncpy(ireq.i_name, ifname.c_str(), sizeof(ireq.i_name)-1); ireq.i_type = type; ireq.i_len = len; ireq.i_data = data; @@ -2881,7 +2881,7 @@ bool RadiotapBSD::set80211(int type, int if (!checksocket()) return false; memset(&ireq, 0, sizeof(ireq)); - strncpy(ireq.i_name, ifname.c_str(), sizeof(ireq.i_name)); + strncpy(ireq.i_name, ifname.c_str(), sizeof(ireq.i_name)-1); ireq.i_type = type; ireq.i_val = val; ireq.i_len = len; @@ -2898,6 +2898,7 @@ bool RadiotapBSD::getifflags(int& flags) return false; strncpy(ifr.ifr_name, ifname.c_str(), sizeof (ifr.ifr_name)); + ifr.ifr_name[sizeof (ifr.ifr_name)-1] = '\0'; if (ioctl(s, SIOCGIFFLAGS, (caddr_t)&ifr) < 0) { perror("SIOCGIFFLAGS ioctl failed"); return false; --- kismet-2006-04-R1/tcpclient.cc.strop 2006-04-22 21:08:37.000000000 +0200 +++ kismet-2006-04-R1/tcpclient.cc 2006-04-22 21:08:37.000000000 +0200 
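Review bot: RadiotapBSD::getifflags (@@ -2898) is the only hunk in pcapsource.cc that keeps the full-length strncpy and appends the terminator, and no `memset(&ifr, ...)` is visible before it, unlike the four sibling hunks above; the form is correct, but the rest of ifr then reaches `ioctl(s, SIOCGIFFLAGS, ...)` uninitialized. Zeroing ifr first and using the same copy as the other RadiotapBSD methods would make all six copies read alike: `memset(&ifr, 0, sizeof ifr); strncpy(ifr.ifr_name, ifname.c_str(), sizeof(ifr.ifr_name)-1);`. Whether ifr is a local or a member, and whether it is zeroed elsewhere, is outside the hunk.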
@@ -107,6 +107,7 @@ int TcpClient::Connect(short int in_port } strncpy(hostname, in_host, MAXHOSTNAMELEN); + hostname[MAXHOSTNAMELEN-1] = '\0'; // Set up our socket //bzero(&client_sock, sizeof(client_sock)); --- kismet-2006-04-R1/gpsmap_cache.cc.strop 2005-03-10 17:49:34.000000000 +0100 +++ kismet-2006-04-R1/gpsmap_cache.cc 2006-04-22 21:08:37.000000000 +0200 @@ -174,6 +174,8 @@ int ReadGpsCacheFile(const char *in_gpsf strncpy(pt->bssid, cpt.bssid, MAC_STR_LEN); strncpy(pt->source, cpt.source, MAC_STR_LEN); + pt->bssid[MAC_STR_LEN-1] = '\0'; + pt->source[MAC_STR_LEN-1] = '\0'; pt->tv_sec = cpt.tv_sec; pt->tv_usec = cpt.tv_usec; pt->lat = cpt.lat; @@ -344,9 +346,10 @@ int WriteGpsCacheFile(const char *in_gps for (unsigned int nsam = 0; nsam < fheader.num_points; nsam++) { gpscache_point cpt; gps_point *pt = (*in_points)[nsam]; - - strncpy(cpt.bssid, pt->bssid, MAC_STR_LEN); - strncpy(cpt.source, pt->source, MAC_STR_LEN); + + memset(&cpt, 0, sizeof cpt); + strncpy(cpt.bssid, pt->bssid, sizeof(cpt.bssid)-1); + strncpy(cpt.source, pt->source, sizeof(cpt.source)-1); cpt.tv_sec = pt->tv_sec; cpt.tv_usec = pt->tv_usec; cpt.lat = pt->lat; --- kismet-2006-04-R1/ifcontrol.cc.strop 2004-08-09 06:36:01.000000000 +0200 +++ kismet-2006-04-R1/ifcontrol.cc 2006-04-22 21:08:37.000000000 +0200 @@ -32,7 +32,8 @@ int Ifconfig_Set_Flags(const char *in_de } // Fetch interface flags - strncpy(ifr.ifr_name, in_dev, IFNAMSIZ); + memset(&ifr, 0, sizeof ifr); + strncpy(ifr.ifr_name, in_dev, sizeof(ifr.ifr_name)-1); ifr.ifr_flags = flags; if (ioctl(skfd, SIOCSIFFLAGS, &ifr) < 0) { snprintf(errstr, STATUS_MAX, "SetIFFlags: Unknown interface %s: %s", @@ -58,7 +59,8 @@ int Ifconfig_Get_Flags(const char *in_de } // Fetch interface flags - strncpy(ifr.ifr_name, in_dev, IFNAMSIZ); + memset(&ifr, 0, sizeof ifr); + strncpy(ifr.ifr_name, in_dev, sizeof(ifr.ifr_name)-1); if (ioctl(skfd, SIOCGIFFLAGS, &ifr) < 0) { snprintf(errstr, STATUS_MAX, "GetIFFlags: interface %s: %s", in_dev, strerror(errno)); 
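Review bot: The terminator writes `hostname[MAXHOSTNAMELEN-1] = '\0'` in TcpClient::Connect and `pt->bssid[MAC_STR_LEN-1]` / `pt->source[MAC_STR_LEN-1]` in ReadGpsCacheFile index with the copy length rather than the size of the destination, so they stay in bounds only while the destination really is declared with that constant; those declarations are outside both hunks. If hostname and the gps_point fields are arrays, `hostname[sizeof hostname - 1] = '\0'` and `pt->bssid[sizeof pt->bssid - 1] = '\0'` tie the write to the object, matching the `sizeof(cpt.bssid)-1` the same patch uses in WriteGpsCacheFile. In ReadGpsCacheFile the source `cpt` comes from the cache file, so terminating after the copy is the right treatment of an untrusted, possibly unterminated field; the memset added in WriteGpsCacheFile also stops uninitialized stack bytes of cpt from reaching the file, assuming cpt is written out verbatim below the hunk, and that second purpose deserves a comment there, e.g. `// zero the padding too: cpt goes to disk as-is`.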
@@ -96,7 +98,8 @@ int Ifconfig_Get_Hwaddr(const char *in_d } // Fetch interface flags - strncpy(ifr.ifr_name, in_dev, IFNAMSIZ); + memset(&ifr, 0, sizeof ifr); + strncpy(ifr.ifr_name, in_dev, sizeof(ifr.ifr_name)-1); if (ioctl(skfd, SIOCGIFHWADDR, &ifr) < 0) { snprintf(errstr, STATUS_MAX, "Getting HWAddr: unknown interface %s: %s", in_dev, strerror(errno)); @@ -122,7 +125,8 @@ int Ifconfig_Set_Hwaddr(const char *in_d return -1; } - strncpy(ifr.ifr_name, in_dev, IFNAMSIZ); + memset(&ifr, 0, sizeof ifr); + strncpy(ifr.ifr_name, in_dev, sizeof(ifr.ifr_name)-1); memcpy(ifr.ifr_hwaddr.sa_data, in_hwaddr, 6); ifr.ifr_hwaddr.sa_family = ARPHRD_ETHER; @@ -151,7 +155,8 @@ int Ifconfig_Set_MTU(const char *in_dev, } // Fetch interface flags - strncpy(ifr.ifr_name, in_dev, IFNAMSIZ); + memset(&ifr, 0, sizeof ifr); + strncpy(ifr.ifr_name, in_dev, sizeof(ifr.ifr_name)-1); ifr.ifr_mtu = in_mtu; if (ioctl(skfd, SIOCSIFMTU, &ifr) < 0) { snprintf(errstr, STATUS_MAX, "Setting MTU: unknown interface %s: %s",