I've found a few unchecked sprintf and strcat. They don't look very dangerous, but you may want to fix them. crypt-gpgme.c: sizeof(helpstr) < sizeof(buf) | helpstr[0] = 0; | mutt_make_help (buf, sizeof (buf), _("Exit "), menu_to_use, OP_EXIT); |- strcat (helpstr, buf); /* __STRCAT_CHECKED__ */ |+ safe_strcat (helpstr, sizeof (helpstr), buf); pgpkeys.c: ditto keymap.c: unchecked sprintf | else if (c >= KEY_F0 && c < KEY_F(256)) /* this maximum is just a guess */ |- sprintf (buf, "<F%d>", c - KEY_F0); |+ snprintf (buf, sizeof (buf), "<F%d>", c - KEY_F0); pop_auth.c: ditto |- sprintf (hash + 2 * i, "%02x", digest[i]); |+ snprintf (hash + 2 * i, sizeof (hash) - (2 * i), "%02x", digest[i]); rfc2231.c: ditto |- sprintf (t, "%%%02X", (unsigned char)*s); |+ snprintf (t, elen - (t - e), "%%%02X", (unsigned char)*s); smime.c: no problem | fname = safe_malloc(13); /* Hash + '.' + Suffix + \0 */ |- sprintf(fname, "%.8x.%i", Table[cur].hash, Table[cur].suffix); |+ snprintf(fname, 13, "%.8x.%i", Table[cur].hash, Table[cur].suffix); imap/imap.c: |- sprintf (uidbuf, "/%u", HEADER_DATA(h)->uid); |+ snprintf (uidbuf, sizeof (uidbuf), "/%u", HEADER_DATA(h)->uid); |- sprintf (uidbuf, "/%u", HEADER_DATA(h)->uid); |+ snprintf (uidbuf, sizeof (uidbuf), "/%u", HEADER_DATA(h)->uid); imap/message.c: |- sprintf(uid_buf, "/%u", h.data->uid); /* XXX --tg 21:41 04-07-11 */ |+ snprintf(uid_buf, sizeof (uid_buf), "/%u", h.data->uid); /* XXX --tg 21:41 04-07-11 */ |- sprintf(uid_buf, "/%u", h.data->uid); |+ snprintf(uid_buf, sizeof (uid_buf), "/%u", h.data->uid); -- tamo
Attachment:
patch-1.5.11cvs.tamo.secwarnings.1.gz
Description: application/gunzip
Index: browser.c =================================================================== RCS file: /home/roessler/cvs/mutt/browser.c,v retrieving revision 3.19 diff -p -u -r3.19 browser.c --- browser.c 6 Oct 2005 06:15:00 -0000 3.19 +++ browser.c 20 May 2006 13:51:42 -0000 @@ -695,7 +695,7 @@ void _mutt_select_file (char *f, size_t if (mutt_strcmp (state.entry[menu->current].name, "..") == 0) { if (mutt_strcmp ("..", LastDir + mutt_strlen (LastDir) - 2) == 0) - strcat (LastDir, "/.."); /* __STRCAT_CHECKED__ */ + safe_strcat (LastDir, sizeof (LastDir), "/.."); else { char *p = strrchr (LastDir + 1, '/'); @@ -707,7 +707,7 @@ void _mutt_select_file (char *f, size_t if (LastDir[0] == '/') LastDir[1] = 0; else - strcat (LastDir, "/.."); /* __STRCAT_CHECKED__ */ + safe_strcat (LastDir, sizeof (LastDir), "/.."); } } } Index: crypt-gpgme.c =================================================================== RCS file: /home/roessler/cvs/mutt/crypt-gpgme.c,v retrieving revision 3.10 diff -p -u -r3.10 crypt-gpgme.c --- crypt-gpgme.c 21 Oct 2005 04:35:37 -0000 3.10 +++ crypt-gpgme.c 20 May 2006 13:51:45 -0000 
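Review bot: Both `safe_strcat (LastDir, sizeof (LastDir), "/..")` calls in _mutt_select_file now truncate silently when LastDir is nearly full, and a clipped "/.." (for example "/." or a bare "/") no longer names the parent directory the user selected. The bound is also only meaningful if LastDir is an array in this scope; its declaration is outside the hunk, so that should be confirmed, because `sizeof` on a pointer would yield the pointer size. I would test the room before appending, `mutt_strlen (LastDir) + sizeof ("/..") <= sizeof (LastDir)`, and refuse the directory change with an error when it fails. The function body starts and ends outside both hunks.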
@@ -3560,15 +3562,15 @@ static crypt_key_t *crypt_select_key (cr helpstr[0] = 0; mutt_make_help (buf, sizeof (buf), _("Exit "), menu_to_use, OP_EXIT); - strcat (helpstr, buf); /* __STRCAT_CHECKED__ */ + safe_strcat (helpstr, sizeof (helpstr), buf); mutt_make_help (buf, sizeof (buf), _("Select "), menu_to_use, OP_GENERIC_SELECT_ENTRY); - strcat (helpstr, buf); /* __STRCAT_CHECKED__ */ + safe_strcat (helpstr, sizeof (helpstr), buf); mutt_make_help (buf, sizeof (buf), _("Check key "), menu_to_use, OP_VERIFY_KEY); - strcat (helpstr, buf); /* __STRCAT_CHECKED__ */ + safe_strcat (helpstr, sizeof (helpstr), buf); mutt_make_help (buf, sizeof (buf), _("Help"), menu_to_use, OP_HELP); - strcat (helpstr, buf); /* __STRCAT_CHECKED__ */ + safe_strcat (helpstr, sizeof (helpstr), buf); menu = mutt_new_menu (); menu->max = i; Index: keymap.c =================================================================== RCS file: /home/roessler/cvs/mutt/keymap.c,v retrieving revision 3.17 diff -p -u -r3.17 keymap.c --- keymap.c 17 Sep 2005 20:46:10 -0000 3.17 +++ keymap.c 20 May 2006 13:51:49 -0000 @@ -508,7 +508,7 @@ char *km_keyname (int c) snprintf (buf, sizeof (buf), "\\%d%d%d", c >> 6, (c >> 3) & 7, c & 7); } else if (c >= KEY_F0 && c < KEY_F(256)) /* this maximum is just a guess */ - sprintf (buf, "<F%d>", c - KEY_F0); + snprintf (buf, sizeof (buf), "<F%d>", c - KEY_F0); else if (IsPrint (c)) snprintf (buf, sizeof (buf), "%c", (unsigned char) c); else Index: pgpkey.c =================================================================== RCS file: /home/roessler/cvs/mutt/pgpkey.c,v retrieving revision 3.11 diff -p -u -r3.11 pgpkey.c --- pgpkey.c 17 Sep 2005 20:46:11 -0000 3.11 +++ pgpkey.c 20 May 2006 13:51:52 -0000 
@@ -512,14 +512,14 @@ static pgp_key_t pgp_select_key (pgp_key helpstr[0] = 0; mutt_make_help (buf, sizeof (buf), _("Exit "), MENU_PGP, OP_EXIT); - strcat (helpstr, buf); /* __STRCAT_CHECKED__ */ + safe_strcat (helpstr, sizeof (helpstr), buf); mutt_make_help (buf, sizeof (buf), _("Select "), MENU_PGP, OP_GENERIC_SELECT_ENTRY); - strcat (helpstr, buf); /* __STRCAT_CHECKED__ */ + safe_strcat (helpstr, sizeof (helpstr), buf); mutt_make_help (buf, sizeof (buf), _("Check key "), MENU_PGP, OP_VERIFY_KEY); - strcat (helpstr, buf); /* __STRCAT_CHECKED__ */ + safe_strcat (helpstr, sizeof (helpstr), buf); mutt_make_help (buf, sizeof (buf), _("Help"), MENU_PGP, OP_HELP); - strcat (helpstr, buf); /* __STRCAT_CHECKED__ */ + safe_strcat (helpstr, sizeof (helpstr), buf); menu = mutt_new_menu (); menu->max = i; Index: pop_auth.c =================================================================== RCS file: /home/roessler/cvs/mutt/pop_auth.c,v retrieving revision 3.7 diff -p -u -r3.7 pop_auth.c --- pop_auth.c 17 Sep 2005 20:46:11 -0000 3.7 +++ pop_auth.c 20 May 2006 13:51:52 -0000 @@ -192,7 +192,7 @@ static pop_auth_res_t pop_auth_apop (POP MD5Final (digest, &mdContext); for (i = 0; i < sizeof (digest); i++) - sprintf (hash + 2 * i, "%02x", digest[i]); + snprintf (hash + 2 * i, sizeof (hash) - (2 * i), "%02x", digest[i]); /* Send APOP command to server */ snprintf (buf, sizeof (buf), "APOP %s %s\r\n", pop_data->conn->account.user, hash); Index: rfc2231.c =================================================================== RCS file: /home/roessler/cvs/mutt/rfc2231.c,v retrieving revision 3.8 diff -p -u -r3.8 rfc2231.c --- rfc2231.c 18 May 2006 17:35:30 -0000 3.8 +++ rfc2231.c 20 May 2006 13:51:53 -0000 
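Review bot: The size argument `sizeof (hash) - (2 * i)` in pop_auth_apop is an unsigned subtraction, so it bounds the write only if hash is an array of at least `2 * sizeof (digest) + 1` bytes. With a smaller buffer the difference would wrap to a very large value and the snprintf call would be effectively unbounded again. Both declarations are outside the hunk, so this is an assumption to confirm rather than something visible here. A compile-time check beside the declarations would pin it, for example `typedef char hash_fits[sizeof (hash) >= 2 * sizeof (digest) + 1 ? 1 : -1];`.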
@@ -348,14 +348,15 @@ int rfc2231_encode_string (char **pd) if (encode) { - e = safe_malloc (dlen + 2*ext + strlen (charset) + 3); - sprintf (e, "%s''", charset); /* __SPRINTF_CHECKED__ */ + size_t elen = dlen + 2*ext + strlen (charset) + 3; + e = safe_malloc (elen); + snprintf (e, elen, "%s''", charset); t = e + strlen (e); for (s = d, slen = dlen; slen; s++, slen--) if (*s < 0x20 || *s >= 0x7f || strchr (MimeSpecials, *s) || strchr ("*'%", *s)) { - sprintf (t, "%%%02X", (unsigned char)*s); + snprintf (t, elen - (t - e), "%%%02X", (unsigned char)*s); t += 3; } else Index: smime.c =================================================================== RCS file: /home/roessler/cvs/mutt/smime.c,v retrieving revision 3.48 diff -p -u -r3.48 smime.c --- smime.c 16 Dec 2005 18:49:40 -0000 3.48 +++ smime.c 20 May 2006 13:51:57 -0000 @@ -465,7 +465,7 @@ char* smime_ask_for_key (char *prompt, c } if (hash) { fname = safe_malloc(13); /* Hash + '.' + Suffix + \0 */ - sprintf(fname, "%.8x.%i", Table[cur].hash, Table[cur].suffix); + snprintf(fname, 13, "%.8x.%i", Table[cur].hash, Table[cur].suffix); } else fname = NULL; Index: imap/imap.c =================================================================== RCS file: /home/roessler/cvs/mutt/imap/imap.c,v retrieving revision 3.81 diff -p -u -r3.81 imap.c --- imap/imap.c 18 May 2006 18:35:10 -0000 3.81 +++ imap/imap.c 20 May 2006 13:51:58 -0000 @@ -262,7 +262,7 @@ void imap_expunge_mailbox (IMAP_DATA* id #if USE_HCACHE if (hc) { - sprintf (uidbuf, "/%u", HEADER_DATA(h)->uid); + snprintf (uidbuf, sizeof (uidbuf), "/%u", HEADER_DATA(h)->uid); mutt_hcache_delete (hc, uidbuf, imap_hcache_keylen); } #endif 
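Review bot: In rfc2231_encode_string the new `snprintf (t, elen - (t - e), "%%%02X", ...)` discards its return value and is followed by an unconditional `t += 3`, so the bound protects only as long as the buffer was large enough anyway. If the count behind `ext` (computed outside the hunk) ever disagreed with the condition in this loop, t would move past `e + elen`, `elen - (t - e)` would wrap to a very large size_t, and every later write through t would be unbounded. Checking the room before the call keeps the limit meaningful, e.g. `if ((size_t) (t - e) + 4 > elen) break;`, or fail the encode at that point. The sum `dlen + 2*ext + strlen (charset) + 3` is also not checked for wrap-around before it reaches safe_malloc.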
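Review bot: `snprintf(fname, 13, "%.8x.%i", ...)` in smime_ask_for_key repeats the magic 13 from the safe_malloc line and ignores the return value, so a suffix that needs more than two characters is now cut off silently instead of overflowing. A shortened name still looks like a valid hash.suffix file name and could refer to a different key or certificate file; how fname is used is outside the hunk, so that consequence is inferred. `%i` can need up to 11 characters and `%.8x` sets a minimum, not a maximum, number of digits. Either size the buffer for the worst case, or keep the size in one named constant and treat a return value `>= 13` as a failure.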
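Review bot: The header-cache key built by `snprintf (uidbuf, sizeof (uidbuf), "/%u", ...)` in imap_expunge_mailbox goes straight into mutt_hcache_delete, so a truncated key would address another UID's entry instead of failing. The same pattern appears in the imap_sync_mailbox hunk and in both imap_read_headers hunks of imap/message.c, where the key feeds mutt_hcache_fetch and mutt_hcache_store. "/%u" needs 12 bytes for a 32-bit UID including the terminator, and the buffer declarations are outside all four hunks, so confirm that uidbuf and uid_buf are arrays of at least that size (on a pointer, `sizeof` would give 4 or 8). A comment at each declaration such as `/* "/" + 10 digits + NUL */` would record the requirement.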
@@ -1148,7 +1148,7 @@ int imap_sync_mailbox (CONTEXT* ctx, int #if USE_HCACHE if (hc && h->deleted) { - sprintf (uidbuf, "/%u", HEADER_DATA(h)->uid); + snprintf (uidbuf, sizeof (uidbuf), "/%u", HEADER_DATA(h)->uid); mutt_hcache_delete (hc, uidbuf, imap_hcache_keylen); } #endif Index: imap/message.c =================================================================== RCS file: /home/roessler/cvs/mutt/imap/message.c,v retrieving revision 3.50 diff -p -u -r3.50 message.c --- imap/message.c 18 May 2006 18:35:10 -0000 3.50 +++ imap/message.c 20 May 2006 13:51:59 -0000 @@ -158,7 +158,7 @@ int imap_read_headers (IMAP_DATA* idata, else if (mfhrc < 0) break; - sprintf(uid_buf, "/%u", h.data->uid); /* XXX --tg 21:41 04-07-11 */ + snprintf(uid_buf, sizeof (uid_buf), "/%u", h.data->uid); /* XXX --tg 21:41 04-07-11 */ uid_validity = (unsigned int*)mutt_hcache_fetch (hc, uid_buf, &imap_hcache_keylen); if (uid_validity != NULL && *uid_validity == idata->uid_validity) @@ -287,7 +287,7 @@ int imap_read_headers (IMAP_DATA* idata, ctx->hdrs[msgno]->content->length = h.content_length; #if USE_HCACHE - sprintf(uid_buf, "/%u", h.data->uid); + snprintf(uid_buf, sizeof (uid_buf), "/%u", h.data->uid); mutt_hcache_store(hc, uid_buf, ctx->hdrs[msgno], idata->uid_validity, &imap_hcache_keylen); #endif /* USE_HCACHE */