diff options
-rw-r--r-- | audio/audio.c | 18 | ||||
-rw-r--r-- | block-vmdk.c | 17 | ||||
-rw-r--r-- | block-vvfat.c | 10 | ||||
-rw-r--r-- | dis-asm.h | 1 | ||||
-rw-r--r-- | gdbstub.c | 29 | ||||
-rw-r--r-- | hw/sun4m.c | 15 | ||||
-rw-r--r-- | hw/sun4u.c | 15 | ||||
-rw-r--r-- | hw/usb-net.c | 8 | ||||
-rw-r--r-- | hw/vga.c | 8 | ||||
-rw-r--r-- | i386-dis.c | 94 | ||||
-rw-r--r-- | monitor.c | 10 | ||||
-rw-r--r-- | qemu-malloc.c | 5 | ||||
-rw-r--r-- | slirp/misc.c | 5 | ||||
-rw-r--r-- | slirp/slirp.c | 2 | ||||
-rw-r--r-- | slirp/tcp_subr.c | 44 | ||||
-rw-r--r-- | slirp/tftp.c | 7 | ||||
-rw-r--r-- | vl.c | 19 |
17 files changed, 170 insertions, 137 deletions
diff --git a/audio/audio.c b/audio/audio.c index 84eaa83..20bb2fc 100644 --- a/audio/audio.c +++ b/audio/audio.c @@ -211,8 +211,8 @@ static char *audio_alloc_prefix (const char *s) size_t i; char *u = r + sizeof (qemu_prefix) - 1; - strcpy (r, qemu_prefix); - strcat (r, s); + pstrcpy (r, len + sizeof (qemu_prefix), qemu_prefix); + pstrcat (r, len, s); for (i = 0; i < len; ++i) { u[i] = toupper (u[i]); @@ -430,7 +430,7 @@ static void audio_process_options (const char *prefix, { char *optname; const char qemu_prefix[] = "QEMU_"; - size_t preflen; + size_t preflen, optlen; if (audio_bug (AUDIO_FUNC, !prefix)) { dolog ("prefix = NULL\n"); @@ -458,21 +458,25 @@ static void audio_process_options (const char *prefix, /* len of opt->name + len of prefix + size of qemu_prefix * (includes trailing zero) + zero + underscore (on behalf of * sizeof) */ - optname = qemu_malloc (len + preflen + sizeof (qemu_prefix) + 1); + optlen = len + preflen + sizeof (qemu_prefix) + 1; + optname = qemu_malloc (optlen); if (!optname) { dolog ("Could not allocate memory for option name `%s'\n", opt->name); continue; } - strcpy (optname, qemu_prefix); + pstrcpy (optname, optlen, qemu_prefix); + optlen -= preflen; /* copy while upper-casing, including trailing zero */ for (i = 0; i <= preflen; ++i) { optname[i + sizeof (qemu_prefix) - 1] = toupper (prefix[i]); } - strcat (optname, "_"); - strcat (optname, opt->name); + pstrcat (optname, optlen, "_"); + optlen--; + pstrcat (optname, optlen, opt->name); + optlen -= len; def = 1; switch (opt->tag) { diff --git a/block-vmdk.c b/block-vmdk.c index 7eb9c3c..e85bd42 100644 --- a/block-vmdk.c +++ b/block-vmdk.c @@ -153,11 +153,11 @@ static int vmdk_write_cid(BlockDriverState *bs, uint32_t cid) return -1; tmp_str = strstr(desc,"parentCID"); - strcpy(tmp_desc, tmp_str); + pstrcpy(tmp_desc, sizeof(tmp_desc), tmp_str); if ((p_name = strstr(desc,"CID")) != 0) { p_name += sizeof("CID"); - sprintf(p_name,"%x\n",cid); - strcat(desc,tmp_desc); + snprintf(p_name, sizeof(desc) - (p_name - desc), "%x\n", cid); + pstrcat(desc, sizeof(desc), tmp_desc); } if (bdrv_pwrite(s->hd, 0x200, desc, DESC_SIZE) != DESC_SIZE) @@ -252,8 +252,8 @@ static int vmdk_snapshot_create(const char *filename, const char *backing_file) if ((temp_str = strrchr(real_filename, ':')) != NULL) real_filename = temp_str + 1; - sprintf(s_desc, desc_template, p_cid, p_cid, backing_file - , (uint32_t)header.capacity, real_filename); + snprintf(s_desc, sizeof(s_desc), desc_template, p_cid, p_cid, backing_file, + (uint32_t)header.capacity, real_filename); /* write the descriptor */ if (lseek(snp_fd, 0x200, SEEK_SET) == -1) @@ -349,7 +349,8 @@ static int vmdk_parent_open(BlockDriverState *bs, const char * filename) path_combine(parent_img_name, sizeof(parent_img_name), filename, s->hd->backing_file); } else { - strcpy(parent_img_name, s->hd->backing_file); + pstrcpy(parent_img_name, sizeof(parent_img_name), + s->hd->backing_file); } s->hd->backing_hd = bdrv_new(""); @@ -790,8 +791,8 @@ static int vmdk_create(const char *filename, int64_t total_size, real_filename = temp_str + 1; if ((temp_str = strrchr(real_filename, ':')) != NULL) real_filename = temp_str + 1; - sprintf(desc, desc_template, time(NULL), (unsigned long)total_size, - real_filename, (flags & BLOCK_FLAG_COMPAT6 ? 6 : 4), total_size / (63 * 16)); + snprintf(desc, sizeof(desc), desc_template, time(NULL), (unsigned long)total_size, + real_filename, (flags & BLOCK_FLAG_COMPAT6 ? 6 : 4), total_size / (63 * 16)); /* write the descriptor */ lseek(fd, le64_to_cpu(header.desc_offset) << 9, SEEK_SET); diff --git a/block-vvfat.c b/block-vvfat.c index 6de76c6..79804a7 100644 --- a/block-vvfat.c +++ b/block-vvfat.c @@ -1733,7 +1733,7 @@ static int check_directory_consistency(BDRVVVFATState *s, char path2[PATH_MAX]; assert(path_len < PATH_MAX); /* len was tested before! */ - strcpy(path2, path); + pstrcpy(path2, sizeof(path2), path); path2[path_len] = '/'; path2[path_len + 1] = '\0'; @@ -1807,7 +1807,8 @@ DLOG(fprintf(stderr, "check direntry %d: \n", i); print_direntry(direntries + i) fprintf(stderr, "Name too long: %s/%s\n", path, lfn.name); goto fail; } - strcpy(path2 + path_len + 1, (char*)lfn.name); + pstrcpy(path2 + path_len + 1, sizeof(path2) - path_len - 1, + (char*)lfn.name); if (is_directory(direntries + i)) { if (begin_of_direntry(direntries + i) == 0) { @@ -2372,8 +2373,9 @@ static int handle_renames_and_mkdirs(BDRVVVFATState* s) assert(!strncmp(m->path, mapping->path, l2)); - strcpy(new_path, mapping->path); - strcpy(new_path + l1, m->path + l2); + pstrcpy(new_path, l + diff + 1, mapping->path); + pstrcpy(new_path + l1, l + diff + 1 - l1, + m->path + l2); schedule_rename(s, m->begin, new_path); } @@ -20,6 +20,7 @@ typedef uint64_t bfd_vma; typedef int64_t bfd_signed_vma; typedef uint8_t bfd_byte; #define sprintf_vma(s,x) sprintf (s, "%0" PRIx64, x) +#define snprintf_vma(s,ss,x) snprintf (s, ss, "%0" PRIx64, x) #define BFD64 @@ -1173,10 +1173,10 @@ static int gdb_handle_packet(GDBState *s, CPUState *env, const char *line_buf) /* parse any 'q' packets here */ if (!strcmp(p,"qemu.sstepbits")) { /* Query Breakpoint bit definitions */ - sprintf(buf,"ENABLE=%x,NOIRQ=%x,NOTIMER=%x", - SSTEP_ENABLE, - SSTEP_NOIRQ, - SSTEP_NOTIMER); + snprintf(buf, sizeof(buf), "ENABLE=%x,NOIRQ=%x,NOTIMER=%x", + SSTEP_ENABLE, + SSTEP_NOIRQ, + SSTEP_NOTIMER); put_packet(s, buf); break; } else if (strncmp(p,"qemu.sstep",10) == 0) { @@ -1184,7 +1184,7 @@ static int gdb_handle_packet(GDBState *s, CPUState *env, const char *line_buf) p += 10; if (*p != '=') { /* Display current setting */ - sprintf(buf,"0x%x", sstep_flags); + snprintf(buf, sizeof(buf), "0x%x", sstep_flags); put_packet(s, buf); break; } @@ -1198,12 +1198,12 @@ static int gdb_handle_packet(GDBState *s, CPUState *env, const char *line_buf) else if (strncmp(p, "Offsets", 7) == 0) { TaskState *ts = env->opaque; - sprintf(buf, - "Text=" TARGET_ABI_FMT_lx ";Data=" TARGET_ABI_FMT_lx - ";Bss=" TARGET_ABI_FMT_lx, - ts->info->code_offset, - ts->info->data_offset, - ts->info->data_offset); + snprintf(buf, sizeof(buf), + "Text=" TARGET_ABI_FMT_lx ";Data=" TARGET_ABI_FMT_lx + ";Bss=" TARGET_ABI_FMT_lx, + ts->info->code_offset, + ts->info->data_offset, + ts->info->data_offset); put_packet(s, buf); break; } @@ -1286,17 +1286,18 @@ void gdb_do_syscall(gdb_syscall_complete_cb cb, char *fmt, ...) switch (*fmt++) { case 'x': addr = va_arg(va, target_ulong); - p += sprintf(p, TARGET_FMT_lx, addr); + p += snprintf(p, &buf[sizeof(buf)] - p, TARGET_FMT_lx, addr); break; case 'l': if (*(fmt++) != 'x') goto bad_format; i64 = va_arg(va, uint64_t); - p += sprintf(p, "%" PRIx64, i64); + p += snprintf(p, &buf[sizeof(buf)] - p, "%" PRIx64, i64); break; case 's': addr = va_arg(va, target_ulong); - p += sprintf(p, TARGET_FMT_lx "/%x", addr, va_arg(va, int)); + p += snprintf(p, &buf[sizeof(buf)] - p, TARGET_FMT_lx "/%x", + addr, va_arg(va, int)); break; default: bad_format: @@ -159,7 +159,8 @@ static int nvram_boot_set(void *opaque, const char *boot_device) for (i = 0; i < sizeof(image); i++) image[i] = m48t59_read(nvram, i) & 0xff; - strcpy((char *)header->boot_devices, boot_device); + pstrcpy((char *)header->boot_devices, sizeof(header->boot_devices), + boot_device); header->nboot_devices = strlen(boot_device) & 0xff; header->crc = cpu_to_be16(OHW_compute_crc(header, 0x00, 0xF8)); @@ -187,17 +188,19 @@ static void nvram_init(m48t59_t *nvram, uint8_t *macaddr, const char *cmdline, memset(image, '\0', sizeof(image)); // Try to match PPC NVRAM - strcpy((char *)header->struct_ident, "QEMU_BIOS"); + pstrcpy((char *)header->struct_ident, sizeof(header->struct_ident), + "QEMU_BIOS"); header->struct_version = cpu_to_be32(3); /* structure v3 */ header->nvram_size = cpu_to_be16(0x2000); header->nvram_arch_ptr = cpu_to_be16(sizeof(ohwcfg_v3_t)); header->nvram_arch_size = cpu_to_be16(sizeof(struct sparc_arch_cfg)); - strcpy((char *)header->arch, arch); + pstrcpy((char *)header->arch, sizeof(header->arch), arch); header->nb_cpus = smp_cpus & 0xff; header->RAM0_base = 0; header->RAM0_size = cpu_to_be64((uint64_t)RAM_size); - strcpy((char *)header->boot_devices, boot_devices); + pstrcpy((char *)header->boot_devices, sizeof(header->boot_devices), + boot_devices); header->nboot_devices = strlen(boot_devices) & 0xff; header->kernel_image = cpu_to_be64((uint64_t)KERNEL_LOAD_ADDR); header->kernel_size = cpu_to_be64((uint64_t)kernel_size); @@ -225,7 +228,7 @@ static void nvram_init(m48t59_t *nvram, uint8_t *macaddr, const char *cmdline, // Variable partition part_header = (struct OpenBIOS_nvpart_v1 *)&image[start]; part_header->signature = OPENBIOS_PART_SYSTEM; - strcpy(part_header->name, "system"); + pstrcpy(part_header->name, sizeof(part_header->name), "system"); end = start + sizeof(struct OpenBIOS_nvpart_v1); for (i = 0; i < nb_prom_envs; i++) @@ -241,7 +244,7 @@ static void nvram_init(m48t59_t *nvram, uint8_t *macaddr, const char *cmdline, start = end; part_header = (struct OpenBIOS_nvpart_v1 *)&image[start]; part_header->signature = OPENBIOS_PART_FREE; - strcpy(part_header->name, "free"); + pstrcpy(part_header->name, sizeof(part_header->name), "free"); end = 0x1fd0; OpenBIOS_finish_partition(part_header, end - start); @@ -82,7 +82,8 @@ static int nvram_boot_set(void *opaque, const char *boot_device) for (i = 0; i < sizeof(image); i++) image[i] = m48t59_read(nvram, i) & 0xff; - strcpy((char *)header->boot_devices, boot_device); + pstrcpy((char *)header->boot_devices, sizeof(header->boot_devices), + boot_device); header->nboot_devices = strlen(boot_device) & 0xff; header->crc = cpu_to_be16(OHW_compute_crc(header, 0x00, 0xF8)); @@ -115,17 +116,19 @@ static int sun4u_NVRAM_set_params (m48t59_t *nvram, uint16_t NVRAM_size, memset(image, '\0', sizeof(image)); // Try to match PPC NVRAM - strcpy((char *)header->struct_ident, "QEMU_BIOS"); + pstrcpy((char *)header->struct_ident, sizeof(header->struct_ident), + "QEMU_BIOS"); header->struct_version = cpu_to_be32(3); /* structure v3 */ header->nvram_size = cpu_to_be16(NVRAM_size); header->nvram_arch_ptr = cpu_to_be16(sizeof(ohwcfg_v3_t)); header->nvram_arch_size = cpu_to_be16(sizeof(struct sparc_arch_cfg)); - strcpy((char *)header->arch, arch); + pstrcpy((char *)header->arch, sizeof(header->arch), arch); header->nb_cpus = smp_cpus & 0xff; header->RAM0_base = 0; header->RAM0_size = cpu_to_be64((uint64_t)RAM_size); - strcpy((char *)header->boot_devices, boot_devices); + pstrcpy((char *)header->boot_devices, sizeof(header->boot_devices), + boot_devices); header->nboot_devices = strlen(boot_devices) & 0xff; header->kernel_image = cpu_to_be64((uint64_t)kernel_image); header->kernel_size = cpu_to_be64((uint64_t)kernel_size); @@ -156,7 +159,7 @@ static int sun4u_NVRAM_set_params (m48t59_t *nvram, uint16_t NVRAM_size, // Variable partition part_header = (struct OpenBIOS_nvpart_v1 *)&image[start]; part_header->signature = OPENBIOS_PART_SYSTEM; - strcpy(part_header->name, "system"); + pstrcpy(part_header->name, sizeof(part_header->name), "system"); end = start + sizeof(struct OpenBIOS_nvpart_v1); for (i = 0; i < nb_prom_envs; i++) @@ -172,7 +175,7 @@ static int sun4u_NVRAM_set_params (m48t59_t *nvram, uint16_t NVRAM_size, start = end; part_header = (struct OpenBIOS_nvpart_v1 *)&image[start]; part_header->signature = OPENBIOS_PART_FREE; - strcpy(part_header->name, "free"); + pstrcpy(part_header->name, sizeof(part_header->name), "free"); end = 0x1fd0; OpenBIOS_finish_partition(part_header, end - start); diff --git a/hw/usb-net.c b/hw/usb-net.c index 7c25f3d..27dea10 100644 --- a/hw/usb-net.c +++ b/hw/usb-net.c @@ -625,7 +625,8 @@ typedef struct USBNetState { } USBNetState; static int ndis_query(USBNetState *s, uint32_t oid, - uint8_t *inbuf, unsigned int inlen, uint8_t *outbuf) + uint8_t *inbuf, unsigned int inlen, uint8_t *outbuf, + size_t outlen) { unsigned int i, count; @@ -680,7 +681,7 @@ static int ndis_query(USBNetState *s, uint32_t oid, /* mandatory */ case OID_GEN_VENDOR_DESCRIPTION: - strcpy(outbuf, "QEMU USB RNDIS Net"); + pstrcpy(outbuf, outlen, "QEMU USB RNDIS Net"); return strlen(outbuf) + 1; case OID_GEN_VENDOR_DRIVER_VERSION: @@ -882,7 +883,8 @@ static int rndis_query_response(USBNetState *s, return USB_RET_STALL; infobuflen = ndis_query(s, le32_to_cpu(buf->OID), - bufoffs + (uint8_t *) buf, buflen, infobuf); + bufoffs + (uint8_t *) buf, buflen, infobuf, + sizeof(infobuf)); resplen = sizeof(rndis_query_cmplt_type) + ((infobuflen < 0) ? 0 : infobuflen); resp = rndis_queue_response(s, resplen); @@ -1726,7 +1726,8 @@ static void vga_update_text(void *opaque, console_ch_t *chardata) if (!full_update) return; - sprintf(msg_buffer, "%i x %i Text mode", width, height); + snprintf(msg_buffer, sizeof(msg_buffer), "%i x %i Text mode", + width, height); break; } @@ -1799,14 +1800,15 @@ static void vga_update_text(void *opaque, console_ch_t *chardata) return; s->get_resolution(s, &width, &height); - sprintf(msg_buffer, "%i x %i Graphic mode", width, height); + snprintf(msg_buffer, sizeof(msg_buffer), "%i x %i Graphic mode", + width, height); break; case GMODE_BLANK: default: if (!full_update) return; - sprintf(msg_buffer, "VGA Blank mode"); + snprintf(msg_buffer, sizeof(msg_buffer), "VGA Blank mode"); break; } @@ -37,6 +37,7 @@ Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ #include <stdlib.h> #include "dis-asm.h" +#include "qemu-common.h" #define MAXLEN 20 @@ -59,7 +60,8 @@ static int putop PARAMS ((const char *, int)); static void oappend PARAMS ((const char *)); static void append_seg PARAMS ((void)); static void OP_indirE PARAMS ((int, int)); -static void print_operand_value PARAMS ((char *, int, bfd_vma)); +static void print_operand_value (char *buf, size_t bufsize, int hex, + bfd_vma disp); static void OP_E PARAMS ((int, int)); static void OP_G PARAMS ((int, int)); static bfd_vma get64 PARAMS ((void)); @@ -2512,7 +2514,7 @@ dofloat (sizeflag) /* Instruction fnstsw is only one with strange arg. */ if (floatop == 0xdf && codep[-1] == 0xe0) - strcpy (op1out, names16[0]); + pstrcpy (op1out, sizeof(op1out), names16[0]); } else { @@ -2540,7 +2542,7 @@ OP_STi (bytemode, sizeflag) int bytemode; int sizeflag; { - sprintf (scratchbuf, "%%st(%d)", rm); + snprintf (scratchbuf, sizeof(scratchbuf), "%%st(%d)", rm); oappend (scratchbuf + intel_syntax); } @@ -2573,7 +2575,7 @@ putop (template, sizeflag) if (*p == '}') { /* Alternative not valid. */ - strcpy (obuf, "(bad)"); + pstrcpy (obuf, sizeof(obuf), "(bad)"); obufp = obuf + 5; return 1; } @@ -2824,7 +2826,7 @@ static void oappend (s) const char *s; { - strcpy (obufp, s); + pstrcpy (obufp, (size_t)(obufp - obuf), s); obufp += strlen (s); } @@ -2874,10 +2876,7 @@ OP_indirE (bytemode, sizeflag) } static void -print_operand_value (buf, hex, disp) - char *buf; - int hex; - bfd_vma disp; +print_operand_value (char *buf, size_t bufsize, int hex, bfd_vma disp) { if (mode_64bit) { @@ -2887,9 +2886,9 @@ print_operand_value (buf, hex, disp) int i; buf[0] = '0'; buf[1] = 'x'; - sprintf_vma (tmp, disp); + snprintf_vma (tmp, sizeof(tmp), disp); for (i = 0; tmp[i] == '0' && tmp[i + 1]; i++); - strcpy (buf + 2, tmp + i); + pstrcpy (buf + 2, bufsize - 2, tmp + i); } else { @@ -2903,13 +2902,13 @@ print_operand_value (buf, hex, disp) /* Check for possible overflow on 0x8000000000000000. */ if (v < 0) { - strcpy (buf, "9223372036854775808"); + pstrcpy (buf, bufsize, "9223372036854775808"); return; } } if (!v) { - strcpy (buf, "0"); + pstrcpy (buf, bufsize, "0"); return; } @@ -2921,15 +2920,15 @@ print_operand_value (buf, hex, disp) v /= 10; i++; } - strcpy (buf, tmp + 29 - i); + pstrcpy (buf, bufsize, tmp + 29 - i); } } else { if (hex) - sprintf (buf, "0x%x", (unsigned int) disp); + snprintf (buf, bufsize, "0x%x", (unsigned int) disp); else - sprintf (buf, "%d", (int) disp); + snprintf (buf, bufsize, "%d", (int) disp); } } @@ -3054,7 +3053,7 @@ OP_E (bytemode, sizeflag) if (!intel_syntax) if (mod != 0 || (base & 7) == 5) { - print_operand_value (scratchbuf, !riprel, disp); + print_operand_value (scratchbuf, sizeof(scratchbuf), !riprel, disp); oappend (scratchbuf); if (riprel) { @@ -3115,14 +3114,14 @@ OP_E (bytemode, sizeflag) *obufp++ = separator_char; *obufp = '\0'; } - sprintf (scratchbuf, "%s", - mode_64bit && (sizeflag & AFLAG) - ? names64[index] : names32[index]); + snprintf (scratchbuf, sizeof(scratchbuf), "%s", + mode_64bit && (sizeflag & AFLAG) + ? names64[index] : names32[index]); } else - sprintf (scratchbuf, ",%s", - mode_64bit && (sizeflag & AFLAG) - ? names64[index] : names32[index]); + snprintf (scratchbuf, sizeof(scratchbuf), ",%s", + mode_64bit && (sizeflag & AFLAG) + ? names64[index] : names32[index]); oappend (scratchbuf); } if (!intel_syntax @@ -3133,7 +3132,7 @@ OP_E (bytemode, sizeflag) { *obufp++ = scale_char; *obufp = '\0'; - sprintf (scratchbuf, "%d", 1 << scale); + snprintf (scratchbuf, sizeof(scratchbuf), "%d", 1 << scale); oappend (scratchbuf); } } @@ -3149,7 +3148,8 @@ OP_E (bytemode, sizeflag) *obufp = '\0'; } - print_operand_value (scratchbuf, 0, disp); + print_operand_value (scratchbuf, sizeof(scratchbuf), 0, + disp); oappend (scratchbuf); } } @@ -3169,7 +3169,7 @@ OP_E (bytemode, sizeflag) oappend (names_seg[ds_reg - es_reg]); oappend (":"); } - print_operand_value (scratchbuf, 1, disp); + print_operand_value (scratchbuf, sizeof(scratchbuf), 1, disp); oappend (scratchbuf); } } @@ -3202,7 +3202,7 @@ OP_E (bytemode, sizeflag) if (!intel_syntax) if (mod != 0 || (rm & 7) == 6) { - print_operand_value (scratchbuf, 0, disp); + print_operand_value (scratchbuf, sizeof(scratchbuf), 0, disp); oappend (scratchbuf); } @@ -3504,7 +3504,7 @@ OP_I (bytemode, sizeflag) op &= mask; scratchbuf[0] = '$'; - print_operand_value (scratchbuf + 1, 1, op); + print_operand_value (scratchbuf + 1, sizeof(scratchbuf) - 1, 1, op); oappend (scratchbuf + intel_syntax); scratchbuf[0] = '\0'; } @@ -3557,7 +3557,7 @@ OP_I64 (bytemode, sizeflag) op &= mask; scratchbuf[0] = '$'; - print_operand_value (scratchbuf + 1, 1, op); + print_operand_value (scratchbuf + 1, sizeof(scratchbuf) - 1, 1, op); oappend (scratchbuf + intel_syntax); scratchbuf[0] = '\0'; } @@ -3609,7 +3609,7 @@ OP_sI (bytemode, sizeflag) } scratchbuf[0] = '$'; - print_operand_value (scratchbuf + 1, 1, op); + print_operand_value (scratchbuf + 1, sizeof(scratchbuf) - 1, 1, op); oappend (scratchbuf + intel_syntax); } @@ -3647,7 +3647,7 @@ OP_J (bytemode, sizeflag) } disp = (start_pc + codep - start_codep + disp) & mask; set_op (disp, 0); - print_operand_value (scratchbuf, 1, disp); + print_operand_value (scratchbuf, sizeof(scratchbuf), 1, disp); oappend (scratchbuf); } @@ -3678,9 +3678,9 @@ OP_DIR (dummy, sizeflag) } used_prefixes |= (prefixes & PREFIX_DATA); if (intel_syntax) - sprintf (scratchbuf, "0x%x,0x%x", seg, offset); + snprintf (scratchbuf, sizeof(scratchbuf), "0x%x,0x%x", seg, offset); else - sprintf (scratchbuf, "$0x%x,$0x%x", seg, offset); + snprintf (scratchbuf, sizeof(scratchbuf), "$0x%x,$0x%x", seg, offset); oappend (scratchbuf); } @@ -3707,7 +3707,7 @@ OP_OFF (bytemode, sizeflag) oappend (":"); } } - print_operand_value (scratchbuf, 1, off); + print_operand_value (scratchbuf, sizeof(scratchbuf), 1, off); oappend (scratchbuf); } @@ -3737,7 +3737,7 @@ OP_OFF64 (bytemode, sizeflag) oappend (":"); } } - print_operand_value (scratchbuf, 1, off); + print_operand_value (scratchbuf, sizeof(scratchbuf), 1, off); oappend (scratchbuf); } @@ -3806,7 +3806,7 @@ OP_C (dummy, sizeflag) USED_REX (REX_EXTX); if (rex & REX_EXTX) add = 8; - sprintf (scratchbuf, "%%cr%d", reg + add); + snprintf (scratchbuf, sizeof(scratchbuf), "%%cr%d", reg + add); oappend (scratchbuf + intel_syntax); } @@ -3820,9 +3820,9 @@ OP_D (dummy, sizeflag) if (rex & REX_EXTX) add = 8; if (intel_syntax) - sprintf (scratchbuf, "db%d", reg + add); + snprintf (scratchbuf, sizeof(scratchbuf), "db%d", reg + add); else - sprintf (scratchbuf, "%%db%d", reg + add); + snprintf (scratchbuf, sizeof(scratchbuf), "%%db%d", reg + add); oappend (scratchbuf); } @@ -3831,7 +3831,7 @@ OP_T (dummy, sizeflag) int dummy; int sizeflag; { - sprintf (scratchbuf, "%%tr%d", reg); + snprintf (scratchbuf, sizeof(scratchbuf), "%%tr%d", reg); oappend (scratchbuf + intel_syntax); } @@ -3857,9 +3857,9 @@ OP_MMX (bytemode, sizeflag) add = 8; used_prefixes |= (prefixes & PREFIX_DATA); if (prefixes & PREFIX_DATA) - sprintf (scratchbuf, "%%xmm%d", reg + add); + snprintf (scratchbuf, sizeof(scratchbuf), "%%xmm%d", reg + add); else - sprintf (scratchbuf, "%%mm%d", reg + add); + snprintf (scratchbuf, sizeof(scratchbuf), "%%mm%d", reg + add); oappend (scratchbuf + intel_syntax); } @@ -3872,7 +3872,7 @@ OP_XMM (bytemode, sizeflag) USED_REX (REX_EXTX); if (rex & REX_EXTX) add = 8; - sprintf (scratchbuf, "%%xmm%d", reg + add); + snprintf (scratchbuf, sizeof(scratchbuf), "%%xmm%d", reg + add); oappend (scratchbuf + intel_syntax); } @@ -3896,9 +3896,9 @@ OP_EM (bytemode, sizeflag) codep++; used_prefixes |= (prefixes & PREFIX_DATA); if (prefixes & PREFIX_DATA) - sprintf (scratchbuf, "%%xmm%d", rm + add); + snprintf (scratchbuf, sizeof(scratchbuf), "%%xmm%d", rm + add); else - sprintf (scratchbuf, "%%mm%d", rm + add); + snprintf (scratchbuf, sizeof(scratchbuf), "%%mm%d", rm + add); oappend (scratchbuf + intel_syntax); } @@ -3920,7 +3920,7 @@ OP_EX (bytemode, sizeflag) /* Skip mod/rm byte. */ MODRM_CHECK; codep++; - sprintf (scratchbuf, "%%xmm%d", rm + add); + snprintf (scratchbuf, sizeof(scratchbuf), "%%xmm%d", rm + add); oappend (scratchbuf + intel_syntax); } @@ -4079,8 +4079,8 @@ OP_SIMD_Suffix (bytemode, sizeflag) suffix1 = 's', suffix2 = 'd'; } } - sprintf (scratchbuf, "cmp%s%c%c", - simd_cmp_op[cmp_type], suffix1, suffix2); + snprintf (scratchbuf, sizeof(scratchbuf), "cmp%s%c%c", + simd_cmp_op[cmp_type], suffix1, suffix2); used_prefixes |= (prefixes & PREFIX_REPZ); oappend (scratchbuf); } @@ -2251,7 +2251,7 @@ static void monitor_handle_command(const char *cmdline) goto fail; } str = qemu_malloc(strlen(buf) + 1); - strcpy(str, buf); + pstrcpy(str, sizeof(buf), buf); str_allocated[nb_args] = str; add_str: if (nb_args >= MAX_ARGS) { @@ -2518,7 +2518,7 @@ static void file_completion(const char *input) if (!p) { input_path_len = 0; pstrcpy(file_prefix, sizeof(file_prefix), input); - strcpy(path, "."); + pstrcpy(path, sizeof(path), "."); } else { input_path_len = p - input + 1; memcpy(path, input, input_path_len); @@ -2540,13 +2540,15 @@ static void file_completion(const char *input) break; if (strstart(d->d_name, file_prefix, NULL)) { memcpy(file, input, input_path_len); - strcpy(file + input_path_len, d->d_name); + if (input_path_len < sizeof(file)) + pstrcpy(file + input_path_len, sizeof(file) - input_path_len, + d->d_name); /* stat the file to find out if it's a directory. * In that case add a slash to speed up typing long paths */ stat(file, &sb); if(S_ISDIR(sb.st_mode)) - strcat(file, "/"); + pstrcat(file, sizeof(file), "/"); add_completion(file); } } diff --git a/qemu-malloc.c b/qemu-malloc.c index 606eda6..8ad6168 100644 --- a/qemu-malloc.c +++ b/qemu-malloc.c @@ -56,9 +56,10 @@ void *qemu_mallocz(size_t size) char *qemu_strdup(const char *str) { char *ptr; - ptr = qemu_malloc(strlen(str) + 1); + size_t len = strlen(str); + ptr = qemu_malloc(len + 1); if (!ptr) return NULL; - strcpy(ptr, str); + pstrcpy(ptr, len, str); return ptr; } diff --git a/slirp/misc.c b/slirp/misc.c index 337f8a8..032a1f7 100644 --- a/slirp/misc.c +++ b/slirp/misc.c @@ -417,8 +417,9 @@ fork_exec(struct socket *so, const char *ex, int do_pty) { char buff[256]; - sprintf(buff, "Error: execvp of %s failed: %s\n", - argv[0], strerror(errno)); + snprintf(buff, sizeof(buff), + "Error: execvp of %s failed: %s\n", + argv[0], strerror(errno)); write(2, buff, strlen(buff)+1); } close(0); close(1); close(2); /* XXX */ diff --git a/slirp/slirp.c b/slirp/slirp.c index 158fd7d..a975b3e 100644 --- a/slirp/slirp.c +++ b/slirp/slirp.c @@ -84,7 +84,7 @@ static int get_dns_addr(struct in_addr *pdns_addr) static int get_dns_addr(struct in_addr *pdns_addr) { char buff[512]; - char buff2[256]; + char buff2[257]; FILE *f; int found = 0; struct in_addr tmp_addr; diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c index ba1296d..ec423b7 100644 --- a/slirp/tcp_subr.c +++ b/slirp/tcp_subr.c @@ -629,7 +629,7 @@ tcp_emu(so, m) struct mbuf *m; { u_int n1, n2, n3, n4, n5, n6; - char buff[256]; + char buff[257]; u_int32_t laddr; u_int lport; char *bptr; @@ -673,7 +673,9 @@ tcp_emu(so, m) } } } - so_rcv->sb_cc = sprintf(so_rcv->sb_data, "%d,%d\r\n", n1, n2); + so_rcv->sb_cc = snprintf(so_rcv->sb_data, + so_rcv->sb_datalen, + "%d,%d\r\n", n1, n2); so_rcv->sb_rptr = so_rcv->sb_data; so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc; } @@ -1007,8 +1009,9 @@ do_prompt: n4 = (laddr & 0xff); m->m_len = bptr - m->m_data; /* Adjust length */ - m->m_len += sprintf(bptr,"ORT %d,%d,%d,%d,%d,%d\r\n%s", - n1, n2, n3, n4, n5, n6, x==7?buff:""); + m->m_len += snprintf(bptr, m->m_hdr.mh_size - m->m_len, + "ORT %d,%d,%d,%d,%d,%d\r\n%s", + n1, n2, n3, n4, n5, n6, x==7?buff:""); return 1; } else if ((bptr = (char *)strstr(m->m_data, "27 Entering")) != NULL) { /* @@ -1038,8 +1041,9 @@ do_prompt: n4 = (laddr & 0xff); m->m_len = bptr - m->m_data; /* Adjust length */ - m->m_len += sprintf(bptr,"27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s", - n1, n2, n3, n4, n5, n6, x==7?buff:""); + m->m_len += snprintf(bptr, m->m_hdr.mh_size - m->m_len, + "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s", + n1, n2, n3, n4, n5, n6, x==7?buff:""); return 1; } @@ -1062,7 +1066,8 @@ do_prompt: } if (m->m_data[m->m_len-1] == '\0' && lport != 0 && (so = solisten(0, so->so_laddr.s_addr, htons(lport), SS_FACCEPTONCE)) != NULL) - m->m_len = sprintf(m->m_data, "%d", ntohs(so->so_fport))+1; + m->m_len = snprintf(m->m_data, m->m_hdr.mh_size, "%d", + ntohs(so->so_fport)) + 1; return 1; case EMU_IRC: @@ -1079,25 +1084,28 @@ do_prompt: return 1; m->m_len = bptr - m->m_data; /* Adjust length */ - m->m_len += sprintf(bptr, "DCC CHAT chat %lu %u%c\n", - (unsigned long)ntohl(so->so_faddr.s_addr), - ntohs(so->so_fport), 1); + m->m_len += snprintf(bptr, m->m_hdr.mh_size, + "DCC CHAT chat %lu %u%c\n", + (unsigned long)ntohl(so->so_faddr.s_addr), + ntohs(so->so_fport), 1); } else if (sscanf(bptr, "DCC SEND %256s %u %u %u", buff, &laddr, &lport, &n1) == 4) { if ((so = solisten(0, htonl(laddr), htons(lport), SS_FACCEPTONCE)) == NULL) return 1; m->m_len = bptr - m->m_data; /* Adjust length */ - m->m_len += sprintf(bptr, "DCC SEND %s %lu %u %u%c\n", - buff, (unsigned long)ntohl(so->so_faddr.s_addr), - ntohs(so->so_fport), n1, 1); + m->m_len += snprintf(bptr, m->m_hdr.mh_size, + "DCC SEND %s %lu %u %u%c\n", buff, + (unsigned long)ntohl(so->so_faddr.s_addr), + ntohs(so->so_fport), n1, 1); } else if (sscanf(bptr, "DCC MOVE %256s %u %u %u", buff, &laddr, &lport, &n1) == 4) { if ((so = solisten(0, htonl(laddr), htons(lport), SS_FACCEPTONCE)) == NULL) return 1; m->m_len = bptr - m->m_data; /* Adjust length */ - m->m_len += sprintf(bptr, "DCC MOVE %s %lu %u %u%c\n", - buff, (unsigned long)ntohl(so->so_faddr.s_addr), - ntohs(so->so_fport), n1, 1); + m->m_len += snprintf(bptr, m->m_hdr.mh_size, + "DCC MOVE %s %lu %u %u%c\n", buff, + (unsigned long)ntohl(so->so_faddr.s_addr), + ntohs(so->so_fport), n1, 1); } return 1; @@ -1285,8 +1293,8 @@ tcp_ctl(so) /* FALLTHROUGH */ case CTL_ALIAS: - sb->sb_cc = sprintf(sb->sb_wptr, - "Error: No application configured.\r\n"); + sb->sb_cc = snprintf(sb->sb_wptr, sb->sb_datalen - (sb->sb_wptr - sb->sb_data), + "Error: No application configured.\r\n"); sb->sb_wptr += sb->sb_cc; return(0); diff --git a/slirp/tftp.c b/slirp/tftp.c index 562ae89..8c01268 100644 --- a/slirp/tftp.c +++ b/slirp/tftp.c @@ -23,6 +23,7 @@ */ #include <slirp.h> +#include "qemu-common.h" // for pstrcpy struct tftp_session { int in_use; @@ -148,8 +149,8 @@ static int tftp_send_oack(struct tftp_session *spt, m->m_data += sizeof(struct udpiphdr); tp->tp_op = htons(TFTP_OACK); - n += sprintf(tp->x.tp_buf + n, "%s", key) + 1; - n += sprintf(tp->x.tp_buf + n, "%u", value) + 1; + n += snprintf(tp->x.tp_buf + n, sizeof(tp->x.tp_buf) - n, "%s", key) + 1; + n += snprintf(tp->x.tp_buf + n, sizeof(tp->x.tp_buf) - n, "%u", value) + 1; saddr.sin_addr = recv_tp->ip.ip_dst; saddr.sin_port = recv_tp->udp.uh_dport; @@ -189,7 +190,7 @@ static int tftp_send_error(struct tftp_session *spt, tp->tp_op = htons(TFTP_ERROR); tp->x.tp_error.tp_error_code = htons(errorcode); - strcpy(tp->x.tp_error.tp_msg, msg); + pstrcpy(tp->x.tp_error.tp_msg, sizeof(tp->x.tp_error.tp_msg), msg); saddr.sin_addr = recv_tp->ip.ip_dst; saddr.sin_port = recv_tp->udp.uh_dport; @@ -1915,11 +1915,12 @@ static void mux_print_help(CharDriverState *chr) char cbuf[50] = "\n\r"; if (term_escape_char > 0 && term_escape_char < 26) { - sprintf(cbuf,"\n\r"); - sprintf(ebuf,"C-%c", term_escape_char - 1 + 'a'); + snprintf(cbuf, sizeof(cbuf), "\n\r"); + snprintf(ebuf, sizeof(ebuf), "C-%c", term_escape_char - 1 + 'a'); } else { - sprintf(cbuf,"\n\rEscape-Char set to Ascii: 0x%02x\n\r\n\r", - term_escape_char); + snprintf(cbuf, sizeof(cbuf), + "\n\rEscape-Char set to Ascii: 0x%02x\n\r\n\r", + term_escape_char); } chr->chr_write(chr, (uint8_t *)cbuf, strlen(cbuf)); for (i = 0; mux_help[i] != NULL; i++) { @@ -4385,7 +4386,7 @@ static int tap_open(char *ifname, int ifname_size) * Allocate TAP device, returns opened fd. * Stores dev name in the first arg(must be large enough). */ -int tap_alloc(char *dev) +int tap_alloc(char *dev, size_t dev_size) { int tap_fd, if_fd, ppa = -1; static int ip_fd = 0; @@ -4498,7 +4499,7 @@ int tap_alloc(char *dev) syslog (LOG_ERR, "Can't set multiplexor id"); } - sprintf(dev, "tap%d", ppa); + snprintf(dev, dev_size, "tap%d", ppa); return tap_fd; } @@ -4506,7 +4507,7 @@ static int tap_open(char *ifname, int ifname_size) { char dev[10]=""; int fd; - if( (fd = tap_alloc(dev)) < 0 ){ + if( (fd = tap_alloc(dev, sizeof(dev))) < 0 ){ fprintf(stderr, "Cannot allocate TAP device\n"); return -1; } @@ -5461,11 +5462,11 @@ static int drive_init(struct drive_opt *arg, int snapshot, !strcmp(machine->name, "versatileab")) { type = IF_SCSI; max_devs = MAX_SCSI_DEVS; - strcpy(devname, "scsi"); + pstrcpy(devname, sizeof(devname), "scsi"); } else { type = IF_IDE; max_devs = MAX_IDE_DEVS; - strcpy(devname, "ide"); + pstrcpy(devname, sizeof(devname), "ide"); } media = MEDIA_DISK; |