check buffer size

[netatalk.git] / etc / papd / queries.c

diff --git a/etc/papd/queries.c b/etc/papd/queries.c
index 4c41b6344e2d47d01f188c7bfd778cc447d12efb..658caa02a87f8baf9612aec6d83ff8351cd92f4a 100644 (file)
--- a/etc/papd/queries.c
+++ b/etc/papd/queries.c
@@ -1,5 +1,5 @@
 /*
- * $Id: queries.c,v 1.18 2005-04-28 20:49:49 bfernhomberg Exp $
+ * $Id: queries.c,v 1.20 2009-02-02 12:46:45 didg Exp $
  *
  * Copyright (c) 1990,1994 Regents of The University of Michigan.
  * All Rights Reserved.  See COPYRIGHT.
@@ -71,6 +71,9 @@ int cq_default( in, out )
 
        case -1 :
            return( CH_MORE );
+
+        case -2 :
+            return( CH_ERROR );
        }
 
        stop = start+linelength;
@@ -130,6 +133,9 @@ int cq_k4login( in, out )
 
     case -1 :
        return( CH_MORE );
+
+    case -2 :
+        return( CH_ERROR );
     }
 
     p = start + strlen( comment->c_begin );
@@ -180,6 +186,9 @@ int cq_uameth( in, out )
 
        case -1 :
            return( CH_MORE );
+
+        case -2 :
+            return( CH_ERROR );
        }
 
        if ( comgetflags() == 0 ) {     /* start */
@@ -326,6 +335,9 @@ int cq_query( in, out )
 
        case -1 :
            return( CH_MORE );
+
+        case -2 :
+            return( CH_ERROR );
        }
 
        stop = start+linelength;
@@ -386,14 +398,16 @@ void cq_font_answer( start, stop, out )
 
     p = start;
     while ( p < stop ) {
+        unsigned int count = 0;
        while (( *p == ' ' || *p == '\t' ) && p < stop ) {
            p++;
        }
 
        q = buf;
        while ( *p != ' ' && *p != '\t' &&
-               *p != '\n' && *p != '\r' && p < stop ) {
+               *p != '\n' && *p != '\r' && p < stop && count < sizeof(buf)) {
            *q++ = *p++;
+           count++;
        }
 
        if ( q != buf ) {
@@ -428,6 +442,9 @@ int cq_font( in, out )
 
        case -1 :
            return( CH_MORE );
+
+        case -2 :
+            return( CH_ERROR );
        }
 
        stop = start + linelength;
@@ -486,6 +503,9 @@ int cq_feature( in, out )
 
        case -1 :
            return( CH_MORE );
+
+        case -2 :
+            return( CH_ERROR );
        }
 
        stop = start + linelength;
@@ -544,6 +564,9 @@ int cq_printer( in, out )
 
        case -1 :
            return( CH_MORE );
+
+        case -2 :
+            return( CH_ERROR );
        }
 
        if ( comgetflags() == 0 ) {
@@ -620,6 +643,9 @@ int cq_rmjob( in, out )
 
     case -1 :
        return( CH_MORE );
+
+    case -2 :
+        return( CH_ERROR );
     }
 
     stop = start + linelength;
@@ -660,6 +686,9 @@ int cq_listq( in, out )
 
     case -1 :
        return( CH_MORE );
+
+    case -2 :
+        return( CH_ERROR );
     }
 
     if ( lp_queue( out )) {
@@ -692,7 +721,7 @@ int cq_rbilogin( in, out )
     int                        linelength, crlflength;
     char               username[UAM_USERNAMELEN + 1] = "\0";
     struct papd_comment        *comment = compeek();
-    char               uamtype[20] = "\0";
+    char               uamtype[20];
 
     for (;;) {
         switch ( markline( in, &start, &linelength, &crlflength )) {
@@ -701,6 +730,9 @@ int cq_rbilogin( in, out )
 
         case -1 :
             return( CH_MORE );
+
+        case -2 :
+            return( CH_ERROR );
         }
 
        stop = start + linelength;
@@ -709,13 +741,16 @@ int cq_rbilogin( in, out )
            begin = start + strlen(comment->c_begin);
            p = begin;
 
-           while (*p != ' ') {
+           while (*p != ' ' && p < stop) {
                p++;
            }
 
-           strncat(uamtype, begin, p - begin);
+           memset(uamtype, 0, sizeof(uamtype));
+           if ((size_t)(p -begin) <= sizeof(uamtype) -1) {
+               strncpy(uamtype, begin, p - begin);
+            }
 
-           if ((papd_uam = auth_uamfind(UAM_SERVER_PRINTAUTH,
+           if ( !*uamtype || (papd_uam = auth_uamfind(UAM_SERVER_PRINTAUTH,
                                uamtype, strlen(uamtype))) == NULL) {
                LOG(log_info, logtype_papd, "Could not find uam: %s", uamtype);
                append(out, rbiloginbad, strlen(rbiloginbad));