param/loadparm.c: Removed StrCpy from Samba - last use.

lib/util_str.c: Removed StrCpy - added alpha_strcpy().
smbd/message.c: Fix for buffer overrun issues.
include/proto.h: Removed StrCpy.
Jeremy.

4 files changed, 48 insertions, 26 deletions

diff --git a/source/include/proto.h b/source/include/proto.h
index 0f9ce0aa7bf..62bc6f06469 100644
--- a/source/include/proto.h
+++ b/source/include/proto.h
@@ -374,7 +374,7 @@ BOOL strhaslower(const char *s);
 size_t count_chars(const char *s,char c);
 char *safe_strcpy(char *dest,const char *src, size_t maxlength);
 char *safe_strcat(char *dest, const char *src, size_t maxlength);
-char *StrCpy(char *dest,const char *src);
+char *alpha_strcpy(char *dest, const char *src, size_t maxlength);
 char *StrnCpy(char *dest,const char *src,size_t n);
 char *strncpyn(char *dest, const char *src,size_t n, char c);
 size_t strhex_to_str(char *p, size_t len, const char *strhex);
diff --git a/source/lib/util_str.c b/source/lib/util_str.c
index 4a3ae017b86..32232a09e58 100644
--- a/source/lib/util_str.c
+++ b/source/lib/util_str.c
@@ -797,23 +797,40 @@ char *safe_strcat(char *dest, const char *src, size_t maxlength)
     return dest;
 }
 
-/****************************************************************************
-this is a safer strcpy(), meant to prevent core dumps when nasty things happen
-****************************************************************************/
-char *StrCpy(char *dest,const char *src)
+/*******************************************************************
+ Paranoid strcpy into a buffer of given length (includes terminating
+ zero. Strips out all but 'a-Z0-9' and replaces with '_'. Deliberately
+ does *NOT* check for multibyte characters. Don't change it !
+********************************************************************/
+
+char *alpha_strcpy(char *dest, const char *src, size_t maxlength)
 {
-  char *d = dest;
+    size_t len, i;
 
-  /* I don't want to get lazy with these ... */
-  SMB_ASSERT(dest && src);
+    if (!dest) {
+        DEBUG(0,("ERROR: NULL dest in alpha_strcpy\n"));
+        return NULL;
+    }
 
-  if (!dest) return(NULL);
-  if (!src) {
-    *dest = 0;
-    return(dest);
-  }
-  while ((*d++ = *src++)) ;
-  return(dest);
+    if (!src) {
+        *dest = 0;
+        return dest;
+    }
+
+    len = strlen(src);
+    if (len >= maxlength)
+        len = maxlength - 1;
+
+    for(i = 0; i < len; i++) {
+        if(isupper(src[i]) ||islower(src[i]) || isdigit(src[i]))
+            dest[i] = src[i];
+        else
+            dest[i] = '_';
+    }
+
+    dest[i] = '\0';
+
+    return dest;
 }
 
 /****************************************************************************
diff --git a/source/param/loadparm.c b/source/param/loadparm.c
index 9b377cc428c..5271433041a 100644
--- a/source/param/loadparm.c
+++ b/source/param/loadparm.c
@@ -1055,14 +1055,14 @@ convenience routine to grab string parameters into a rotating buffer,
 and run standard_sub_basic on them. The buffers can be written to by
 callers without affecting the source string.
 ********************************************************************/
-static char *lp_string(char *s)
+static char *lp_string(const char *s)
 {
   static char *bufs[10];
-  static int buflen[10];
+  static size_t buflen[10];
   static int next = -1;  
   char *ret;
   int i;
-  int len = s?strlen(s):0;
+  size_t len = s?strlen(s):0;
 
   if (next == -1) {
     /* initialisation */
@@ -1078,7 +1078,8 @@ static char *lp_string(char *s)
 
   if (buflen[next] != len) {
     buflen[next] = len;
-    if (bufs[next]) free(bufs[next]);
+    if (bufs[next])
+      free(bufs[next]);
     bufs[next] = (char *)malloc(len);
     if (!bufs[next]) {
       DEBUG(0,("out of memory in lp_string()"));
@@ -1092,7 +1093,7 @@ static char *lp_string(char *s)
   if (!s) 
     *ret = 0;
   else
-    StrCpy(ret,s);
+    StrnCpy(ret,s,len-1);
 
   trim_string(ret, "\"", "\"");
 
diff --git a/source/smbd/message.c b/source/smbd/message.c
index d13dfda1e02..e60e3d9ed1a 100644
--- a/source/smbd/message.c
+++ b/source/smbd/message.c
@@ -74,10 +74,13 @@ static void msg_deliver(void)
   /* run the command */
   if (*lp_msg_command())
     {
+      fstring alpha_msgfrom;
+      fstring alpha_msgto;
+
       pstrcpy(s,lp_msg_command());
       string_sub(s,"%s",name);
-      string_sub(s,"%f",msgfrom);
-      string_sub(s,"%t",msgto);
+      string_sub(s,"%f",alpha_strcpy(alpha_msgfrom,msgfrom,sizeof(alpha_msgfrom)));
+      string_sub(s,"%t",alpha_strcpy(alpha_msgto,msgto,sizeof(alpha_msgto)));
       standard_sub_basic(s);
       smbrun(s,NULL,False);
     }
@@ -99,7 +102,6 @@ int reply_sends(connection_struct *conn,
 
   msgpos = 0;
 
-
   if (! (*lp_msg_command()))
     return(ERROR(ERRSRV,ERRmsgoff));
 
@@ -113,7 +115,9 @@ int reply_sends(connection_struct *conn,
   fstrcpy(msgto,dest);
 
   len = SVAL(msg,0);
-  len = MIN(len,1600-msgpos);
+  len = MIN(len,sizeof(msgbuf)-msgpos);
+
+  memset(msgbuf,'\0',sizeof(msgbuf));
 
   memcpy(&msgbuf[msgpos],msg+2,len);
   msgpos += len;
@@ -140,6 +144,7 @@ int reply_sendstrt(connection_struct *conn,
 
   outsize = set_message(outbuf,1,0,True);
 
+  memset(msgbuf,'\0',sizeof(msgbuf));
   msgpos = 0;
 
   orig = smb_buf(inbuf)+1;
@@ -172,7 +177,7 @@ int reply_sendtxt(connection_struct *conn,
   msg = smb_buf(inbuf) + 1;
 
   len = SVAL(msg,0);
-  len = MIN(len,1600-msgpos);
+  len = MIN(len,sizeof(msgbuf)-msgpos);
 
   memcpy(&msgbuf[msgpos],msg+2,len);
   msgpos += len;
@@ -202,4 +207,3 @@ int reply_sendend(connection_struct *conn,
 
   return(outsize);
 }
-