changed to use slprintf() instead of sprintf() just about

everywhere. I've implemented slprintf() as a bounds checked sprintf()
using mprotect() and a non-writeable page.

This should prevent any sprintf based security holes.

1 files changed, 4 insertions, 3 deletions

diff --git a/source/libsmb/clientgen.c b/source/libsmb/clientgen.c
index d72040505f1..8b4001827c0 100644
--- a/source/libsmb/clientgen.c
+++ b/source/libsmb/clientgen.c
@@ -343,8 +343,8 @@ BOOL cli_api_pipe(struct cli_state *cli, char *pipe_name, int pipe_name_len,
                  data, data_count, max_data_count);
 
   return (cli_receive_trans(cli, SMBtrans, 
-                            rparam, rparam_count,
-                            rdata, rdata_count));
+                            rparam, (int *)rparam_count,
+                            rdata, (int *)rdata_count));
 }
 
 /****************************************************************************
@@ -714,7 +714,8 @@ BOOL cli_send_tconX(struct cli_state *cli,
 		memcpy(pword, pass, passlen);
 	}
 
-	sprintf(fullshare, "\\\\%s\\%s", cli->desthost, share);
+	slprintf(fullshare, sizeof(fullshare)-1,
+		 "\\\\%s\\%s", cli->desthost, share);
 
 	set_message(cli->outbuf,4,
 		    2 + strlen(fullshare) + passlen + strlen(dev),True);