authorJoseph Hunkeler <jhunkeler@users.noreply.github.com>2026-04-21 12:15:11 -0400
committerGitHub <noreply@github.com>2026-04-21 12:15:11 -0400
commite05702d1818088439fd017786a036103062db358 (patch)
tree379773aaaae0193d1a53583646b48e23edd817a5 /src/cli/stasis
parent2258cd05bcded0125136c17d51568831ac421bf7 (diff)
parent577912ff0e1996b9846db00247648abd828a8f43 (diff)
downloadstasis-e05702d1818088439fd017786a036103062db358.tar.gz
Merge pull request #134 from jhunkeler/sprintf-to-snprintf
String safety
Diffstat (limited to 'src/cli/stasis')
-rw-r--r--src/cli/stasis/args.c20
-rw-r--r--src/cli/stasis/stasis_main.c20
2 files changed, 21 insertions, 19 deletions
diff --git a/src/cli/stasis/args.c b/src/cli/stasis/args.c
index dbc9c2f..98b4479 100644
--- a/src/cli/stasis/args.c
+++ b/src/cli/stasis/args.c
@@ -85,28 +85,30 @@ void usage(char *progname) {
int width = get_option_max_width(long_options);
for (int x = 0; long_options[x].name != 0; x++) {
char tmp[STASIS_NAME_MAX] = {0};
- char output[sizeof(tmp)] = {0};
+ char output[STASIS_NAME_MAX] = {0};
char opt_long[50] = {0}; // --? [ARG]?
char opt_short[50] = {0}; // -? [ARG]?
- strcat(opt_long, "--");
- strcat(opt_long, long_options[x].name);
+ strncat(opt_long, "--", sizeof(opt_long) - strlen(opt_long) - 1);
+ strncat(opt_long, long_options[x].name, sizeof(opt_long) - strlen(opt_long) - 1);
if (long_options[x].has_arg) {
- strcat(opt_long, " ARG");
+ strncat(opt_long, " ARG", sizeof(opt_long) - strlen(opt_long) - 1);
}
if (long_options[x].val <= 'z') {
- strcat(opt_short, "-");
+ strncat(opt_short, "-", sizeof(opt_short) - strlen(opt_short) - 1);
opt_short[1] = (char) long_options[x].val;
if (long_options[x].has_arg) {
- strcat(opt_short, " ARG");
+ strncat(opt_short, " ARG", sizeof(opt_short) - strlen(opt_short) - 1);
}
} else {
- strcat(opt_short, " ");
+ strncat(opt_short, " ", sizeof(opt_short) - strlen(opt_short) - 1);
}
- sprintf(tmp, " %%-%ds\t%%s\t\t%%s", width + 4);
- sprintf(output, tmp, opt_long, opt_short, long_options_help[x]);
+ const char *opt_fmt = " %%-%ds\t%%s\t\t%%s";
+ size_t opt_fmt_len = snprintf(NULL, 0, opt_fmt, width);
+ snprintf(tmp, sizeof(tmp) - opt_fmt_len, opt_fmt, width + 4);
+ snprintf(output, sizeof(output), tmp, opt_long, opt_short, long_options_help[x]);
puts(output);
}
}
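Review bot: The size passed on the line `snprintf(tmp, sizeof(tmp) - opt_fmt_len, opt_fmt, width + 4);` is not the size of `tmp`. It subtracts a length measured with `width` instead of `width + 4`, and because snprintf() returns an int, a negative result stored in `size_t opt_fmt_len` would make the subtraction wrap to a bound larger than the buffer. The intermediate format buffer can be dropped by passing the width as an argument: `snprintf(output, sizeof(output), " %-*s\t%s\t\t%s", width + 4, opt_long, opt_short, long_options_help[x]);`. That keeps the format a string literal, so the compiler can check it against the arguments and a truncated `tmp` can never be used as a format. usage() begins above this hunk.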
diff --git a/src/cli/stasis/stasis_main.c b/src/cli/stasis/stasis_main.c
index 44efc4a..328d825 100644
--- a/src/cli/stasis/stasis_main.c
+++ b/src/cli/stasis/stasis_main.c
@@ -45,7 +45,7 @@ static void configure_stasis_ini(struct Delivery *ctx, char **config_input) {
if (!*config_input) {
SYSDEBUG("%s", "No configuration passed by argument. Using basic config.");
char cfgfile[PATH_MAX * 2];
- sprintf(cfgfile, "%s/%s", globals.sysconfdir, "stasis.ini");
+ snprintf(cfgfile, sizeof(cfgfile), "%s/%s", globals.sysconfdir, "stasis.ini");
SYSDEBUG("cfgfile: %s", cfgfile);
if (!access(cfgfile, F_OK | R_OK)) {
*config_input = strdup(cfgfile);
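Review bot: The return value of the new `snprintf(cfgfile, sizeof(cfgfile), ...)` is ignored, so an over-long `globals.sysconfdir` now produces a silently truncated path that is still passed to access() and strdup(). The same applies to `dockerfile` in build_docker and to `specfile` in generate_release, where the possibly truncated name goes on to delivery_rewrite_stage1(). Consider capturing the result and treating truncation as an error, e.g. `int n = snprintf(cfgfile, sizeof(cfgfile), "%s/%s", globals.sysconfdir, "stasis.ini");` followed by `if (n < 0 || (size_t) n >= sizeof(cfgfile)) { /* report via msg(STASIS_MSG_ERROR, ...) and bail out */ }`. configure_stasis_ini() continues outside this hunk.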
@@ -161,9 +161,9 @@ static void check_conda_prefix_length(const struct Delivery *ctx) {
}
}
-static void setup_conda(struct Delivery *ctx, char *installer_url) {
+static void setup_conda(struct Delivery *ctx, char *installer_url, const size_t maxlen) {
msg(STASIS_MSG_L1, "Conda setup\n");
- delivery_get_conda_installer_url(ctx, installer_url);
+ delivery_get_conda_installer_url(ctx, installer_url, maxlen);
msg(STASIS_MSG_L2, "Downloading: %s\n", installer_url);
if (delivery_get_conda_installer(ctx, installer_url)) {
msg(STASIS_MSG_ERROR, "download failed: %s\n", installer_url);
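Review bot: The new `maxlen` parameter of setup_conda() is undocumented, so it is unclear whether it counts the terminating NUL. A short comment above the function would pin this down, for example `/* maxlen: total size of the installer_url buffer in bytes, including the terminating NUL */`. The call site in main passes `sizeof(installer_url)`, which is only correct while `installer_url` is declared as an array there; that declaration is outside the visible hunks and worth confirming. setup_conda() continues past the end of this hunk.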
@@ -429,7 +429,7 @@ static void build_docker(struct Delivery *ctx, const int disabled) {
msg(STASIS_MSG_L1 | STASIS_MSG_WARN, "Docker image building is disabled by CLI argument\n");
} else {
char dockerfile[PATH_MAX] = {0};
- sprintf(dockerfile, "%s/%s", ctx->storage.build_docker_dir, "Dockerfile");
+ snprintf(dockerfile, sizeof(dockerfile), "%s/%s", ctx->storage.build_docker_dir, "Dockerfile");
if (globals.enable_docker) {
if (!access(dockerfile, F_OK)) {
msg(STASIS_MSG_L1, "Building Docker image\n");
@@ -461,7 +461,7 @@ static void generate_release(struct Delivery *ctx, char *env_name, char *env_nam
delivery_export(ctx, (char *[]) {env_name, env_name_testing, NULL});
char specfile[PATH_MAX];
- sprintf(specfile, "%s/%s.yml", ctx->storage.delivery_dir, env_name);
+ snprintf(specfile, sizeof(specfile), "%s/%s.yml", ctx->storage.delivery_dir, env_name);
delivery_rewrite_stage1(ctx, specfile);
build_docker(ctx, disable_docker);
@@ -532,7 +532,7 @@ int main(int argc, char *argv[]) {
globals.continue_on_error = true;
break;
case 'p':
- strcpy(python_override_version, optarg);
+ strncpy(python_override_version, optarg, sizeof(python_override_version) - 1);
break;
case 'l':
globals.cpu_limit = strtol(optarg, NULL, 10);
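Review bot: `strncpy(python_override_version, optarg, sizeof(python_override_version) - 1);` does not write a terminator when `optarg` is at least that long. The result is NUL-terminated only if the buffer was zero-initialized at its declaration, which is outside this hunk. It also silently truncates a user-supplied version string instead of rejecting it. Consider `int n = snprintf(python_override_version, sizeof(python_override_version), "%s", optarg);` and treating `n < 0 || (size_t) n >= sizeof(python_override_version)` as a usage error. The two strncpy() calls for `env_name` and `env_name_testing` later in main have the same termination dependency.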
@@ -652,9 +652,9 @@ int main(int argc, char *argv[]) {
configure_jfrog_cli(&ctx);
runtime_apply(ctx.runtime.environ);
- strcpy(env_name, ctx.info.release_name);
- strcpy(env_name_testing, env_name);
- strcat(env_name_testing, "-test");
+ strncpy(env_name, ctx.info.release_name, sizeof(env_name) - 1);
+ strncpy(env_name_testing, env_name, sizeof(env_name_testing) - 1);
+ strncat(env_name_testing, "-test", sizeof(env_name_testing) - strlen(env_name_testing) - 1);
char *envs[] = {
"release", env_name,
"testing", env_name_testing,
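Review bot: When `ctx.info.release_name` is long enough, the bounded `strncat(env_name_testing, "-test", ...)` appends only part of the suffix, or nothing at all. If the two buffers are the same size (their declarations are outside this hunk), `env_name_testing` can then end up identical to `env_name`, so the "release" and "testing" entries in `envs` would name the same environment. Building the name in one step and failing on truncation avoids that: `int n = snprintf(env_name_testing, sizeof(env_name_testing), "%s-test", env_name);` then `if (n < 0 || (size_t) n >= sizeof(env_name_testing)) { /* report and exit */ }`. main continues on both sides of this hunk.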
@@ -666,7 +666,7 @@ int main(int argc, char *argv[]) {
check_conda_install_prefix(&ctx);
check_conda_prefix_length(&ctx);
- setup_conda(&ctx, installer_url);
+ setup_conda(&ctx, installer_url, sizeof(installer_url));
configure_conda_base(&ctx, envs);
configure_conda_purge(&ctx, envs);
setup_activate_test_env(&ctx, env_name_testing);