From e1ae7d3be6faa710b3a711ed317cfe45d90f28bc Mon Sep 17 00:00:00 2001
From: "Ali H. Fardan" <raiz@firemail.cc>
Date: Sun, 21 Aug 2016 00:00:23 +0300
Subject: [PATCH] added bounds checking via secure strl*() routines

---
 slstatus.c | 34 +++++++++++++++++++--------------
 strlcat.h  | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 strlcpy.h  | 50 +++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 125 insertions(+), 14 deletions(-)
 create mode 100644 strlcat.h
 create mode 100644 strlcpy.h

diff --git a/slstatus.c b/slstatus.c
index 0dee744..823b8eb 100644
--- a/slstatus.c
+++ b/slstatus.c
@@ -24,6 +24,12 @@
 #include <unistd.h>
 #include <X11/Xlib.h>
 
+#undef strlcat
+#undef strlcpy
+
+#include "strlcat.h"
+#include "strlcpy.h"
+
 /* statusbar configuration type and struct */
 typedef char *(*op_fun) (const char *);
 struct arg {
@@ -101,16 +107,16 @@ battery_perc(const char *battery)
 	FILE *fp;
 
 	/* generate battery nowfile path */
-	strcat(batterynowfile, batterypath);
-	strcat(batterynowfile, battery);
-	strcat(batterynowfile, "/");
-	strcat(batterynowfile, batterynow);
+	strlcat(batterynowfile, batterypath, sizeof(batterynowfile));
+	strlcat(batterynowfile, battery, sizeof(batterynowfile));
+	strlcat(batterynowfile, "/", sizeof(batterynowfile));
+	strlcat(batterynowfile, batterynow, sizeof(batterynowfile));
 
 	/* generate battery fullfile path */
-	strcat(batteryfullfile, batterypath);
-	strcat(batteryfullfile, battery);
-	strcat(batteryfullfile, "/");
-	strcat(batteryfullfile, batteryfull);
+	strlcat(batteryfullfile, batterypath, sizeof(batteryfullfile));
+	strlcat(batteryfullfile, battery, sizeof(batteryfullfile));
+	strlcat(batteryfullfile, "/", sizeof(batteryfullfile));
+	strlcat(batteryfullfile, batteryfull, sizeof(batteryfullfile));
 
 	/* open battery now file */
 	if (!(fp = fopen(batterynowfile, "r"))) {
@@ -688,9 +694,9 @@ wifi_perc(const char *wificard)
 
 	/* generate the path name */
 	memset(path, 0, sizeof path);
-	strcat(path, "/sys/class/net/");
-	strcat(path, wificard);
-	strcat(path, "/operstate");
+	strlcat(path, "/sys/class/net/", sizeof(path));
+	strlcat(path, wificard, sizeof(path));
+	strlcat(path, "/operstate", sizeof(path));
 
 	/* open wifi file */
 	if(!(fp = fopen(path, "r"))) {
@@ -716,8 +722,8 @@ wifi_perc(const char *wificard)
 	}
 
 	/* extract the signal strength */
-	strcpy(needle, wificard);
-	strcat(needle, ":");
+	strlcpy(needle, wificard, sizeof(needle));
+	strlcat(needle, ":", sizeof(needle));
 	fgets(buf, bufsize, fp);
 	fgets(buf, bufsize, fp);
 	fgets(buf, bufsize, fp);
@@ -794,7 +800,7 @@ main(void)
 				element = smprintf(unknowntext);
 				fprintf(stderr, "Failed to format output.\n");
 			}
-			strcat(status_string, element);
+			strlcat(status_string, element, sizeof(status_string));
 			free(res);
 			free(element);
 		}
diff --git a/strlcat.h b/strlcat.h
new file mode 100644
index 0000000..2596420
--- /dev/null
+++ b/strlcat.h
@@ -0,0 +1,55 @@
+/*	$OpenBSD: strlcat.c,v 1.16 2015/08/31 02:53:57 guenther Exp $	*/
+
+/*
+ * Copyright (c) 1998, 2015 Todd C. Miller <Todd.Miller@courtesan.com>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <sys/types.h>
+#include <string.h>
+
+/*
+ * Appends src to string dst of size dsize (unlike strncat, dsize is the
+ * full size of dst, not space left).  At most dsize-1 characters
+ * will be copied.  Always NUL terminates (unless dsize <= strlen(dst)).
+ * Returns strlen(src) + MIN(dsize, strlen(initial dst)).
+ * If retval >= dsize, truncation occurred.
+ */
+size_t
+strlcat(char *dst, const char *src, size_t dsize)
+{
+	const char *odst = dst;
+	const char *osrc = src;
+	size_t n = dsize;
+	size_t dlen;
+
+	/* Find the end of dst and adjust bytes left but don't go past end. */
+	while (n-- != 0 && *dst != '\0')
+		dst++;
+	dlen = dst - odst;
+	n = dsize - dlen;
+
+	if (n-- == 0)
+		return(dlen + strlen(src));
+	while (*src != '\0') {
+		if (n != 0) {
+			*dst++ = *src;
+			n--;
+		}
+		src++;
+	}
+	*dst = '\0';
+
+	return(dlen + (src - osrc));	/* count does not include NUL */
+}
diff --git a/strlcpy.h b/strlcpy.h
new file mode 100644
index 0000000..6301674
--- /dev/null
+++ b/strlcpy.h
@@ -0,0 +1,50 @@
+/*	$OpenBSD: strlcpy.c,v 1.13 2015/08/31 02:53:57 guenther Exp $	*/
+
+/*
+ * Copyright (c) 1998, 2015 Todd C. Miller <Todd.Miller@courtesan.com>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <sys/types.h>
+#include <string.h>
+
+/*
+ * Copy string src to buffer dst of size dsize.  At most dsize-1
+ * chars will be copied.  Always NUL terminates (unless dsize == 0).
+ * Returns strlen(src); if retval >= dsize, truncation occurred.
+ */
+size_t
+strlcpy(char *dst, const char *src, size_t dsize)
+{
+	const char *osrc = src;
+	size_t nleft = dsize;
+
+	/* Copy as many bytes as will fit. */
+	if (nleft != 0) {
+		while (--nleft != 0) {
+			if ((*dst++ = *src++) == '\0')
+				break;
+		}
+	}
+
+	/* Not enough room in dst, add NUL and traverse rest of src. */
+	if (nleft == 0) {
+		if (dsize != 0)
+			*dst = '\0';		/* NUL-terminate dst */
+		while (*src++)
+			;
+	}
+
+	return(src - osrc - 1);	/* count does not include NUL */
+}