Check snprintf() return values even if we preallocated the correct amount.

There are no remaining unchecked snprintf() that can actually overflow.

plugins/sudoers/iolog.c

@@ -612,32 +612,26 @@ sudoers_io_open_local(struct timespec *now)
 {
     struct eventlog *evlog = iolog_details.evlog;
     int i, ret = -1;
-    size_t len;
     debug_decl(sudoers_io_open_local, SUDOERS_DEBUG_PLUGIN);
 
     /* If no I/O log path defined we need to figure it out ourselves. */
     if (evlog->iolog_path == NULL) {
+	int len;
+
 	/* Get next session ID and convert it into a path. */
-	const size_t pathlen = sizeof(_PATH_SUDO_IO_LOGDIR "/00/00/00");
-	if ((evlog->iolog_path = malloc(pathlen)) == NULL) {
-	    sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
-	    goto done;
-	}
-	len = strlcpy(evlog->iolog_path, _PATH_SUDO_IO_LOGDIR, pathlen);
-	if (len + strlen("/00/00/00") >= pathlen) {
-	    sudo_warnx(U_("internal error, %s overflow"), __func__);
-	    goto done;
-	}
-	if (!iolog_nextid(evlog->iolog_path, evlog->sessid)) {
+	if (!iolog_nextid(_PATH_SUDO_IO_LOGDIR, evlog->sessid)) {
 	    log_warning(SLOG_SEND_MAIL, N_("unable to update sequence file"));
 	    warned = true;
 	    goto done;
 	}
-	(void)snprintf(evlog->iolog_path + strlen(_PATH_SUDO_IO_LOGDIR),
-	    pathlen - strlen(_PATH_SUDO_IO_LOGDIR),
-	    "/%c%c/%c%c/%c%c", evlog->sessid[0], evlog->sessid[1],
-	    evlog->sessid[2], evlog->sessid[3], evlog->sessid[4],
-	    evlog->sessid[5]);
+	len = asprintf(&evlog->iolog_path, "%s/%c%c/%c%c/%c%c",
+	    _PATH_SUDO_IO_LOGDIR,
+	    evlog->sessid[0], evlog->sessid[1], evlog->sessid[2],
+	    evlog->sessid[3], evlog->sessid[4], evlog->sessid[5]);
+	if (len == -1) {
+	    sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+	    goto done;
+	}
     }
 
     /*

plugins/sudoers/ldap.c

@@ -1339,7 +1339,7 @@ sudo_krb5_copy_cc_file(const char *old_ccname)
 {
     int nfd, ofd = -1;
     ssize_t nread, nwritten = -1;
-    static char new_ccname[sizeof(_PATH_TMP) + sizeof("sudocc_XXXXXXXX") - 1];
+    static char new_ccname[] = _PATH_TMP "sudocc_XXXXXXXX";
     char buf[10240], *ret = NULL;
     debug_decl(sudo_krb5_copy_cc_file, SUDOERS_DEBUG_LDAP);
 
@@ -1355,8 +1355,6 @@ sudo_krb5_copy_cc_file(const char *old_ccname)
 	if (ofd != -1) {
 	    (void) fcntl(ofd, F_SETFL, 0);
 	    if (sudo_lock_file(ofd, SUDO_LOCK)) {
-		(void)snprintf(new_ccname, sizeof(new_ccname), "%s%s",
-		    _PATH_TMP, "sudocc_XXXXXXXX");
 		nfd = mkstemp(new_ccname);
 		if (nfd != -1) {
 		    sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,

plugins/sudoers/toke.c

@@ -5116,7 +5116,11 @@ read_dir_files(const char *dirpath, struct path_list ***pathsp)
 	len = dirlen + 1 + namelen;
 	if ((path = sudo_rcstr_alloc(len)) == NULL)
 	    goto oom;
-	(void)snprintf(path, len + 1, "%s/%s", dirpath, dent->d_name);
+	if ((size_t)snprintf(path, len + 1, "%s/%s", dirpath, dent->d_name) != len) {
+	    sudo_warnx(U_("internal error, %s overflow"), __func__);
+	    sudo_rcstr_delref(path);
+	    goto bad;
+	}
 	if (stat(path, &sb) != 0 || !S_ISREG(sb.st_mode)) {
 	    sudo_rcstr_delref(path);
 	    continue;

plugins/sudoers/toke.l

@@ -903,7 +903,11 @@ read_dir_files(const char *dirpath, struct path_list ***pathsp)
 	len = dirlen + 1 + namelen;
 	if ((path = sudo_rcstr_alloc(len)) == NULL)
 	    goto oom;
-	(void)snprintf(path, len + 1, "%s/%s", dirpath, dent->d_name);
+	if ((size_t)snprintf(path, len + 1, "%s/%s", dirpath, dent->d_name) != len) {
+	    sudo_warnx(U_("internal error, %s overflow"), __func__);
+	    sudo_rcstr_delref(path);
+	    goto bad;
+	}
 	if (stat(path, &sb) != 0 || !S_ISREG(sb.st_mode)) {
 	    sudo_rcstr_delref(path);
 	    continue;