Buffer overflow in wall(1).
This affected syslogd, wall and talkd. Detected by FORTIFY_SOURCE GSoC (with clang). Submitted by: Oliver Pinter Differential Revision: https://reviews.freebsd.org/D3254 Reviewed by: delphij, jmg MFC after: 3 days
This commit is contained in:
parent
42e5fcbf2b
commit
479184e919
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=286102
@ -62,7 +62,7 @@ ttymsg(struct iovec *iov, int iovcnt, const char *line, int tmout)
|
|||||||
struct iovec localiov[7];
|
struct iovec localiov[7];
|
||||||
ssize_t left, wret;
|
ssize_t left, wret;
|
||||||
int cnt, fd;
|
int cnt, fd;
|
||||||
static char device[MAXNAMLEN] = _PATH_DEV;
|
char device[MAXNAMLEN] = _PATH_DEV;
|
||||||
static char errbuf[1024];
|
static char errbuf[1024];
|
||||||
char *p;
|
char *p;
|
||||||
int forked;
|
int forked;
|
||||||
@ -71,8 +71,8 @@ ttymsg(struct iovec *iov, int iovcnt, const char *line, int tmout)
|
|||||||
if (iovcnt > (int)(sizeof(localiov) / sizeof(localiov[0])))
|
if (iovcnt > (int)(sizeof(localiov) / sizeof(localiov[0])))
|
||||||
return ("too many iov's (change code in wall/ttymsg.c)");
|
return ("too many iov's (change code in wall/ttymsg.c)");
|
||||||
|
|
||||||
|
strlcat(device, line, sizeof(device));
|
||||||
p = device + sizeof(_PATH_DEV) - 1;
|
p = device + sizeof(_PATH_DEV) - 1;
|
||||||
strlcpy(p, line, sizeof(device));
|
|
||||||
if (strncmp(p, "pts/", 4) == 0)
|
if (strncmp(p, "pts/", 4) == 0)
|
||||||
p += 4;
|
p += 4;
|
||||||
if (strchr(p, '/') != NULL) {
|
if (strchr(p, '/') != NULL) {
|
||||||
|
Loading…
Reference in New Issue
Block a user