Prevent internal buffer overflow due to expansion of $LANG and/or name

argument in catopen(). Reviewed by: chris, -audit
svn path=/head/; revision=64274
2000-08-05 04:56:43 +00:00 · 2000-08-05 04:56:43 +00:00 · 84b578d562 · 2020-12-20 02:59:44 +00:00
commit 84b578d562
parent ab9e9f9d2d
1 changed files with 11 additions and 3 deletions
--- a/lib/libc/nls/msgcat.c
+++ b/lib/libc/nls/msgcat.c
@ -91,8 +91,9 @@ int type;
    __const char *catpath = NULL;
    char        *nlspath;
    char	*lang;
-    long	len;
    char	*base, *cptr, *pathP;
+    int		spcleft;
+    long	len;
    struct stat	sbuf;

    if (!name || !*name) {
@ -129,13 +130,20 @@ int type;
 		*cptr = '\0';
 		for (pathP = path; *nlspath; ++nlspath) {
 		    if (*nlspath == '%') {
+		        spcleft = sizeof(path) - (pathP - path);
 			if (*(nlspath + 1) == 'L') {
 			    ++nlspath;
-			    strcpy(pathP, lang);
+			    if (strlcpy(pathP, lang, spcleft) >= spcleft) {
+				errno = ENAMETOOLONG;
+				return(NLERR);
+			    }
 			    pathP += strlen(lang);
 			} else if (*(nlspath + 1) == 'N') {
 			    ++nlspath;
-			    strcpy(pathP, name);
+			    if (strlcpy(pathP, name, spcleft) >= spcleft) {
+			        errno = ENAMETOOLONG;
+				return(NLERR);
+			    }
 			    pathP += strlen(name);
 			} else *(pathP++) = *nlspath;
 		    } else *(pathP++) = *nlspath;