From fc9ce3812df40730cbf17cfcd4ce64bf9387fadb Mon Sep 17 00:00:00 2001 From: "Pedro F. Giffuni" Date: Sat, 1 Aug 2015 01:29:55 +0000 Subject: [PATCH] Buffer overflow in wall(1). Revert r286102 and apply a cleaner fix. Tested for overflows by FORTIFY_SOURCE GSoC (with clang). Suggested by: bde Reviewed by: Oliver Pinter Tested by: Oliver Pinter MFC after: 3 days --- usr.bin/wall/ttymsg.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/usr.bin/wall/ttymsg.c b/usr.bin/wall/ttymsg.c index 1317a4b0cb60..afa3d266ad3a 100644 --- a/usr.bin/wall/ttymsg.c +++ b/usr.bin/wall/ttymsg.c @@ -62,7 +62,7 @@ ttymsg(struct iovec *iov, int iovcnt, const char *line, int tmout) struct iovec localiov[7]; ssize_t left, wret; int cnt, fd; - char device[MAXNAMLEN] = _PATH_DEV; + char device[MAXNAMLEN]; static char errbuf[1024]; char *p; int forked; @@ -71,8 +71,9 @@ ttymsg(struct iovec *iov, int iovcnt, const char *line, int tmout) if (iovcnt > (int)(sizeof(localiov) / sizeof(localiov[0]))) return ("too many iov's (change code in wall/ttymsg.c)"); - strlcat(device, line, sizeof(device)); + strlcpy(device, _PATH_DEV, sizeof(device)); p = device + sizeof(_PATH_DEV) - 1; + strlcpy(p, line, sizeof(device) - sizeof(_PATH_DEV)); if (strncmp(p, "pts/", 4) == 0) p += 4; if (strchr(p, '/') != NULL) {