Buffer overflow in wall(1).
Revert r286102 and apply a cleaner fix. Tested for overflows by FORTIFY_SOURCE GSoC (with clang). Suggested by: bde Reviewed by: Oliver Pinter Tested by: Oliver Pinter MFC after: 3 days
This commit is contained in:
parent
afd010c196
commit
fc9ce3812d
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=286144
@ -62,7 +62,7 @@ ttymsg(struct iovec *iov, int iovcnt, const char *line, int tmout)
|
|||||||
struct iovec localiov[7];
|
struct iovec localiov[7];
|
||||||
ssize_t left, wret;
|
ssize_t left, wret;
|
||||||
int cnt, fd;
|
int cnt, fd;
|
||||||
char device[MAXNAMLEN] = _PATH_DEV;
|
char device[MAXNAMLEN];
|
||||||
static char errbuf[1024];
|
static char errbuf[1024];
|
||||||
char *p;
|
char *p;
|
||||||
int forked;
|
int forked;
|
||||||
@ -71,8 +71,9 @@ ttymsg(struct iovec *iov, int iovcnt, const char *line, int tmout)
|
|||||||
if (iovcnt > (int)(sizeof(localiov) / sizeof(localiov[0])))
|
if (iovcnt > (int)(sizeof(localiov) / sizeof(localiov[0])))
|
||||||
return ("too many iov's (change code in wall/ttymsg.c)");
|
return ("too many iov's (change code in wall/ttymsg.c)");
|
||||||
|
|
||||||
strlcat(device, line, sizeof(device));
|
strlcpy(device, _PATH_DEV, sizeof(device));
|
||||||
p = device + sizeof(_PATH_DEV) - 1;
|
p = device + sizeof(_PATH_DEV) - 1;
|
||||||
|
strlcpy(p, line, sizeof(device) - sizeof(_PATH_DEV));
|
||||||
if (strncmp(p, "pts/", 4) == 0)
|
if (strncmp(p, "pts/", 4) == 0)
|
||||||
p += 4;
|
p += 4;
|
||||||
if (strchr(p, '/') != NULL) {
|
if (strchr(p, '/') != NULL) {
|
||||||
|
Loading…
Reference in New Issue
Block a user