Pedro F. Giffuni a8126b4c70 Revert r286144 leaving the original fix to the buffer overflow.
Some developers consider the new code unnecessarily obfuscated.
There was also a benign off-by-one.

Discussed with:	bde, vangyzen, jmallett
2015-08-04 02:56:31 +00:00

168 lines
4.7 KiB
C

/*
* Copyright (c) 1989, 1993
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
#ifndef lint
static const char sccsid[] = "@(#)ttymsg.c 8.2 (Berkeley) 11/16/93";
#endif
#include <sys/types.h>
#include <sys/uio.h>
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <paths.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include "ttymsg.h"
/*
* Display the contents of a uio structure on a terminal. Used by wall(1),
* syslogd(8), and talkd(8). Forks and finishes in child if write would block,
* waiting up to tmout seconds. Returns pointer to error string on unexpected
* error; string is not newline-terminated. Various "normal" errors are
* ignored (exclusive-use, lack of permission, etc.).
*/
const char *
ttymsg(struct iovec *iov, int iovcnt, const char *line, int tmout)
{
struct iovec localiov[7];
ssize_t left, wret;
int cnt, fd;
char device[MAXNAMLEN] = _PATH_DEV;
static char errbuf[1024];
char *p;
int forked;
forked = 0;
if (iovcnt > (int)(sizeof(localiov) / sizeof(localiov[0])))
return ("too many iov's (change code in wall/ttymsg.c)");
strlcat(device, line, sizeof(device));
p = device + sizeof(_PATH_DEV) - 1;
if (strncmp(p, "pts/", 4) == 0)
p += 4;
if (strchr(p, '/') != NULL) {
/* A slash is an attempt to break security... */
(void) snprintf(errbuf, sizeof(errbuf),
"Too many '/' in \"%s\"", device);
return (errbuf);
}
/*
* open will fail on slip lines or exclusive-use lines
* if not running as root; not an error.
*/
if ((fd = open(device, O_WRONLY|O_NONBLOCK, 0)) < 0) {
if (errno == EBUSY || errno == EACCES)
return (NULL);
(void) snprintf(errbuf, sizeof(errbuf), "%s: %s", device,
strerror(errno));
return (errbuf);
}
for (cnt = 0, left = 0; cnt < iovcnt; ++cnt)
left += iov[cnt].iov_len;
for (;;) {
wret = writev(fd, iov, iovcnt);
if (wret >= left)
break;
if (wret >= 0) {
left -= wret;
if (iov != localiov) {
bcopy(iov, localiov,
iovcnt * sizeof(struct iovec));
iov = localiov;
}
for (cnt = 0; (size_t)wret >= iov->iov_len; ++cnt) {
wret -= iov->iov_len;
++iov;
--iovcnt;
}
if (wret) {
iov->iov_base = (char *)iov->iov_base + wret;
iov->iov_len -= wret;
}
continue;
}
if (errno == EWOULDBLOCK) {
int cpid;
if (forked) {
(void) close(fd);
_exit(1);
}
cpid = fork();
if (cpid < 0) {
(void) snprintf(errbuf, sizeof(errbuf),
"fork: %s", strerror(errno));
(void) close(fd);
return (errbuf);
}
if (cpid) { /* parent */
(void) close(fd);
return (NULL);
}
forked++;
/* wait at most tmout seconds */
(void) signal(SIGALRM, SIG_DFL);
(void) signal(SIGTERM, SIG_DFL); /* XXX */
(void) sigsetmask(0);
(void) alarm((u_int)tmout);
(void) fcntl(fd, F_SETFL, 0); /* clear O_NONBLOCK */
continue;
}
/*
* We get ENODEV on a slip line if we're running as root,
* and EIO if the line just went away.
*/
if (errno == ENODEV || errno == EIO)
break;
(void) close(fd);
if (forked)
_exit(1);
(void) snprintf(errbuf, sizeof(errbuf),
"%s: %s", device, strerror(errno));
return (errbuf);
}
(void) close(fd);
if (forked)
_exit(0);
return (NULL);
}