Fix buffer overflow. prompt didn't get a size for its buffer,

so it could overflow it. Also made some filenames MAXPATHLEN long rather than 80 long.
1997-08-22 22:14:16 +00:00 · 1997-08-22 22:14:16 +00:00 · 29ae2e935b
commit 29ae2e935b
parent 2ebbbbc19a
3 changed files with 25 additions and 20 deletions
--- a/usr.bin/tip/tip/cmds.c
+++ b/usr.bin/tip/tip/cmds.c
@ -36,7 +36,7 @@
 static char sccsid[] = "@(#)cmds.c	8.1 (Berkeley) 6/6/93";
 #endif
 static const char rcsid[] =
-	"$Id$";
+	"$Id: cmds.c,v 1.3 1997/08/18 07:16:00 charnier Exp $";
 #endif /* not lint */

 #include "tipconf.h"
@ -137,7 +137,7 @@ getfl(c)
 	/*
 	 * get the UNIX receiving file's name
 	 */
-	if (prompt("Local file name? ", copyname))
+	if (prompt("Local file name? ", copyname, sizeof(copyname)))
 		return;
 	cp = expand(copyname);
 	if ((sfd = creat(cp, 0666)) < 0) {
@ -148,7 +148,7 @@ getfl(c)
 	/*
 	 * collect parameters
 	 */
-	if (prompt("List command for remote system? ", buf)) {
+	if (prompt("List command for remote system? ", buf, sizeof(buf))) {
 		unlink(copyname);
 		return;
 	}
@ -165,7 +165,7 @@ cu_take(cc)
 	int fd, argc;
 	char line[BUFSIZ], *expand(), *cp;

-	if (prompt("[take] ", copyname))
+	if (prompt("[take] ", copyname, sizeof(copyname)))
 		return;
 	if ((argc = args(copyname, argv)) < 1 || argc > 2) {
 		printf("usage: <take> from [to]\r\n");
@ -348,7 +348,7 @@ pipefile()
 	int status, p;
 	extern int errno;

-	if (prompt("Local command? ", buf))
+	if (prompt("Local command? ", buf, sizeof(buf)))
 		return;

 	if (pipe(pdes)) {
@ -360,7 +360,7 @@ pipefile()
 		printf("can't fork!\r\n");
 		return;
 	} else if (cpid) {
-		if (prompt("List command for remote system? ", buf)) {
+		if (prompt("List command for remote system? ", buf, sizeof(buf))) {
 			close(pdes[0]), close(pdes[1]);
 			kill (cpid, SIGKILL);
 		} else {
@ -412,7 +412,7 @@ sendfile(cc)
 	/*
 	 * get file name
 	 */
-	if (prompt("Local file name? ", fname))
+	if (prompt("Local file name? ", fname, sizeof(fname)))
 		return;

 	/*
@ -539,7 +539,7 @@ cu_put(cc)
 	char *expand();
 	char *copynamex;

-	if (prompt("[put] ", copyname))
+	if (prompt("[put] ", copyname, sizeof(copyname)))
 		return;
 	if ((argc = args(copyname, argv)) < 1 || argc > 2) {
 		printf("usage: <put> from [to]\r\n");
@ -616,7 +616,7 @@ pipeout(c)
 	time_t start;

 	putchar(c);
-	if (prompt("Local command? ", buf))
+	if (prompt("Local command? ", buf, sizeof(buf)))
 		return;
 	kill(pid, SIGIOT);	/* put TIPOUT into a wait state */
 	signal(SIGINT, SIG_IGN);
@ -717,7 +717,7 @@ consh(c)
 {
 	char buf[256];
 	putchar(c);
-	if (prompt("Local command? ", buf))
+	if (prompt("Local command? ", buf, sizeof(buf)))
 		return;
 	tiplink (buf, TL_SIGNAL_TIPOUT | TL_VERBOSE);
 }
@ -787,10 +787,10 @@ setscript()
 void
 chdirectory()
 {
-	char dirname[80];
+	char dirname[MAXPATHLEN];
 	register char *cp = dirname;

-	if (prompt("[cd] ", dirname)) {
+	if (prompt("[cd] ", dirname, sizeof(dirname))) {
 		if (stoprompt)
 			return;
 		cp = value(HOME);
@ -904,7 +904,7 @@ variable()
 {
 	char	buf[256];

-	if (prompt("[set] ", buf))
+	if (prompt("[set] ", buf, sizeof(buf)))
 		return;
 	vlex(buf);
 	if (vtable[BEAUTIFY].v_access&CHANGED) {
--- a/usr.bin/tip/tip/tip.c
+++ b/usr.bin/tip/tip/tip.c
@ -42,7 +42,7 @@ static const char copyright[] =
 static char sccsid[] = "@(#)tip.c	8.1 (Berkeley) 6/6/93";
 #endif
 static const char rcsid[] =
-	"$Id$";
+	"$Id: tip.c,v 1.3 1997/08/18 07:16:06 charnier Exp $";
 #endif /* not lint */

 /*
@ -88,7 +88,7 @@ void setparity __P((char *));
 void pwrite __P((int, char *, int));
 char escape __P((void));
 void tipin __P((void));
-int prompt __P((char *, char *));
+int prompt __P((char *, char *, int));
 void unraw __P((void));
 void shell_uid __P((void));
 void daemon_uid __P((void));
@ -377,9 +377,10 @@ static	jmp_buf promptbuf;
 *  normal erase and kill characters.
 */
 int
-prompt(s, p)
+prompt(s, p, sz)
 	char *s;
 	register char *p;
+	int sz;
 {
 	register char *b = p;
 	sig_t oint, oquit;
@ -390,7 +391,7 @@ prompt(s, p)
 	unraw();
 	printf("%s", s);
 	if (setjmp(promptbuf) == 0)
-		while ((*p = getchar()) != EOF && *p != '\n')
+		while ((*p = getchar()) != EOF && *p != '\n' && --sz > 0)
 			p++;
 	*p = '\0';

--- a/usr.bin/tip/tip/tip.h
+++ b/usr.bin/tip/tip/tip.h
@ -42,6 +42,7 @@
 #include <machine/endian.h>
 #include <sys/file.h>
 #include <sys/time.h>
+#include <sys/param.h>

 #if HAVE_TERMIOS
 #include <sys/ioctl.h>         /* for TIOCHPCL */
@ -253,6 +254,9 @@ void logent __P((char *, char *, char *, char*));
 #define NOVAL	((value_t *)NULL)
 #define NOACU	((acu_t *)NULL)
 #define NOSTR	((char *)NULL)
+#ifdef NOFILE
+#undef NOFILE
+#endif
 #define NOFILE	((FILE *)NULL)
 #define NOPWD	((struct passwd *)0)

@ -286,8 +290,8 @@ int	stoprompt;		/* for interrupting a prompt session */
 int	timedout;		/* ~> transfer timedout */
 int	cumode;			/* simulating the "cu" program */

-char	fname[80];		/* file name buffer for ~< */
-char	copyname[80];		/* file name buffer for ~> */
+char	fname[MAXPATHLEN];	/* file name buffer for ~< */
+char	copyname[MAXPATHLEN];	/* file name buffer for ~> */
 char	ccc;			/* synchronization character */
 char	ch;			/* for tipout */
 char	*uucplock;		/* name of lock file for uucp's */
@ -313,7 +317,7 @@ extern	void disconnect __P((char *));
 extern	void shell_uid __P((void));
 extern	void unraw __P((void));
 extern	void pwrite __P((int, char *, int));
-extern	int prompt __P((char *, char *));
+extern	int prompt __P((char *, char *, int));
 extern	void  consh __P((int));
 extern	void tipabort __P((char *));