d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix potential buffer overflow and undefined behavior.

Browse Source 
The buffer allocated in read_chat() could be 1 element too short, if the
chatstr parameter passed in is 1 or 3 charachters long (e.g. "a" or "a b").
The allocation of the pointer array does not account for the terminating
NULL pointer in that case.

Overlapping source and destination strings are undefined in strcpy().
Instead of moving a string to the left by one character just increment the
char pointer before it is assigned to the results array.

MFC after:	2 weeks
This commit is contained in:
se 2019-01-26 20:43:28 +00:00
parent 2af21b0f61
commit 4a8a970d5e
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
libexec/getty/chat.c
View File

@ -141,7 +141,7 @@ read_chat(char **chatstr)
int l;
if ((l=strlen(str)) > 0 && (tmp=malloc(l + 1)) != NULL &&
(res=malloc((l / 2 + 1) * sizeof(char *))) != NULL) {
(res=malloc(((l + 1) / 2 + 1) * sizeof(char *))) != NULL) {
static char ws[] = " \t";
char * p;
@ -216,7 +216,7 @@ read_chat(char **chatstr)
q = strrchr(p+1, *p);
if (q != NULL && *q == *p && q[1] == '\0') {
*q = '\0';
strcpy(p, p+1);
p++;
}
}