d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix potential buffer overflow and undefined behavior.

Browse Source 
The buffer allocated in read_chat() could be 1 element too short, if the
chatstr parameter passed in is 1 or 3 charachters long (e.g. "a" or "a b").
The allocation of the pointer array does not account for the terminating
NULL pointer in that case.

Overlapping source and destination strings are undefined in strcpy().
Instead of moving a string to the left by one character just increment the
char pointer before it is assigned to the results array.

MFC after:	2 weeks
This commit is contained in:
Stefan Eßer 2019-01-26 20:43:28 +00:00
parent 030a1f8ba2
commit 71bc4af6ed
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
libexec/getty/chat.c
View File

@ -141,7 +141,7 @@ read_chat(char **chatstr)
int l;
if ((l=strlen(str)) > 0 && (tmp=malloc(l + 1)) != NULL &&
(res=malloc((l / 2 + 1) * sizeof(char *))) != NULL) {
(res=malloc(((l + 1) / 2 + 1) * sizeof(char *))) != NULL) {
static char ws[] = " \t";
char * p;
@ -216,7 +216,7 @@ read_chat(char **chatstr)
q = strrchr(p+1, *p);
if (q != NULL && *q == *p && q[1] == '\0') {
*q = '\0';
strcpy(p, p+1);
p++;
}
}