From 29ae2e935b1d446e9bf94dee2810a06dde2b0e56 Mon Sep 17 00:00:00 2001
From: Warner Losh
Date: Fri, 22 Aug 1997 22:14:16 +0000
Subject: [PATCH] Fix buffer overflow. prompt didn't get a size for its buffer, so it could overflow it. Also made some filenames MAXPATHLEN long rather than 80 long.
---
 usr.bin/tip/tip/cmds.c | 26 +++++++++++++-------------
 usr.bin/tip/tip/tip.c | 9 +++++----
 usr.bin/tip/tip/tip.h | 10 +++++++---
 3 files changed, 25 insertions(+), 20 deletions(-)
diff --git a/usr.bin/tip/tip/cmds.c b/usr.bin/tip/tip/cmds.c
index aecd0baaee6..335763ebebf 100644
--- a/usr.bin/tip/tip/cmds.c
+++ b/usr.bin/tip/tip/cmds.c
@@ -36,7 +36,7 @@
 static char sccsid[] = "@(#)cmds.c 8.1 (Berkeley) 6/6/93";
 #endif
 static const char rcsid[] =
- "$Id$";
+ "$Id: cmds.c,v 1.3 1997/08/18 07:16:00 charnier Exp $";
 #endif /* not lint */
 #include "tipconf.h"
@@ -137,7 +137,7 @@ getfl(c)
 /*
 * get the UNIX receiving file's name
 */
- if (prompt("Local file name? ", copyname))
+ if (prompt("Local file name? ", copyname, sizeof(copyname)))
 return;
 cp = expand(copyname);
 if ((sfd = creat(cp, 0666)) < 0) {
@@ -148,7 +148,7 @@ getfl(c)
 /*
 * collect parameters
 */
- if (prompt("List command for remote system? ", buf)) {
+ if (prompt("List command for remote system? ", buf, sizeof(buf))) {
 unlink(copyname);
 return;
 }
@@ -165,7 +165,7 @@ cu_take(cc)
 int fd, argc;
 char line[BUFSIZ], *expand(), *cp;
- if (prompt("[take] ", copyname))
+ if (prompt("[take] ", copyname, sizeof(copyname)))
 return;
 if ((argc = args(copyname, argv)) < 1 || argc > 2) {
 printf("usage: from [to]\r\n");
@@ -348,7 +348,7 @@ pipefile()
 int status, p;
 extern int errno;
- if (prompt("Local command? ", buf))
+ if (prompt("Local command? ", buf, sizeof(buf)))
 return;
 if (pipe(pdes)) {
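Review bot: `sizeof(buf)` in getfl's second prompt() call is a correct bound only if buf is a true array in that scope, and its declaration lies outside the hunk; were buf a pointer or an array parameter, `sizeof` would yield the pointer size instead of the buffer size. The same applies to the `sizeof(buf)` calls in pipefile and pipeout, whereas consh and variable show `char buf[256]` inside their hunks. Each declaration should be confirmed, or the size taken from a named constant that the declaration also uses.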
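Review bot: In cu_take the line after the changed call passes the same buffer to `args(copyname, argv)` with no capacity argument, while this commit grows copyname from 80 bytes to MAXPATHLEN (tip.h hunk), so one input line can now carry many more words than before. args() and argv are defined outside the hunk; if args() stores one pointer per word without knowing how many slots argv has, the larger buffer makes an out-of-bounds store into argv easier to reach, which needs checking against their definitions. cu_put makes the same call. Passing the slot count, e.g. `args(copyname, argv, sizeof(argv)/sizeof(argv[0]))` (assuming argv is an array), with a matching limit inside args(), would bound it.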
@@ -360,7 +360,7 @@ pipefile()
 printf("can't fork!\r\n");
 return;
 } else if (cpid) {
- if (prompt("List command for remote system? ", buf)) {
+ if (prompt("List command for remote system? ", buf, sizeof(buf))) {
 close(pdes[0]), close(pdes[1]);
 kill (cpid, SIGKILL);
 } else {
@@ -412,7 +412,7 @@ sendfile(cc)
 /*
 * get file name
 */
- if (prompt("Local file name? ", fname))
+ if (prompt("Local file name? ", fname, sizeof(fname)))
 return;
 /*
@@ -539,7 +539,7 @@ cu_put(cc)
 char *expand();
 char *copynamex;
- if (prompt("[put] ", copyname))
+ if (prompt("[put] ", copyname, sizeof(copyname)))
 return;
 if ((argc = args(copyname, argv)) < 1 || argc > 2) {
 printf("usage: from [to]\r\n");
@@ -616,7 +616,7 @@ pipeout(c)
 time_t start;
 putchar(c);
- if (prompt("Local command? ", buf))
+ if (prompt("Local command? ", buf, sizeof(buf)))
 return;
 kill(pid, SIGIOT); /* put TIPOUT into a wait state */
 signal(SIGINT, SIG_IGN);
@@ -717,7 +717,7 @@ consh(c)
 {
 char buf[256];
 putchar(c);
- if (prompt("Local command? ", buf))
+ if (prompt("Local command? ", buf, sizeof(buf)))
 return;
 tiplink (buf, TL_SIGNAL_TIPOUT | TL_VERBOSE);
 }
@@ -787,10 +787,10 @@ setscript()
 void
 chdirectory()
 {
- char dirname[80];
+ char dirname[MAXPATHLEN];
 register char *cp = dirname;
- if (prompt("[cd] ", dirname)) {
+ if (prompt("[cd] ", dirname, sizeof(dirname))) {
 if (stoprompt)
 return;
 cp = value(HOME);
@@ -904,7 +904,7 @@ variable()
 {
 char buf[256];
- if (prompt("[set] ", buf))
+ if (prompt("[set] ", buf, sizeof(buf)))
 return;
 vlex(buf);
 if (vtable[BEAUTIFY].v_access&CHANGED) {
diff --git a/usr.bin/tip/tip/tip.c b/usr.bin/tip/tip/tip.c
index 5f597634e6f..1ddaa641899 100644
--- a/usr.bin/tip/tip/tip.c
+++ b/usr.bin/tip/tip/tip.c
@@ -42,7 +42,7 @@ static const char copyright[] =
 static char sccsid[] = "@(#)tip.c 8.1 (Berkeley) 6/6/93";
 #endif
 static const char rcsid[] =
- "$Id$";
+ "$Id: tip.c,v 1.3 1997/08/18 07:16:06 charnier Exp $";
 #endif /* not lint */
 /*
@@ -88,7 +88,7 @@ void setparity __P((char *));
 void pwrite __P((int, char *, int));
 char escape __P((void));
 void tipin __P((void));
-int prompt __P((char *, char *));
+int prompt __P((char *, char *, int));
 void unraw __P((void));
 void shell_uid __P((void));
 void daemon_uid __P((void));
@@ -377,9 +377,10 @@ static jmp_buf promptbuf;
 * normal erase and kill characters.
 */
 int
-prompt(s, p)
+prompt(s, p, sz)
 char *s;
 register char *p;
+ int sz;
 {
 register char *b = p;
 sig_t oint, oquit;
@@ -390,7 +391,7 @@ prompt(s, p)
 unraw();
 printf("%s", s);
 if (setjmp(promptbuf) == 0)
- while ((*p = getchar()) != EOF && *p != '\n')
+ while ((*p = getchar()) != EOF && *p != '\n' && --sz > 0)
 p++;
 *p = '\0';
diff --git a/usr.bin/tip/tip/tip.h b/usr.bin/tip/tip/tip.h
index 18ec692267d..fb7e6dbd904 100644
--- a/usr.bin/tip/tip/tip.h
+++ b/usr.bin/tip/tip/tip.h
@@ -42,6 +42,7 @@
 #include
 #include
 #include
+#include
 #if HAVE_TERMIOS
 #include /* for TIOCHPCL */
@@ -253,6 +254,9 @@ void logent __P((char *, char *, char *, char*));
 #define NOVAL ((value_t *)NULL)
 #define NOACU ((acu_t *)NULL)
 #define NOSTR ((char *)NULL)
+#ifdef NOFILE
+#undef NOFILE
+#endif
 #define NOFILE ((FILE *)NULL)
 #define NOPWD ((struct passwd *)0)
@@ -286,8 +290,8 @@ int stoprompt; /* for interrupting a prompt session */
 int timedout; /* ~> transfer timedout */
 int cumode; /* simulating the "cu" program */
-char fname[80]; /* file name buffer for ~< */
-char copyname[80]; /* file name buffer for ~> */
+char fname[MAXPATHLEN]; /* file name buffer for ~< */
+char copyname[MAXPATHLEN]; /* file name buffer for ~> */
 char ccc; /* synchronization character */
 char ch; /* for tipout */
 char *uucplock; /* name of lock file for uucp's */
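Review bot: The new `--sz > 0` test in prompt()'s read loop stops storing at the end of the buffer but neither consumes the rest of the typed line nor tells the caller that the input was cut. The unread tail stays on stdin for whatever reads next, and callers such as getfl and consh carry on with the truncated file name or command as though it were complete. The loop also still assigns `getchar()` to a `char` before comparing with EOF, so a 0xff byte can be taken for end of input, or EOF missed where char is unsigned. Reading into an int, storing only while room remains and draining up to the newline addresses all three; the start of the function and its return statement are outside the hunk, so signalling truncation through the return value would have to be added there.

```c
	/* ... unchanged: unraw(), printf("%s", s) ... */
	if (setjmp(promptbuf) == 0) {
		int c;		/* int keeps EOF distinct from a 0xff byte */

		while ((c = getchar()) != EOF && c != '\n')
			if (sz > 1) {	/* leave one byte for the terminator */
				*p++ = c;
				sz--;
			}
		/* an over-long tail is read and dropped, not left on stdin */
	}
	*p = '\0';
```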
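Review bot: The added `#ifdef NOFILE` / `#undef NOFILE` block in tip.h carries no comment saying whose NOFILE it discards or why. It appears to be needed because the header newly included at the top of tip.h (its name is not visible on this page; presumably the one that supplies MAXPATHLEN) defines its own NOFILE, which tip.h then redefines as `((FILE *)NULL)`. A one-line comment such as `/* the system header included for MAXPATHLEN defines NOFILE; tip uses the name for a null FILE pointer */` would keep a later cleanup from removing the guard. Any code that includes tip.h and expects the system meaning of NOFILE would silently get the pointer instead, which is worth a grep before merging.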
@@ -313,7 +317,7 @@ extern void disconnect __P((char *));
 extern void shell_uid __P((void));
 extern void unraw __P((void));
 extern void pwrite __P((int, char *, int));
-extern int prompt __P((char *, char *));
+extern int prompt __P((char *, char *, int));
 extern void consh __P((int));
 extern void tipabort __P((char *));