Buffer overflow from OpenBSD:
Rev 1.4 deraadt: (partial from full commit, other files not done yet) proactive bounds checking; help from millert Rev 1.5 millert: Possible buf oflow. Plus minor style nits to keep the style police happy (I hope) Obtained from: OpenBSD
This commit is contained in:
parent
c50189d7ba
commit
d583a7c3cb
|
@ -199,13 +199,14 @@ displayq(format)
|
|||
*/
|
||||
if (nitems)
|
||||
putchar('\n');
|
||||
(void) sprintf(line, "%c%s", format + '\3', RP);
|
||||
(void) snprintf(line, sizeof(line), "%c%s", format + '\3', RP);
|
||||
cp = line;
|
||||
for (i = 0; i < requests; i++) {
|
||||
for (i = 0; i < requests && cp-line+10 < sizeof(line); i++) {
|
||||
cp += strlen(cp);
|
||||
(void) sprintf(cp, " %d", requ[i]);
|
||||
}
|
||||
for (i = 0; i < users; i++) {
|
||||
for (i = 0; i < users && cp - line + 1 + strlen(user[i]) <
|
||||
sizeof(line); i++) {
|
||||
cp += strlen(cp);
|
||||
*cp++ = ' ';
|
||||
(void) strcpy(cp, user[i]);
|
||||
|
@ -295,8 +296,10 @@ inform(cf)
|
|||
default: /* some format specifer and file name? */
|
||||
if (line[0] < 'a' || line[0] > 'z')
|
||||
continue;
|
||||
if (j == 0 || strcmp(file, line+1) != 0)
|
||||
(void) strcpy(file, line+1);
|
||||
if (j == 0 || strcmp(file, line+1) != 0) {
|
||||
(void) strncpy(file, line+1, sizeof(file) - 1);
|
||||
file[sizeof(file) - 1] = '\0';
|
||||
}
|
||||
j++;
|
||||
continue;
|
||||
case 'N':
|
||||
|
|
Loading…
Reference in New Issue