diff options
| author |   millert <millert@openbsd.org> | 2001-08-29 21:43:18 +0000 |
|---|---|---|
| committer | millert <millert@openbsd.org> | 2001-08-29 21:43:18 +0000 |
| commit | c71c16a0777ddee63063649a50c00ef4cc6aea7f (patch) | |
| tree | 0e807fdcc67a7eaf7ad629f44a99e184723ecacc | |
| parent | clear the malloc'd buffer, otherwise source() will leak malloc'd memory; ok theo@ (diff) | |
| download | wireguard-openbsd-c71c16a0777ddee63063649a50c00ef4cc6aea7f.tar.xz wireguard-openbsd-c71c16a0777ddee63063649a50c00ef4cc6aea7f.zip | |
Fix buffer oflow reading from queue file. While we are at it, crank
the size of buffers that can hold filenames to MAXPATHLEN.
| -rw-r--r-- | usr.sbin/lpr/common_source/displayq.c | 24 |
1 files changed, 15 insertions, 9 deletions
diff --git a/usr.sbin/lpr/common_source/displayq.c b/usr.sbin/lpr/common_source/displayq.c index 6524a759d39..960e3dab113 100644 --- a/usr.sbin/lpr/common_source/displayq.c +++ b/usr.sbin/lpr/common_source/displayq.c @@ -1,4 +1,4 @@ -/* $OpenBSD: displayq.c,v 1.11 2001/06/22 15:27:19 lebel Exp $ */ +/* $OpenBSD: displayq.c,v 1.12 2001/08/29 21:43:18 millert Exp $ */ /* * Copyright (c) 1983, 1993 @@ -37,7 +37,7 @@ #if 0 static char sccsid[] = "@(#)displayq.c 8.4 (Berkeley) 4/28/95"; #else -static char rcsid[] = "$OpenBSD: displayq.c,v 1.11 2001/06/22 15:27:19 lebel Exp $"; +static char rcsid[] = "$OpenBSD: displayq.c,v 1.12 2001/08/29 21:43:18 millert Exp $"; #endif #endif /* not lint */ @@ -75,8 +75,8 @@ extern int users; /* # of users in user array */ extern uid_t uid, euid; static int col; /* column on screen */ -static char current[40]; /* current file being printed */ -static char file[132]; /* print file name */ +static char current[MAXPATHLEN]; /* current file being printed */ +static char file[MAXPATHLEN]; /* print file name */ static int first; /* first file in ``files'' column? */ static int garbage; /* # of garbage cf files */ static int lflag; /* long output option */ @@ -95,7 +95,7 @@ displayq(format) { register struct queue *q; register int i, nitems, fd, ret, len; - register char *cp; + register char *cp, *ecp; struct queue **queue; struct stat statb; FILE *fp; @@ -168,8 +168,11 @@ displayq(format) else { /* get daemon pid */ cp = current; - while ((i = getc(fp)) != EOF && i != '\n') - *cp++ = i; + ecp = cp + sizeof(current) - 1; + while ((i = getc(fp)) != EOF && i != '\n') { + if (cp < ecp) + *cp++ = i; + } *cp = '\0'; i = atoi(current); if (i <= 0) { @@ -184,8 +187,11 @@ displayq(format) } else { /* read current file name */ cp = current; - while ((i = getc(fp)) != EOF && i != '\n') - *cp++ = i; + ecp = cp + sizeof(current) - 1; + while ((i = getc(fp)) != EOF && i != '\n') { + if (cp < ecp) + *cp++ = i; + } *cp = '\0'; /* * Print the status file. |