authorkris <kris@FreeBSD.org>1999-11-25 07:28:54 +0000
committerkris <kris@FreeBSD.org>1999-11-25 07:28:54 +0000
commit9aee982353e83b863fc3e5da7c23bef69bcfad0f (patch)
tree4d222a3114ccdcc8408165eb1628c56f3cec9615
parentbc55786850e1729c2766de25bd91b77aa746a313 (diff)
Fix a buffer overflow due to sending strings >1k in length. This is unlikely
to be a security problem, but it's not totally impossible. OpenBSD take note

Reviewed by: imp
-rw-r--r--usr.bin/chat/chat.c16
1 files changed, 9 insertions, 7 deletions
diff --git a/usr.bin/chat/chat.c b/usr.bin/chat/chat.c
index 217dc30..fd71405 100644
--- a/usr.bin/chat/chat.c
+++ b/usr.bin/chat/chat.c
@@ -655,7 +655,8 @@ int sending; /* set to 1 when sending (putting) this string. */
#define isoctal(chr) (((chr) >= '0') && ((chr) <= '7'))
s1 = temp;
- while (*s) {
+ /* Don't overflow buffer, leave room for chars we append later */
+ while (*s && s1 - temp < sizeof(temp) - 2 - add_return) {
cur_chr = *s++;
if (cur_chr == '^') {
cur_chr = *s++;
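Review bot: The new loop condition checks the remaining space only once per pass, so its reserve of `2 + add_return` bytes holds only if each pass stores at most one byte in `temp`. The loop body continues outside this hunk; if any escape branch there stores two bytes in one pass, the terminating writes after the loop could still land one byte past the end of `temp`. Reserving one more byte, `while (*s && s1 - temp < sizeof(temp) - 3 - add_return) {`, would cover a two-byte store. The loop also stops without any diagnostic, so an over-long string is shortened silently; a `logf()` call after the loop when `*s` is still non-zero would make the truncation visible to the operator.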
@@ -1275,6 +1276,13 @@ register char *string;
char *logged = temp;
fail_reason = (char *)0;
+
+ if (strlen(string) > STR_LEN) {
+ logf("expect string is too long");
+ exit_code = 1;
+ return 0;
+ }
+
string = clean(string, 0);
len = strlen(string);
minlen = (len > sizeof(fail_buffer)? len: sizeof(fail_buffer)) - 1;
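Review bot: The relocated test `strlen(string) > STR_LEN` measures the raw, still-escaped string and accepts one of exactly STR_LEN characters, which `clean(string, 0)` may then shorten without a log message. This assumes the loop bounded earlier in this commit belongs to clean() and that its `temp` is STR_LEN bytes; both are inferred, since the declarations are outside the hunks. If so, the check should match the space clean() actually leaves, for example `if (strlen(string) >= STR_LEN - 1) {`, so that every over-long expect string is rejected here rather than truncated. A short comment such as `/* reject before clean(): it copies into a fixed-size buffer */` would also record why the test has to come first.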
@@ -1282,12 +1290,6 @@ register char *string;
if (verbose)
logf("expect (%v)", string);
- if (len > STR_LEN) {
- logf("expect string is too long");
- exit_code = 1;
- return 0;
- }
-
if (len == 0) {
if (verbose)
logf("got it");