Fix buffer overflow copying the ``kernel'' command-line argument into

buffers. The buffers have been resized from the irrelevant BUFSIZ to the more relevant MAXPATHLEN + 1. Reported by: Mike Heffner <spock@techfour.net>
author: sheldonh <sheldonh@FreeBSD.org> 2000-03-29 17:22:10 +0000
committer: sheldonh <sheldonh@FreeBSD.org> 2000-03-29 17:22:10 +0000
commit: 21bd5ff01f78858e662621cfeb51bc437364f8f8 (patch)
tree: fed962481a6629a57d1f552b221f177a228b28d1
parent: 5f599b5670452586443602616c34d91d90198c73 (diff)
download: FreeBSD-src-21bd5ff01f78858e662621cfeb51bc437364f8f8.zip
FreeBSD-src-21bd5ff01f78858e662621cfeb51bc437364f8f8.tar.gz
1 files changed, 4 insertions, 2 deletions
diff --git a/usr.bin/kzip/kzip.c b/usr.bin/kzip/kzip.c
index 430dcc3..97e1a4d 100644
--- a/usr.bin/kzip/kzip.c
+++ b/usr.bin/kzip/kzip.c
@@ -51,8 +51,8 @@ main(int argc, char **argv)
 	struct stat st;
 	u_long forceaddr = 0, entry;
 	char *kernname;
-	char obj[BUFSIZ];
-	char out[BUFSIZ];
+	char obj[MAXPATHLEN + 1];
+	char out[MAXPATHLEN + 1];
 	char base[32];
 	
 	while ((c = getopt(argc, argv, "l:v")) != -1) {
@@ -78,6 +78,8 @@ main(int argc, char **argv)
 
 	kernname = argv[0];
 			
+	if (strlen(kernname) > MAXPATHLEN - 3)
+		errx(1, "%s: File name too long", kernname);
 	strcpy(obj, kernname); strcat(obj,".o");
 	strcpy(out, kernname); strcat(out,".kz");
author	sheldonh <sheldonh@FreeBSD.org>	2000-03-29 17:22:10 +0000
committer	sheldonh <sheldonh@FreeBSD.org>	2000-03-29 17:22:10 +0000
commit	21bd5ff01f78858e662621cfeb51bc437364f8f8 (patch)
tree	fed962481a6629a57d1f552b221f177a228b28d1
parent	5f599b5670452586443602616c34d91d90198c73 (diff)
download	FreeBSD-src-21bd5ff01f78858e662621cfeb51bc437364f8f8.zip FreeBSD-src-21bd5ff01f78858e662621cfeb51bc437364f8f8.tar.gz