diff options
author | emax <emax@FreeBSD.org> | 2003-12-19 18:15:56 +0000 |
---|---|---|
committer | emax <emax@FreeBSD.org> | 2003-12-19 18:15:56 +0000 |
commit | caca8e2d8a466f4192a1daad8283891ac11a4f2d (patch) | |
tree | 9e41c208f01caa9304e9886adcb35abc47dd1e5d | |
parent | c5924298abb44b80ff5a9a6eb0c7f3b28a553b94 (diff) | |
download | FreeBSD-src-caca8e2d8a466f4192a1daad8283891ac11a4f2d.zip FreeBSD-src-caca8e2d8a466f4192a1daad8283891ac11a4f2d.tar.gz |
Fix uncontrolled access to the buffer in rfcomm_sppd(1).
Fix typo in hcsecd(8) man page.
Submitted by: Guido Falsi <mad@madpilot.net>
Reviewed by: imp (mentor)
Approved by: imp (mentor)
-rw-r--r-- | usr.bin/bluetooth/rfcomm_sppd/rfcomm_sppd.c | 25 | ||||
-rw-r--r-- | usr.sbin/bluetooth/hcsecd/hcsecd.8 | 4 |
2 files changed, 23 insertions, 6 deletions
diff --git a/usr.bin/bluetooth/rfcomm_sppd/rfcomm_sppd.c b/usr.bin/bluetooth/rfcomm_sppd/rfcomm_sppd.c index ee689be..15709ed 100644 --- a/usr.bin/bluetooth/rfcomm_sppd/rfcomm_sppd.c +++ b/usr.bin/bluetooth/rfcomm_sppd/rfcomm_sppd.c @@ -36,6 +36,7 @@ #include <fcntl.h> #include <grp.h> #include <limits.h> +#include <paths.h> #include <sdp.h> #include <signal.h> #include <stdarg.h> @@ -99,7 +100,10 @@ main(int argc, char *argv[]) break; case 't': /* Slave TTY name */ - tty = optarg; + if (optarg[0] != '/') + asprintf(&tty, "%s%s", _PATH_DEV, optarg); + else + tty = optarg; break; case 'h': @@ -255,18 +259,31 @@ main(int argc, char *argv[]) static int sppd_ttys_open(char const *tty, int *amaster, int *aslave) { - char pty[PATH_MAX]; + char pty[PATH_MAX], *slash = NULL; struct group *gr = NULL; gid_t ttygid; struct termios tio; /* - * Master PTY + * Construct master PTY name. The slave tty name must be less then + * PATH_MAX characters in length, must contain '/' character and + * must not end with '/'. */ + if (strlen(tty) >= sizeof(pty)) { + syslog(LOG_ERR, "Slave tty name is too long"); + return (-1); + } + strlcpy(pty, tty, sizeof(pty)); - pty[5] = 'p'; + slash = strrchr(pty, '/'); + if (slash == NULL || slash[1] == 0) { + syslog(LOG_ERR, "Invalid slave tty name (%s)", tty); + return (-1); + } + slash[1] = 'p'; + if (strcmp(pty, tty) == 0) { syslog(LOG_ERR, "Master and slave tty are the same (%s)", tty); return (-1); diff --git a/usr.sbin/bluetooth/hcsecd/hcsecd.8 b/usr.sbin/bluetooth/hcsecd/hcsecd.8 index 1a3bb09..b7c2322 100644 --- a/usr.sbin/bluetooth/hcsecd/hcsecd.8 +++ b/usr.sbin/bluetooth/hcsecd/hcsecd.8 @@ -115,8 +115,8 @@ PIN codes. .Sh FILES .Bl -tag -width ".Pa /etc/bluetooth/hcsecd.conf" -compact .It Pa /etc/bluetooth/hcsecd.conf -.It Pa /var/db/hcsecd.pid -.It Pa /var/run/hcsecd.keys +.It Pa /var/db/hcsecd.keys +.It Pa /var/run/hcsecd.pid .El .Sh SEE ALSO .Xr ng_btsocket 4 , |