author | imp <imp@FreeBSD.org> | 1997-03-23 23:31:50 +0000 |
---|---|---|
committer | imp <imp@FreeBSD.org> | 1997-03-23 23:31:50 +0000 |
commit | b7a55510a333496f08800a8437f838c5cb5d95bc (patch) | |
tree | 107420f8e0742f2992318a8658425c3adcd5b6a8 /lib/libc | |
parent | c2a7cee0eee6c5ae03b13f08f2778809ed41c44b (diff) | |
Buffer overflow. Similar, but different, to the fix that Julian A submitted
in PR 2580.
Obtained from: BSDi by way of Keith Bostic
Should be in 2.2 and 2.1.x. I'll merge into 2.2.
Diffstat (limited to 'lib/libc')
-rw-r--r-- | lib/libc/gen/glob.c | 24 |
1 files changed, 15 insertions, 9 deletions
diff --git a/lib/libc/gen/glob.c b/lib/libc/gen/glob.c
index 1c55dc0..5355f69 100644
--- a/lib/libc/gen/glob.c
+++ b/lib/libc/gen/glob.c
@@ -142,7 +142,7 @@ static int glob1 __P((Char *, glob_t *));
 static int glob2 __P((Char *, Char *, Char *, glob_t *));
 static int glob3 __P((Char *, Char *, Char *, Char *, glob_t *));
 static int globextend __P((const Char *, glob_t *));
-static const Char * globtilde __P((const Char *, Char *, glob_t *));
+static const Char * globtilde __P((const Char *, Char *, size_t, glob_t *));
 static int globexp1 __P((const Char *, glob_t *));
 static int globexp2 __P((const Char *, const Char *, glob_t *, int *));
 static int match __P((Char *, Char *, Char *));
@@ -332,22 +332,26 @@ static int globexp2(ptr, pattern, pglob, rv)
 * expand tilde from the passwd file.
 */
 static const Char *
-globtilde(pattern, patbuf, pglob)
+globtilde(pattern, patbuf, patbuf_len, pglob)
 const Char *pattern;
 Char *patbuf;
+ size_t patbuf_len;
 glob_t *pglob;
 {
 struct passwd *pwd;
 char *h;
 const Char *p;
- Char *b;
+ Char *b, *eb;
 if (*pattern != TILDE || !(pglob->gl_flags & GLOB_TILDE))
 return pattern;
- /* Copy up to the end of the string or / */
- for (p = pattern + 1, h = (char *) patbuf; *p && *p != SLASH;
- *h++ = *p++)
+ /*
+ * Copy up to the end of the string or /
+ */
+ eb = &patbuf[patbuf_len - 1];
+ for (p = pattern + 1, h = (char *) patbuf;
+ h < (char *)eb && *p && *p != SLASH; *h++ = *p++)
 continue;
 *h = EOS;
@@ -375,12 +379,13 @@ globtilde(pattern, patbuf, pglob)
 }
 /* Copy the home directory */
- for (b = patbuf; *h; *b++ = *h++)
+ for (b = patbuf; b < eb && *h; *b++ = *h++)
 continue;
 /* Append the rest of the pattern */
- while ((*b++ = *p++) != EOS)
+ while (b < eb && (*b++ = *p++) != EOS)
 continue;
+ *b = EOS;
 return patbuf;
 }
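Review bot: The new bounds in globtilde stop the copies at `eb` but treat truncation as success, so an over-long `~user/...` pattern is silently rewritten instead of rejected. In the first loop a user name that does not fit leaves `p` in the middle of the name and the shortened name goes on to the passwd lookup (which sits between the two hunks and is not shown); adding `if (*p != EOS && *p != SLASH) return pattern;` right after that loop would leave such a pattern unexpanded. The same applies to the home-directory and rest-of-pattern loops in the following hunk: when `b` reaches `eb` with input left, glob then runs on a cut-off path that the caller never asked for, which matters where patterns come from untrusted clients. Returning a failure there (for example NULL, with glob0 mapping it to GLOB_NOSPACE) would be safer, though that needs a matching check at the call site.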
@@ -402,7 +407,8 @@ glob0(pattern, pglob)
 int c, err, oldpathc;
 Char *bufnext, patbuf[MAXPATHLEN+1];
- qpatnext = globtilde(pattern, patbuf, pglob);
+ qpatnext = globtilde(pattern, patbuf, sizeof(patbuf) / sizeof(Char),
+ pglob);
 oldpathc = pglob->gl_pathc;
 bufnext = patbuf; |
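Review bot: The element count passed here is correct only because `patbuf` is a true array of Char in glob0; writing it as `sizeof(patbuf) / sizeof(patbuf[0])` would keep the count tied to the declaration if the element type ever changes. Nothing at globtilde's definition says that `patbuf_len` counts Char elements rather than bytes, which is easy to misread because the function also walks the buffer through a `char *`; a comment such as `/* patbuf_len: capacity of patbuf in Chars, including the terminator */` there would settle it. glob0 starts and ends outside this hunk.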