diff options
| author | kris <kris@FreeBSD.org> | 2000-08-05 04:56:43 +0000 |
|---|---|---|
| committer | kris <kris@FreeBSD.org> | 2000-08-05 04:56:43 +0000 |
| commit | 04e6eba710d557b79bc9378f660a31bb68b1e525 (patch) | |
| tree | 635ee00b22781e6d3531eccb70f2fcf13b43c914 /lib/libc | |
| parent | 7ec758080b907d46febe5826c1a9032b736c3427 (diff) | |
| download | FreeBSD-src-04e6eba710d557b79bc9378f660a31bb68b1e525.zip FreeBSD-src-04e6eba710d557b79bc9378f660a31bb68b1e525.tar.gz | |
Prevent internal buffer overflow due to expansion of $LANG and/or name
argument in catopen().
Reviewed by: chris, -audit
Diffstat (limited to 'lib/libc')
| -rw-r--r-- | lib/libc/nls/msgcat.c | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/lib/libc/nls/msgcat.c b/lib/libc/nls/msgcat.c index f1355df..ee97058 100644 --- a/lib/libc/nls/msgcat.c +++ b/lib/libc/nls/msgcat.c @@ -91,8 +91,9 @@ int type; __const char *catpath = NULL; char *nlspath; char *lang; - long len; char *base, *cptr, *pathP; + int spcleft; + long len; struct stat sbuf; if (!name || !*name) { @@ -129,13 +130,20 @@ int type; *cptr = '\0'; for (pathP = path; *nlspath; ++nlspath) { if (*nlspath == '%') { + spcleft = sizeof(path) - (pathP - path); if (*(nlspath + 1) == 'L') { ++nlspath; - strcpy(pathP, lang); + if (strlcpy(pathP, lang, spcleft) >= spcleft) { + errno = ENAMETOOLONG; + return(NLERR); + } pathP += strlen(lang); } else if (*(nlspath + 1) == 'N') { ++nlspath; - strcpy(pathP, name); + if (strlcpy(pathP, name, spcleft) >= spcleft) { + errno = ENAMETOOLONG; + return(NLERR); + } pathP += strlen(name); } else *(pathP++) = *nlspath; } else *(pathP++) = *nlspath; |
