author | imp <imp@FreeBSD.org> | 1997-03-24 06:41:30 +0000 |
---|---|---|
committer | imp <imp@FreeBSD.org> | 1997-03-24 06:41:30 +0000 |
commit | fee23970ec725a60e9a15f560d58eced8d13ae41 (patch) | |
tree | bf315129818b913344fca7c2b9ee1adafa55117c /lib | |
parent | 6b885ecb71f8782d8ebec25b7e57b7e7436c8c97 (diff) | |
Don't overflow buffers, and only open alternative termcap files if we're
not running setuid or setgid.
Fixes PR 2586
Submitted by: Julian Assange
Diffstat (limited to 'lib')
-rw-r--r-- | lib/libtermcap/pathnames.h | 1 | ||||
-rw-r--r-- | lib/libtermcap/termcap.c | 9 |
2 files changed, 8 insertions, 2 deletions
diff --git a/lib/libtermcap/pathnames.h b/lib/libtermcap/pathnames.h
index db3ccf7..e77bab8 100644
--- a/lib/libtermcap/pathnames.h
+++ b/lib/libtermcap/pathnames.h
@@ -34,3 +34,4 @@
 */
 #define _PATH_DEF ".termcap /usr/share/misc/termcap"
+#define _PATH_DEF_SEC "/usr/share/misc/termcap"
diff --git a/lib/libtermcap/termcap.c b/lib/libtermcap/termcap.c
index 38cb1a2..d8966ec 100644
--- a/lib/libtermcap/termcap.c
+++ b/lib/libtermcap/termcap.c
@@ -105,8 +105,9 @@ tgetent(char *bp, const char *name)
 strncpy(pathbuf, termpath, PBUFSIZ);
 else {
 if ( (home = getenv("HOME")) ) {/* set up default */
- p += strlen(home); /* path, looking in */
- strcpy(pathbuf, home); /* $HOME first */
+ strncpy(pathbuf, home, PBUFSIZ - 1); /* $HOME first */
+ pathbuf[PBUFSIZ - 2] = '\0'; /* -2 because we add a slash */
+ p += strlen(pathbuf); /* path, looking in */
 *p++ = '/';
 } /* if no $HOME look in current directory */
 strncpy(p, _PATH_DEF, PBUFSIZ - (p - pathbuf));
@@ -114,7 +115,11 @@ tgetent(char *bp, const char *name)
 }
 else /* user-defined name in TERMCAP */
 strncpy(pathbuf, cp, PBUFSIZ); /* still can be tokenized */
+ pathbuf[PBUFSIZ - 1] = '\0';
+ /* XXX Should really be issetguid(), but we don't have that */
+ if (getuid() != geteuid() || getgid() != getegid())
+ strcpy(pathbuf, _PATH_DEF_SEC);
 *fname++ = pathbuf; /* tokenize path into vector of names */
 while (*++p)
 if (*p == ' ' || *p == ':') { |
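Review bot: In the `$HOME` branch an over-long HOME is silently truncated rather than rejected, so the search path can name a directory the user never specified, and the following `strncpy(p, _PATH_DEF, PBUFSIZ - (p - pathbuf))` can have as little as one byte left, which drops the system termcap from the list. Rejecting the value is safer than truncating it: `if ((home = getenv("HOME")) && strlen(home) + 1 + sizeof(_PATH_DEF) <= PBUFSIZ) {` keeps the whole default path inside the buffer and otherwise falls through to the current-directory default. The unchanged `strncpy(pathbuf, termpath, PBUFSIZ)` at the top of the hunk relies on the terminator that the next hunk adds. tgetent's body starts and ends outside this hunk, and `p` is presumably initialised to `pathbuf` before it.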
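Review bot: After `strcpy(pathbuf, _PATH_DEF_SEC)` the cursor `p` is not reset, yet the tokenizing loop `while (*++p)` that follows starts from it. If the `$HOME` branch in the previous hunk has already advanced `p` further than the length of `_PATH_DEF_SEC`, the loop would begin beyond the new terminator and walk over stale bytes of the discarded path; bracing the branch and adding `p = pathbuf;` after the `strcpy` avoids that. It would also be easier to reason about if the setuid/setgid test ran before any environment variable is copied, so that untrusted data never reaches `pathbuf` in a privileged process. The XXX comment presumably means `issetugid()`. The initialisation of `p` and the rest of tgetent lie outside the hunk, so this should be confirmed against the full function.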