diff options
author | guido <guido@FreeBSD.org> | 1997-01-01 14:08:47 +0000 |
---|---|---|
committer | guido <guido@FreeBSD.org> | 1997-01-01 14:08:47 +0000 |
commit | 07e783bc3eb2bb61a692e734cf205be502266408 (patch) | |
tree | 9d2e2a69b3a8d19bb2eb7f63181668f968c36e59 /sbin/restore/interactive.c | |
parent | 01876569b2445fed76ab3d84c1704e73ad519d13 (diff) | |
download | FreeBSD-src-07e783bc3eb2bb61a692e734cf205be502266408.zip FreeBSD-src-07e783bc3eb2bb61a692e734cf205be502266408.tar.gz |
Yet another buffer overflow.
2.2 candidate
(and -stable too actually, who does that?)
Reviewed by: Warner Losh
Diffstat (limited to 'sbin/restore/interactive.c')
-rw-r--r-- | sbin/restore/interactive.c | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/sbin/restore/interactive.c b/sbin/restore/interactive.c index 1b9616c..d2158e4 100644 --- a/sbin/restore/interactive.c +++ b/sbin/restore/interactive.c @@ -109,7 +109,7 @@ runcmdshell() arglist.glob.gl_closedir = (void *)rst_closedir; arglist.glob.gl_lstat = glob_stat; arglist.glob.gl_stat = glob_stat; - canon("/", curdir); + canon("/", curdir, sizeof(curdir)); loop: if (setjmp(reset) != 0) { if (arglist.freeglob != 0) { @@ -357,7 +357,7 @@ getnext: * If it is an absolute pathname, canonicalize it and return it. */ if (rawname[0] == '/') { - canon(rawname, name); + canon(rawname, name, sizeof(name)); } else { /* * For relative pathnames, prepend the current directory to @@ -366,7 +366,7 @@ getnext: (void) strcpy(output, curdir); (void) strcat(output, "/"); (void) strcat(output, rawname); - canon(output, name); + canon(output, name, sizeof(name)); } if (glob(name, GLOB_ALTDIRFUNC, NULL, &ap->glob) < 0) fprintf(stderr, "%s: out of memory\n", ap->cmd); @@ -438,8 +438,9 @@ copynext(input, output) * remove any imbedded "." and ".." components. */ void -canon(rawname, canonname) +canon(rawname, canonname, len) char *rawname, *canonname; + int len; { register char *cp, *np; @@ -449,6 +450,11 @@ canon(rawname, canonname) (void) strcpy(canonname, "."); else (void) strcpy(canonname, "./"); + if (strlen(canonname) + strlen(rawname) >= len) { + fprintf(stderr, "canonname: not enough bufferspace\n"); + done(1); + } + (void) strcat(canonname, rawname); /* * Eliminate multiple and trailing '/'s |