author | kris <kris@FreeBSD.org> | 1999-11-25 07:28:54 +0000 |
---|---|---|
committer | kris <kris@FreeBSD.org> | 1999-11-25 07:28:54 +0000 |
commit | 9aee982353e83b863fc3e5da7c23bef69bcfad0f (patch) | |
tree | 4d222a3114ccdcc8408165eb1628c56f3cec9615 /usr.bin | |
parent | bc55786850e1729c2766de25bd91b77aa746a313 (diff) | |
Fix a buffer overflow due to sending strings >1k in length. This is unlikely
to be a security problem, but it's not totally impossible. OpenBSD take note
Reviewed by: imp
Diffstat (limited to 'usr.bin')
-rw-r--r-- | usr.bin/chat/chat.c | 16 |
1 files changed, 9 insertions, 7 deletions
diff --git a/usr.bin/chat/chat.c b/usr.bin/chat/chat.c index 217dc30..fd71405 100644 --- a/usr.bin/chat/chat.c +++ b/usr.bin/chat/chat.c @@ -655,7 +655,8 @@ int sending; /* set to 1 when sending (putting) this string. */ #define isoctal(chr) (((chr) >= '0') && ((chr) <= '7')) s1 = temp; - while (*s) { + /* Don't overflow buffer, leave room for chars we append later */ + while (*s && s1 - temp < sizeof(temp) - 2 - add_return) { cur_chr = *s++; if (cur_chr == '^') { cur_chr = *s++; @@ -1275,6 +1276,13 @@ register char *string; char *logged = temp; fail_reason = (char *)0; + + if (strlen(string) > STR_LEN) { + logf("expect string is too long"); + exit_code = 1; + return 0; + } + string = clean(string, 0); len = strlen(string); minlen = (len > sizeof(fail_buffer)? len: sizeof(fail_buffer)) - 1; @@ -1282,12 +1290,6 @@ register char *string; if (verbose) logf("expect (%v)", string); - if (len > STR_LEN) { - logf("expect string is too long"); - exit_code = 1; - return 0; - } - if (len == 0) { if (verbose) logf("got it"); |
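Review bot: The bound added to the `while` condition is tested once per pass, so it protects `temp` only if every path through the loop body stores at most one byte per pass. The body continues outside this hunk; if any branch there keeps an escape together with its backslash or copies in a substituted string, the stores can still run past the `2 + add_return` bytes held in reserve. Checking the remaining room at each `*s1++` store, or reserving the worst-case expansion in the condition, would close that gap. The loop also ends silently when the bound is hit, so the caller gets a shortened string with no log entry; a `logf()` call when the bound rather than the terminator ended the loop would make the truncation visible.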
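Review bot: The early length test compares the raw string against `STR_LEN`, while `clean()` now stops at `sizeof(temp) - 2 - add_return`, so the two limits need not agree. Assuming `clean()`'s `temp` is also `STR_LEN` bytes (its declaration is outside the diff), an expect string within a couple of bytes of `STR_LEN` passes this test and is then shortened by `clean()` without any message, so matching runs against a truncated pattern. Using the same bound here, for example `if (strlen(string) > STR_LEN - 2) {`, keeps the failure explicit and logged. The enclosing function starts and ends outside the hunk.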