Fix buffer overflow in queue file handling.

Submitted by:	millert@openbsd.org, gad
Reported by:	X-Force <xforce@iss.net>

1 files changed, 13 insertions, 7 deletions

diff --git a/usr.sbin/lpr/common_source/displayq.c b/usr.sbin/lpr/common_source/displayq.c
index 7727306..f7e61d8 100644
--- a/usr.sbin/lpr/common_source/displayq.c
+++ b/usr.sbin/lpr/common_source/displayq.c
@@ -73,8 +73,8 @@ static const char rcsid[] =
 extern uid_t	uid, euid;
 
 static int	col;		/* column on screen */
-static char	current[40];	/* current file being printed */
-static char	file[132];	/* print file name */
+static char	current[MAXNAMLEN+1];	/* current file being printed */
+static char	file[MAXNAMLEN+1];	/* print file name */
 static int	first;		/* first file in ``files'' column? */
 static int	garbage;	/* # of garbage cf files */
 static int	lflag;		/* long output option */
@@ -95,7 +95,7 @@ displayq(struct printer *pp, int format)
 {
 	register struct jobqueue *q;
 	register int i, nitems, fd, ret;
-	register char	*cp;
+	char *cp, *endp;
 	struct jobqueue **queue;
 	struct stat statb;
 	FILE *fp;
@@ -156,8 +156,11 @@ displayq(struct printer *pp, int format)
 		else {
 			/* get daemon pid */
 			cp = current;
-			while ((i = getc(fp)) != EOF && i != '\n')
-				*cp++ = i;
+			endp = cp + sizeof(current) - 1;
+			while ((i = getc(fp)) != EOF && i != '\n') {
+				if (cp < endp)
+					*cp++ = i;
+			}
 			*cp = '\0';
 			i = atoi(current);
 			if (i <= 0) {
@@ -172,8 +175,11 @@ displayq(struct printer *pp, int format)
 			} else {
 				/* read current file name */
 				cp = current;
-				while ((i = getc(fp)) != EOF && i != '\n')
-					*cp++ = i;
+				endp = cp + sizeof(current) - 1;
+				while ((i = getc(fp)) != EOF && i != '\n') {
+					if (cp < endp)
+						*cp++ = i;
+				}
 				*cp = '\0';
 				/*
 				 * Print the status file.