Fix two buffer overflows caused by off-by-one errors: avoid writing a null

character 1 byte past the end of cmdline[] when libedit is being used for input, and avoid writing a null pointer 1 element past the end of margv[]. Reviewed by: gad
author: tjr <tjr@FreeBSD.org> 2003-10-13 07:24:22 +0000
committer: tjr <tjr@FreeBSD.org> 2003-10-13 07:24:22 +0000
commit: 9da9583b7fe94bf2e7812dc8c5c4e622e0d0ae5f (patch)
tree: 70a199e4f89f0234dc5331fbd241122c3b25be39 /usr.sbin/lpr/lpc/lpc.c
parent: 47ef5b092f3bf8a5a36fe7b20a91b882852c255d (diff)
download: FreeBSD-src-9da9583b7fe94bf2e7812dc8c5c4e622e0d0ae5f.zip
FreeBSD-src-9da9583b7fe94bf2e7812dc8c5c4e622e0d0ae5f.tar.gz
1 files changed, 2 insertions, 2 deletions
diff --git a/usr.sbin/lpr/lpc/lpc.c b/usr.sbin/lpr/lpc/lpc.c
index a559e0a..e58911c 100644
--- a/usr.sbin/lpr/lpc/lpc.c
+++ b/usr.sbin/lpr/lpc/lpc.c
@@ -186,7 +186,7 @@ cmdscanner(void)
 			if ((bp = el_gets(el, &num)) == NULL || num == 0)
 				quit(0, NULL);
 
-			len = (num > MAX_CMDLINE) ? MAX_CMDLINE : num;
+			len = (num > MAX_CMDLINE - 1) ? MAX_CMDLINE - 1 : num;
 			memcpy(cmdline, bp, len);
 			cmdline[len] = 0; 
 			history(hist, &he, H_ENTER, bp);
@@ -274,7 +274,7 @@ makeargv(void)
 
 	margc = 0;
 	for (cp = cmdline; *cp && (size_t)(cp - cmdline) < sizeof(cmdline) &&
-	    n < MAX_MARGV; n++) {
+	    n < MAX_MARGV - 1; n++) {
 		while (isspace(*cp))
 			cp++;
 		if (*cp == '\0')
author	tjr <tjr@FreeBSD.org>	2003-10-13 07:24:22 +0000
committer	tjr <tjr@FreeBSD.org>	2003-10-13 07:24:22 +0000
commit	9da9583b7fe94bf2e7812dc8c5c4e622e0d0ae5f (patch)
tree	70a199e4f89f0234dc5331fbd241122c3b25be39 /usr.sbin/lpr/lpc/lpc.c
parent	47ef5b092f3bf8a5a36fe7b20a91b882852c255d (diff)
download	FreeBSD-src-9da9583b7fe94bf2e7812dc8c5c4e622e0d0ae5f.zip FreeBSD-src-9da9583b7fe94bf2e7812dc8c5c4e622e0d0ae5f.tar.gz