Fix a BSS buffer overflow caused by makeargv() writing past the end of

margv[] when an input line contains 20 or more space-separated words.
author: tjr <tjr@FreeBSD.org> 2003-10-11 07:35:35 +0000
committer: tjr <tjr@FreeBSD.org> 2003-10-11 07:35:35 +0000
commit: a5071872642c8a9e22f25c5e95282d2e573da51e (patch)
tree: e712e97540e18e7836749ab7d6e5fc033dce432d /usr.sbin/timed
parent: f7e281890a77e945e794814a1b2501a6e339f208 (diff)
download: FreeBSD-src-a5071872642c8a9e22f25c5e95282d2e573da51e.zip
FreeBSD-src-a5071872642c8a9e22f25c5e95282d2e573da51e.tar.gz
1 files changed, 3 insertions, 2 deletions
diff --git a/usr.sbin/timed/timedc/timedc.c b/usr.sbin/timed/timedc/timedc.c
index f8138c3..368b460 100644
--- a/usr.sbin/timed/timedc/timedc.c
+++ b/usr.sbin/timed/timedc/timedc.c
@@ -59,7 +59,8 @@ int trace = 0;
 FILE *fd = 0;
 int	margc;
 int	fromatty;
-char	*margv[20];
+#define	MAX_MARGV	20
+char	*margv[MAX_MARGV];
 char	cmdline[200];
 jmp_buf	toplevel;
 static struct cmd *getcmd __P((char *));
@@ -183,7 +184,7 @@ makeargv()
 	register char **argp = margv;
 
 	margc = 0;
-	for (cp = cmdline; *cp;) {
+	for (cp = cmdline; margc < MAX_MARGV - 1 && *cp; ) {
 		while (isspace(*cp))
 			cp++;
 		if (*cp == '\0')
author	tjr <tjr@FreeBSD.org>	2003-10-11 07:35:35 +0000
committer	tjr <tjr@FreeBSD.org>	2003-10-11 07:35:35 +0000
commit	a5071872642c8a9e22f25c5e95282d2e573da51e (patch)
tree	e712e97540e18e7836749ab7d6e5fc033dce432d /usr.sbin/timed
parent	f7e281890a77e945e794814a1b2501a6e339f208 (diff)
download	FreeBSD-src-a5071872642c8a9e22f25c5e95282d2e573da51e.zip FreeBSD-src-a5071872642c8a9e22f25c5e95282d2e573da51e.tar.gz