From caca8e2d8a466f4192a1daad8283891ac11a4f2d Mon Sep 17 00:00:00 2001 From: emax Date: Fri, 19 Dec 2003 18:15:56 +0000 Subject: Fix uncontrolled access to the buffer in rfcomm_sppd(1). Fix typo in hcsecd(8) man page. Submitted by: Guido Falsi Reviewed by: imp (mentor) Approved by: imp (mentor) --- usr.bin/bluetooth/rfcomm_sppd/rfcomm_sppd.c | 25 +++++++++++++++++++++---- usr.sbin/bluetooth/hcsecd/hcsecd.8 | 4 ++-- 2 files changed, 23 insertions(+), 6 deletions(-) diff --git a/usr.bin/bluetooth/rfcomm_sppd/rfcomm_sppd.c b/usr.bin/bluetooth/rfcomm_sppd/rfcomm_sppd.c index ee689be..15709ed 100644 --- a/usr.bin/bluetooth/rfcomm_sppd/rfcomm_sppd.c +++ b/usr.bin/bluetooth/rfcomm_sppd/rfcomm_sppd.c @@ -36,6 +36,7 @@ #include #include #include +#include #include #include #include @@ -99,7 +100,10 @@ main(int argc, char *argv[]) break; case 't': /* Slave TTY name */ - tty = optarg; + if (optarg[0] != '/') + asprintf(&tty, "%s%s", _PATH_DEV, optarg); + else + tty = optarg; break; case 'h': @@ -255,18 +259,31 @@ main(int argc, char *argv[]) static int sppd_ttys_open(char const *tty, int *amaster, int *aslave) { - char pty[PATH_MAX]; + char pty[PATH_MAX], *slash = NULL; struct group *gr = NULL; gid_t ttygid; struct termios tio; /* - * Master PTY + * Construct master PTY name. The slave tty name must be less then + * PATH_MAX characters in length, must contain '/' character and + * must not end with '/'. */ + if (strlen(tty) >= sizeof(pty)) { + syslog(LOG_ERR, "Slave tty name is too long"); + return (-1); + } + strlcpy(pty, tty, sizeof(pty)); - pty[5] = 'p'; + slash = strrchr(pty, '/'); + if (slash == NULL || slash[1] == 0) { + syslog(LOG_ERR, "Invalid slave tty name (%s)", tty); + return (-1); + } + slash[1] = 'p'; + if (strcmp(pty, tty) == 0) { syslog(LOG_ERR, "Master and slave tty are the same (%s)", tty); return (-1); diff --git a/usr.sbin/bluetooth/hcsecd/hcsecd.8 b/usr.sbin/bluetooth/hcsecd/hcsecd.8 index 1a3bb09..b7c2322 100644 --- a/usr.sbin/bluetooth/hcsecd/hcsecd.8 
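Review bot: The `asprintf()` call added under `case 't'` ignores its return value, so on allocation failure `tty` is left NULL or indeterminate and is presumably handed to `sppd_ttys_open()`, whose first new statement is `strlen(tty)`. Check the result and stop, for example `if (asprintf(&tty, "%s%s", _PATH_DEV, optarg) == -1) err(1, "asprintf");`, or use whatever fatal-error path main() already has, since the availability of err(3) in this file is not visible here. The enclosing switch and the rest of main() lie outside the hunk.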
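Review bot: `slash[1] = 'p'` in `sppd_ttys_open()` overwrites whatever character follows the last '/', and the new checks only require that a '/' exists and the final component is non-empty, so any path is accepted rather than just `ttyXX`-style names. The rest of the function is outside this hunk, but it goes on to use the derived master name and, judging by the `gr`/`ttygid` locals, probably adjusts ownership of the slave, so the operator-supplied `-t` value should be constrained. One option is to reject names whose last component does not start with `tty`: `if (slash == NULL || strncmp(slash + 1, "tty", 3) != 0)`. As smaller points, the `strlen()` pre-check can be folded into `if (strlcpy(pty, tty, sizeof(pty)) >= sizeof(pty))`, and "less then" in the new comment should read "less than".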
+++ b/usr.sbin/bluetooth/hcsecd/hcsecd.8
@@ -115,8 +115,8 @@ PIN codes.
 .Sh FILES
 .Bl -tag -width ".Pa /etc/bluetooth/hcsecd.conf" -compact
 .It Pa /etc/bluetooth/hcsecd.conf
-.It Pa /var/db/hcsecd.pid
-.It Pa /var/run/hcsecd.keys
+.It Pa /var/db/hcsecd.keys
+.It Pa /var/run/hcsecd.pid
 .El
 .Sh SEE ALSO
 .Xr ng_btsocket 4 ,
-- cgit v1.1