From 40a67da9ff19d948efed9b50a548595322cc9e14 Mon Sep 17 00:00:00 2001
From: brooks <brooks@FreeBSD.org>
Date: Mon, 24 Apr 2017 22:37:54 +0000
Subject: MFC r316768:

Fix an out-of-bounds write when a zero-length buffer is passed.

Found with ttyname_test and CHERI bounds checking.

Reviewed by:	emaste
Obtained from:	CheriBSD
Sponsored by:	DARPA, AFRL
---
 lib/libc/gen/ttyname.c | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'lib/libc')

diff --git a/lib/libc/gen/ttyname.c b/lib/libc/gen/ttyname.c
index 02aa158..6628e3b 100644
--- a/lib/libc/gen/ttyname.c
+++ b/lib/libc/gen/ttyname.c
@@ -61,6 +61,10 @@ ttyname_r(int fd, char *buf, size_t len)
 {
 	size_t used;
 
+	/* Don't write off the end of a zero-length buffer. */
+	if (len < 1)
+		return (ERANGE);
+
 	*buf = '\0';
 
 	/* Must be a terminal. */
-- 
cgit v1.1