From 98328065bf61d1e2406cd4eb27154dfb2743fd9b Mon Sep 17 00:00:00 2001
From: joe
Date: Sun, 30 Apr 2000 20:53:54 +0000
Subject: Fixes a potential buffer overflow with the command line arguments.
Submitted by: Mike Heffner
Submitted on: audit@freebsd.org
---
sbin/natd/natd.c | 18 +++++++++++-------
1 file changed, 11 insertions(+), 7 deletions(-)
(limited to 'sbin/natd')
diff --git a/sbin/natd/natd.c b/sbin/natd/natd.c
index 2714a15..c03a7ae 100644
--- a/sbin/natd/natd.c
+++ b/sbin/natd/natd.c
@@ -421,9 +421,9 @@ static void DaemonMode ()
 static void ParseArgs (int argc, char** argv)
 {
 int arg;
- char* parm;
 char* opt;
 char parmBuf[256];
+ int len; /* bounds checking */
 for (arg = 1; arg < argc; arg++) {
@@ -434,23 +434,27 @@ static void ParseArgs (int argc, char** argv)
 Usage ();
 }
- parm = NULL;
 parmBuf[0] = '\0';
+ len = 0;
 while (arg < argc - 1) {
 if (argv[arg + 1][0] == '-') break;
- if (parm)
- strcat (parmBuf, " ");
+ if (len) {
+ strncat (parmBuf, " ", sizeof(parmBuf) - (len + 1));
+ len += strlen(parmBuf + len);
+ }
 ++arg;
- parm = parmBuf;
- strcat (parmBuf, argv[arg]);
+ strncat (parmBuf, argv[arg], sizeof(parmBuf) - (len + 1));
+ len += strlen(parmBuf + len);
+
 }
- ParseOption (opt + 1, parm, 1);
+ ParseOption (opt + 1, (len ? parmBuf : NULL), 1);
+
 }
 }
--
cgit v1.1
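Review bot: An over-long parameter is now truncated silently instead of being rejected: both `strncat` calls in the second hunk cap the copy at `sizeof(parmBuf) - (len + 1)`, which keeps the write inside `parmBuf`, but the shortened string is still handed to `ParseOption`. A truncated value that still parses as a valid setting is worse than a refusal, so I would check before appending, e.g. `if (strlen(argv[arg]) + (len ? 1 : 0) >= sizeof(parmBuf) - len) Usage ();` (assuming `Usage` does not return, which the hunk does not show). Separately, testing `len` where the old code tested `parm` changes behaviour for an empty-string argument: `-opt ""` used to pass `""` and now passes `NULL`, and no separating space is added after an empty first word. `len` would also read better as `size_t`, since it is mixed with `sizeof` and `strlen`; the part of the `for` loop between the two hunks is not visible here.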