From a5071872642c8a9e22f25c5e95282d2e573da51e Mon Sep 17 00:00:00 2001
From: tjr <tjr@FreeBSD.org>
Date: Sat, 11 Oct 2003 07:35:35 +0000
Subject: Fix a BSS buffer overflow caused by makeargv() writing past the end
 of margv[] when an input line contains 20 or more space-separated words.

---
 usr.sbin/timed/timedc/timedc.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'usr.sbin/timed')

diff --git a/usr.sbin/timed/timedc/timedc.c b/usr.sbin/timed/timedc/timedc.c
index f8138c3..368b460 100644
--- a/usr.sbin/timed/timedc/timedc.c
+++ b/usr.sbin/timed/timedc/timedc.c
@@ -59,7 +59,8 @@ int trace = 0;
 FILE *fd = 0;
 int	margc;
 int	fromatty;
-char	*margv[20];
+#define	MAX_MARGV	20
+char	*margv[MAX_MARGV];
 char	cmdline[200];
 jmp_buf	toplevel;
 static struct cmd *getcmd __P((char *));
@@ -183,7 +184,7 @@ makeargv()
 	register char **argp = margv;
 
 	margc = 0;
-	for (cp = cmdline; *cp;) {
+	for (cp = cmdline; margc < MAX_MARGV - 1 && *cp; ) {
 		while (isspace(*cp))
 			cp++;
 		if (*cp == '\0')
-- 
cgit v1.1