authorStefan Eßer <se@FreeBSD.org>2019-01-26 20:43:28 +0000
committerStefan Eßer <se@FreeBSD.org>2019-01-26 20:43:28 +0000
commit71bc4af6edda147f6272a5c525c213d36ce7d9ec (patch)
tree5b16fd0d2361d8921e4ba0fed8249f5babeaeedc /libexec/getty
parent030a1f8ba2e2873195454e5fbd4da6123b0b57a0 (diff)
Fix potential buffer overflow and undefined behavior.
The buffer allocated in read_chat() could be 1 element too short, if the chatstr parameter passed in is 1 or 3 characters long (e.g. "a" or "a b"). The allocation of the pointer array does not account for the terminating NULL pointer in that case. Overlapping source and destination strings are undefined in strcpy(). Instead of moving a string to the left by one character just increment the char pointer before it is assigned to the results array. MFC after: 2 weeks
Notes
Notes: svn path=/head/; revision=343479
Diffstat (limited to 'libexec/getty')
-rw-r--r--libexec/getty/chat.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/libexec/getty/chat.c b/libexec/getty/chat.c
index a65d9b243efe..0f2def37b028 100644
--- a/libexec/getty/chat.c
+++ b/libexec/getty/chat.c
@@ -141,7 +141,7 @@ read_chat(char **chatstr)
int l;
if ((l=strlen(str)) > 0 && (tmp=malloc(l + 1)) != NULL &&
- (res=malloc((l / 2 + 1) * sizeof(char *))) != NULL) {
+ (res=malloc(((l + 1) / 2 + 1) * sizeof(char *))) != NULL) {
static char ws[] = " \t";
char * p;
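Review bot: The new size expression `((l + 1) / 2 + 1)` relies on an invariant that is written down nowhere in the hunk: a string of l characters split on whitespace yields at most (l + 1) / 2 tokens, and one further slot holds the terminating NULL pointer. A comment above the allocation, for example `/* at most (l + 1) / 2 tokens, plus one slot for the NULL terminator */`, would make the bound checkable and keep a later edit from reintroducing the off-by-one. Separately, `l` is an `int` that receives the `size_t` result of strlen(); this is presumably harmless for configuration-sized chat strings, but a `size_t` length would remove the narrowing before it feeds malloc(). read_chat's body starts and ends outside the hunk, so how `l` is used later is not visible here.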
@@ -216,7 +216,7 @@ read_chat(char **chatstr)
q = strrchr(p+1, *p);
if (q != NULL && *q == *p && q[1] == '\0') {
*q = '\0';
- strcpy(p, p+1);
+ p++;
}
}
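Review bot: After `p++` the pointer refers to the byte after the opening quote rather than to the start of the token, and the new line says nothing about why. A short comment on the two statements, such as `/* closing quote overwritten above; step past the opening one */`, would record that this replaces the old in-place shift and that the string contents are no longer moved. If, as the commit message says, `p` is then stored in the results array, the array entries are interior pointers into the copied buffer, so the buffer presumably has to be released through its own pointer and never through an array element; that is worth confirming in the part of read_chat outside this hunk.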