diff options
author | Maksim Yevmenkin <emax@FreeBSD.org> | 2003-12-19 18:15:56 +0000 |
---|---|---|
committer | Maksim Yevmenkin <emax@FreeBSD.org> | 2003-12-19 18:15:56 +0000 |
commit | 4b1493e53d0d9523d328bf598b768d2add197f73 (patch) | |
tree | 9e41c208f01caa9304e9886adcb35abc47dd1e5d /usr.bin/bluetooth | |
parent | 913fd65e920b951dd4e53b4a00b89f1103e1308d (diff) | |
download | src-4b1493e53d0d9523d328bf598b768d2add197f73.tar.gz src-4b1493e53d0d9523d328bf598b768d2add197f73.zip |
Fix uncontrolled access to the buffer in rfcomm_sppd(1).
Fix typo in hcsecd(8) man page.
Submitted by: Guido Falsi <mad@madpilot.net>
Reviewed by: imp (mentor)
Approved by: imp (mentor)
Notes
Notes:
svn path=/head/; revision=123676
Diffstat (limited to 'usr.bin/bluetooth')
-rw-r--r-- | usr.bin/bluetooth/rfcomm_sppd/rfcomm_sppd.c | 25 |
1 files changed, 21 insertions, 4 deletions
diff --git a/usr.bin/bluetooth/rfcomm_sppd/rfcomm_sppd.c b/usr.bin/bluetooth/rfcomm_sppd/rfcomm_sppd.c index ee689beaf7f5..15709ede8504 100644 --- a/usr.bin/bluetooth/rfcomm_sppd/rfcomm_sppd.c +++ b/usr.bin/bluetooth/rfcomm_sppd/rfcomm_sppd.c @@ -36,6 +36,7 @@ #include <fcntl.h> #include <grp.h> #include <limits.h> +#include <paths.h> #include <sdp.h> #include <signal.h> #include <stdarg.h> @@ -99,7 +100,10 @@ main(int argc, char *argv[]) break; case 't': /* Slave TTY name */ - tty = optarg; + if (optarg[0] != '/') + asprintf(&tty, "%s%s", _PATH_DEV, optarg); + else + tty = optarg; break; case 'h': @@ -255,18 +259,31 @@ main(int argc, char *argv[]) static int sppd_ttys_open(char const *tty, int *amaster, int *aslave) { - char pty[PATH_MAX]; + char pty[PATH_MAX], *slash = NULL; struct group *gr = NULL; gid_t ttygid; struct termios tio; /* - * Master PTY + * Construct master PTY name. The slave tty name must be less then + * PATH_MAX characters in length, must contain '/' character and + * must not end with '/'. */ + if (strlen(tty) >= sizeof(pty)) { + syslog(LOG_ERR, "Slave tty name is too long"); + return (-1); + } + strlcpy(pty, tty, sizeof(pty)); - pty[5] = 'p'; + slash = strrchr(pty, '/'); + if (slash == NULL || slash[1] == 0) { + syslog(LOG_ERR, "Invalid slave tty name (%s)", tty); + return (-1); + } + slash[1] = 'p'; + if (strcmp(pty, tty) == 0) { syslog(LOG_ERR, "Master and slave tty are the same (%s)", tty); return (-1); |