Date: Thu, 14 Feb 2019 15:41:06 +0000 (UTC) From: Stefan Esser <se@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r344126 - stable/11/libexec/getty Message-ID: <201902141541.x1EFf6Ig029694@repo.freebsd.org>
Author: se Date: Thu Feb 14 15:41:05 2019 New Revision: 344126 URL: https://svnweb.freebsd.org/changeset/base/344126 Log: MFC r343479: Fix potential buffer overflow and undefined behavior. The buffer allocated in read_chat() could be 1 element too short, if the chatstr parameter passed in is 1 or 3 characters long (e.g. "a" or "a b"). The allocation of the pointer array does not account for the terminating NULL pointer in that case. Overlapping source and destination strings are undefined in strcpy(). Instead of moving a string to the left by one character just increment the char pointer before it is assigned to the results array. Modified: stable/11/libexec/getty/chat.c Directory Properties: stable/11/ (props changed) Modified: stable/11/libexec/getty/chat.c ============================================================================== --- stable/11/libexec/getty/chat.c Thu Feb 14 15:39:17 2019 (r344125) +++ stable/11/libexec/getty/chat.c Thu Feb 14 15:41:05 2019 (r344126) @@ -141,7 +141,7 @@ read_chat(char **chatstr) int l; if ((l=strlen(str)) > 0 && (tmp=malloc(l + 1)) != NULL && - (res=malloc((l / 2 + 1) * sizeof(char *))) != NULL) { + (res=malloc(((l + 1) / 2 + 1) * sizeof(char *))) != NULL) { static char ws[] = " \t"; char * p; @@ -216,7 +216,7 @@ read_chat(char **chatstr) q = strrchr(p+1, *p); if (q != NULL && *q == *p && q[1] == '\0') { *q = '\0'; - strcpy(p, p+1); + p++; } }
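Review bot: In the first hunk (@@ -141,7), the new size expression `((l + 1) / 2 + 1)` in the `res=malloc(...)` line has no comment saying why it is sufficient, and the previous off-by-one shows how easy this bound is to get wrong. A one-line comment at the allocation would help, for example that a string of l characters holds at most (l + 1) / 2 whitespace-separated words and one more slot is needed for the terminating NULL pointer; that gives 2 slots for l = 1 and 3 slots for l = 3, the two cases named in the log. In the same condition, `l` is declared `int` but receives the result of `strlen(str)`; a `size_t` would avoid the narrowing conversion feeding both `malloc` sizes. It is also worth confirming that `tmp` is released on the path where the first `malloc` succeeds and the second one fails, since the visible lines do not show it.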
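Review bot: In the second hunk (@@ -216,7), `p++;` is equivalent to the removed `strcpy(p, p+1);` only if nothing after this block still expects `p` to point at the original first byte of the token. The log says the pointer is incremented before it is assigned to the results array, so please confirm that assignment is the only later use of `p`, and add a short comment at `p++;` stating that it skips the leading character whose matching trailing copy was just cleared by `*q = '\0';`. As a minor style point in the unchanged context, the `*q == *p` test is redundant: a non-NULL result from `strrchr(p+1, *p)` always points at a byte equal to `*p`.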
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201902141541.x1EFf6Ig029694>