Mercurial > illumos > illumos-gate

changeset 2932:9882da59a45c onnv_51

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
6452250 Unsafe code in more(1) utility can lead to segmentation faults
author as145665
date Mon, 16 Oct 2006 17:04:12 -0700
parents 6348b43829d4
children b83c1115488b
files usr/src/cmd/more/more.c
diffstat 1 files changed, 16 insertions(+), 13 deletions(-) [+]
line wrap: on
line diff
--- a/usr/src/cmd/more/more.c	Mon Oct 16 17:00:43 2006 -0700
+++ b/usr/src/cmd/more/more.c	Mon Oct 16 17:04:12 2006 -0700
@@ -2,9 +2,8 @@
  * CDDL HEADER START
  *
  * The contents of this file are subject to the terms of the
- * Common Development and Distribution License, Version 1.0 only
- * (the "License").  You may not use this file except in compliance
- * with the License.
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
  *
  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
  * or http://www.opensolaris.org/os/licensing.
@@ -20,7 +19,7 @@
  * CDDL HEADER END
  */
 /*
- * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -956,7 +955,7 @@
 static int lastcmd, lastp;
 static off_t lastarg;
 static int lastcolon;
-char shell_line[132];
+char shell_line[PATH_MAX];
 
 /*
 ** Read a command and do it. A command consists of an optional integer
@@ -1671,11 +1670,11 @@
 static int
 expand(char *outbuf, char *inbuf)
 {
-    register char *in_str;
-    register char *out_str;
-    register char ch;
-    char temp[200];
-    int changed = 0;
+	char *in_str;
+	char *out_str;
+	char ch;
+	char temp[PATH_MAX];
+	int changed = 0;
 
     in_str = inbuf;
     out_str = temp;
@@ -1683,7 +1682,9 @@
         switch (ch) {
         case '%':
             if (!no_intty) {
-                strcpy (out_str, fnames[fnum]);
+		if (strlcpy(out_str, fnames[fnum], sizeof (temp))
+		    >= sizeof (temp))
+			error(gettext("Command too long"));
                 out_str += strlen (fnames[fnum]);
                 changed++;
             }
@@ -1693,7 +1694,8 @@
         case '!':
             if (!shellp)
                 error (gettext("No previous command to substitute for"));
-            strcpy (out_str, shell_line);
+	    if (strlcpy(out_str, shell_line, sizeof (temp)) >= sizeof (temp))
+		error(gettext("Command too long"));
             out_str += strlen (shell_line);
             changed++;
             break;
@@ -1706,7 +1708,8 @@
             *out_str++ = ch;
         }
     *out_str++ = '\0';
-    strcpy (outbuf, temp);
+	if (strlcpy(outbuf, temp, sizeof (shell_line)) >= sizeof (shell_line))
+		error(gettext("Command too long"));
     return (changed);
 }