NetBSD-Bugs archive


bin/45662: Overlapping buffer in lpd_command.c.



>Number:         45662
>Category:       bin
>Synopsis:       Overlapping buffer in lpd_command.c.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Nov 27 08:30:01 +0000 2011
>Originator:     Henning Petersen
>Release:        NetBSD-current
>Organization:
>Environment:
>Description:
Overlapping buffer in lpd_command.c with undefined behavior if snprintf is
used.
>How-To-Repeat:

>Fix:
diff -u -p -r1.5 ldp_command.c
--- usr.sbin/ldpd/ldp_command.c 16 Jun 2011 08:27:28 -0000      1.5
+++ usr.sbin/ldpd/ldp_command.c 20 Nov 2011 05:54:33 -0000
@@ -481,6 +481,7 @@ show_labels(int s, char *recvspace)
 {
        struct ldp_peer *p;
        struct label_mapping *lm;
+       size_t len;
 
        SLIST_FOREACH(p, &ldp_peer_head, peers) {
                if (p->state != LDP_PEER_ESTABLISHED)
@@ -488,8 +489,10 @@ show_labels(int s, char *recvspace)
                SLIST_FOREACH(lm, &p->label_mapping_head, mappings) {
                        snprintf(sendspace, MAXSEND, "%s:%d",
                            inet_ntoa(p->ldp_id), lm->label);
-                       snprintf(sendspace, MAXSEND, "%s\t%s/%d\n",
-                           sendspace, inet_ntoa(lm->address), lm->prefix);
+                       len = strlen(sendspace);
+                       snprintf(sendspace + len, MAXSEND - len,
+                               "\t%s/%d\n",
+                           inet_ntoa(lm->address), lm->prefix);
                        writestr(s, sendspace);
                }
        }
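
Review bot: The return values of both snprintf calls in the inner SLIST_FOREACH are still ignored, so truncation goes unnoticed. If the peer id, label, address and prefix do not fit in MAXSEND, the trailing "\n" is cut off and writestr(s, sendspace) sends a record without its terminator. Consider taking len from the return value of the first snprintf (after checking that it is non-negative and less than MAXSEND) instead of calling strlen separately, and checking the second call the same way before writing. The strlen form as written is safe against wraparound, since snprintf with size MAXSEND leaves at most MAXSEND - 1 characters in the buffer and MAXSEND - len therefore stays at least 1. Style point: the two continuation lines of the new snprintf are indented differently (the format string sits deeper than the inet_ntoa line); align them with the four-space continuation used by the first call.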


