Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src/usr.sbin/bootp/bootpd sizeof(pointer) is not a good buffer l...

details:   https://anonhg.NetBSD.org/src/rev/b11f483073ce
branches:  trunk
changeset: 328218:b11f483073ce
user:      apb <apb%NetBSD.org@localhost>
date:      Sat Mar 29 18:23:00 2014 +0000

description:
sizeof(pointer) is not a good buffer length to pass to strlcat.
Introduce a new variable, clntpathmaxlen, to hold the correct
buffer length, and pass that to strlcat.

The incorrect buffer length would have caused <filename>.<hostname>
lookups to fail.

diffstat:

 usr.sbin/bootp/bootpd/bootpd.c |  9 ++++++---
 1 files changed, 6 insertions(+), 3 deletions(-)

diffs (43 lines):

diff -r b339486c71f8 -r b11f483073ce usr.sbin/bootp/bootpd/bootpd.c
--- a/usr.sbin/bootp/bootpd/bootpd.c    Sat Mar 29 16:46:19 2014 +0000
+++ b/usr.sbin/bootp/bootpd/bootpd.c    Sat Mar 29 18:23:00 2014 +0000
@@ -22,7 +22,7 @@
 
 #include <sys/cdefs.h>
 #ifndef lint
-__RCSID("$NetBSD: bootpd.c,v 1.24 2011/08/29 20:38:54 joerg Exp $");
+__RCSID("$NetBSD: bootpd.c,v 1.25 2014/03/29 18:23:00 apb Exp $");
 #endif
 
 /*
@@ -599,6 +599,7 @@
        int32 dest;
        char lrealpath[1024];
        char *clntpath;
+       size_t clntpathmaxlen;
        char *homedir, *bootfile;
        int n;
 
@@ -811,9 +812,11 @@
        if (hp->flags.tftpdir) {
                strlcpy(lrealpath, hp->tftpdir->string, sizeof(lrealpath));
                clntpath = &lrealpath[strlen(lrealpath)];
+               clntpathmaxlen = sizeof(lrealpath) + lrealpath - clntpath;
        } else {
                lrealpath[0] = '\0';
                clntpath = lrealpath;
+               clntpathmaxlen = sizeof(lrealpath)
        }
 
        /*
@@ -883,8 +886,8 @@
         * First try to find the file with a ".host" suffix
         */
        n = strlen(clntpath);
-       strlcat(clntpath, ".", sizeof(clntpath));
-       strlcat(clntpath, hp->hostname->string, sizeof(clntpath));
+       strlcat(clntpath, ".", clntpathmaxlen);
+       strlcat(clntpath, hp->hostname->string, clntpathmaxlen);
        if (chk_access(lrealpath, &bootsize) < 0) {
                clntpath[n] = 0;                        /* Try it without the suffix */
                if (chk_access(lrealpath, &bootsize) < 0) {
Home | Main Index | Thread Index | Old Index