Fix a buffer overflow due to sending strings >1k in length. This is unlikely

to be a security problem, but it's not totally impossible. OpenBSD take note Reviewed by: imp
svn path=/head/; revision=53686
2024-07-22 10:48:02 +00:00 · 1999-11-25 07:28:54 +00:00 · 1999-11-25 07:28:54 +00:00 · 4e83a8fef4 · 2020-12-20 02:59:44 +00:00
parent dfe43144ff
commit 4e83a8fef4
1 changed files with 9 additions and 7 deletions
--- a/usr.bin/chat/chat.c
+++ b/usr.bin/chat/chat.c
@ -655,7 +655,8 @@ int sending;  /* set to 1 when sending (putting) this string. */
 #define isoctal(chr) (((chr) >= '0') && ((chr) <= '7'))

    s1 = temp;
-    while (*s) {
+    /* Don't overflow buffer, leave room for chars we append later */
+    while (*s && s1 - temp < sizeof(temp) - 2 - add_return) {
 	cur_chr = *s++;
 	if (cur_chr == '^') {
 	    cur_chr = *s++;
@ -1275,6 +1276,13 @@ register char *string;
    char *logged = temp;

    fail_reason = (char *)0;
+
+    if (strlen(string) > STR_LEN) {
+	logf("expect string is too long");
+	exit_code = 1;
+	return 0;
+    }
+
    string = clean(string, 0);
    len = strlen(string);
    minlen = (len > sizeof(fail_buffer)? len: sizeof(fail_buffer)) - 1;
@ -1282,12 +1290,6 @@ register char *string;
    if (verbose)
 	logf("expect (%v)", string);

-    if (len > STR_LEN) {
-	logf("expect string is too long");
-	exit_code = 1;
-	return 0;
-    }
-
    if (len == 0) {
 	if (verbose)
 	    logf("got it");