authorKris Kennaway <kris@FreeBSD.org>2001-08-30 09:46:44 +0000
committerKris Kennaway <kris@FreeBSD.org>2001-08-30 09:46:44 +0000
commit3b0158c4b4aad8d75ac32c3e91d5fc5a03c2bedf (patch)
treed7f4a1de045fb0a151ddffac7db7f13cccfe93d1
parent44362a47a51a5ae1cbabd68a80c494d1d2e1df12 (diff)
MFC: Fix buffer overflow in queue file handling
Notes
Notes: svn path=/stable/3/; revision=82559
-rw-r--r--usr.sbin/lpr/common_source/displayq.c20
1 files changed, 13 insertions, 7 deletions
diff --git a/usr.sbin/lpr/common_source/displayq.c b/usr.sbin/lpr/common_source/displayq.c
index 88f90a60e5cf..d372516d1972 100644
--- a/usr.sbin/lpr/common_source/displayq.c
+++ b/usr.sbin/lpr/common_source/displayq.c
@@ -73,8 +73,8 @@ static const char rcsid[] =
extern uid_t uid, euid;
static int col; /* column on screen */
-static char current[40]; /* current file being printed */
-static char file[132]; /* print file name */
+static char current[MAXNAMLEN+1]; /* current file being printed */
+static char file[MAXNAMLEN+1]; /* print file name */
static int first; /* first file in ``files'' column? */
static int garbage; /* # of garbage cf files */
static int lflag; /* long output option */
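Review bot: `file` is resized to `MAXNAMLEN+1` here, but none of the hunks in this commit bounds a write into it; only the two loops that fill `current` gain an `endp` check. Wherever `file` is written elsewhere in displayq.c (not visible in this diff), the copy should be limited to `sizeof(file)`, because a name taken from a queue control file can presumably be longer than any fixed size. I would record that contract at the declaration, e.g. `static char file[MAXNAMLEN+1]; /* print file name; every writer must bound to sizeof(file) */`. It is also worth confirming that the header defining `MAXNAMLEN` is already included, since the include list is outside the hunk.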
@@ -97,7 +97,7 @@ displayq(pp, format)
{
register struct queue *q;
register int i, nitems, fd, ret;
- register char *cp;
+ char *cp, *endp;
struct queue **queue;
struct stat statb;
FILE *fp;
@@ -158,8 +158,11 @@ displayq(pp, format)
else {
/* get daemon pid */
cp = current;
- while ((i = getc(fp)) != EOF && i != '\n')
- *cp++ = i;
+ endp = cp + sizeof(current) - 1;
+ while ((i = getc(fp)) != EOF && i != '\n') {
+ if (cp < endp)
+ *cp++ = i;
+ }
*cp = '\0';
i = atoi(current);
if (i <= 0) {
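Review bot: `i = atoi(current)` after the bounded loop still cannot tell a valid pid from trailing garbage or an out-of-range digit string, and atoi's result is undefined when the value does not fit in an int. The lock file content is external input to this function, so I would parse it with error reporting: `errno = 0; pid = strtol(current, &endp, 10);` followed by `if (endp == current || *endp != '\0' || errno == ERANGE || pid <= 0 || pid > INT_MAX) i = 0; else i = (int)pid;`, with a `long pid` local plus `<errno.h>` and `<limits.h>`. That routes every malformed value into the existing `i <= 0` branch, whose body continues outside this hunk.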
@@ -174,8 +177,11 @@ displayq(pp, format)
} else {
/* read current file name */
cp = current;
- while ((i = getc(fp)) != EOF && i != '\n')
- *cp++ = i;
+ endp = cp + sizeof(current) - 1;
+ while ((i = getc(fp)) != EOF && i != '\n') {
+ if (cp < endp)
+ *cp++ = i;
+ }
*cp = '\0';
/*
* Print the status file.
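Review bot: The bounded read loop added here is a copy of the one added in the "get daemon pid" hunk above, so the `sizeof(current) - 1` bound now lives in two places that must stay in sync. It also truncates silently: an overlong line is drained and cut short with no indication, and a shortened name in `current` would presumably no longer match the queue entry it is compared with later in the file (outside this hunk). I would move the loop into one static helper that always NUL-terminates and reports truncation, and call it from both sites. The enclosing `else` block begins and ends outside the hunk.

```c
/*
 * Read one line from fp into buf, storing at most size - 1 bytes and
 * always NUL-terminating.  The rest of an overlong line is consumed.
 * Returns nonzero if the line did not fit.
 */
static int
read_line(FILE *fp, char *buf, size_t size)
{
	char *cp = buf;
	char *endp = buf + size - 1;
	int c, truncated = 0;

	while ((c = getc(fp)) != EOF && c != '\n') {
		if (cp < endp)
			*cp++ = c;
		else
			truncated = 1;
	}
	*cp = '\0';
	return (truncated);
}

		/* read current file name */
		truncated = read_line(fp, current, sizeof(current));
		/* … unchanged: print the status file … */
```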