Source-Changes-HG archive


[src/trunk]: src/usr.sbin/lpr/common_source security fix from openbsd:



details:   https://anonhg.NetBSD.org/src/rev/e9378876594c
branches:  trunk
changeset: 514326:e9378876594c
user:      itojun <itojun%NetBSD.org@localhost>
date:      Thu Aug 30 00:51:50 2001 +0000

description:
security fix from openbsd:

Fix buffer overflow reading from queue file.  While we are at it, crank
the size of buffers that can hold filenames to MAXPATHLEN.

diffstat:

 usr.sbin/lpr/common_source/displayq.c |  24 +++++++++++++++---------
 1 files changed, 15 insertions(+), 9 deletions(-)

diffs (66 lines):

diff -r ed18b0890ad9 -r e9378876594c usr.sbin/lpr/common_source/displayq.c
--- a/usr.sbin/lpr/common_source/displayq.c     Wed Aug 29 23:32:21 2001 +0000
+++ b/usr.sbin/lpr/common_source/displayq.c     Thu Aug 30 00:51:50 2001 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: displayq.c,v 1.20 2001/06/25 11:04:52 mrg Exp $        */
+/*     $NetBSD: displayq.c,v 1.21 2001/08/30 00:51:50 itojun Exp $     */
 
 /*
  * Copyright (c) 1983, 1993
@@ -38,7 +38,7 @@
 #if 0
 static char sccsid[] = "@(#)displayq.c 8.4 (Berkeley) 4/28/95";
 #else
-__RCSID("$NetBSD: displayq.c,v 1.20 2001/06/25 11:04:52 mrg Exp $");
+__RCSID("$NetBSD: displayq.c,v 1.21 2001/08/30 00:51:50 itojun Exp $");
 #endif
 #endif /* not lint */
 
@@ -76,8 +76,8 @@
 extern uid_t   uid, euid;
 
 static int     col;            /* column on screen */
-static char    current[40];    /* current file being printed */
-static char    file[132];      /* print file name */
+static char    current[MAXPATHLEN]; /* current file being printed */
+static char    file[MAXPATHLEN]; /* print file name */
 static int     first;          /* first file in ``files'' column? */
 static int     garbage;        /* # of garbage cf files */
 static int     lflag;          /* long output option */
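Review bot: Enlarging `file` to `MAXPATHLEN` does not by itself bound anything: the two read loops fixed later in this diff write only to `current`, and no write into `file` appears here, so whether copies into it are length-checked cannot be confirmed from this page. If any of them is an unbounded copy, it should be limited by `sizeof(file)` in the same way the loops use `sizeof(current)`; otherwise the larger array only raises the input length at which the overflow happens. A short comment on the two declarations, such as `/* sized for a full path; every writer must bound by sizeof */`, would record the intent.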
@@ -100,7 +100,7 @@
 {
        struct queue *q;
        int i, nitems, fd, ret;
-       char *cp;
+       char *cp, *ecp;
        struct queue **queue;
        struct stat statb;
        FILE *fp;
@@ -173,8 +173,11 @@
                else {
                        /* get daemon pid */
                        cp = current;
-                       while ((i = getc(fp)) != EOF && i != '\n')
-                               *cp++ = i;
+                       ecp = cp + sizeof(current) - 1;
+                       while ((i = getc(fp)) != EOF && i != '\n') {
+                               if (cp < ecp)
+                                       *cp++ = i;
+                       }
                        *cp = '\0';
                        i = atoi(current);
                        if (i <= 0) {
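Review bot: `atoi(current)` still parses the pid line with no error or range detection, so a non-numeric line is caught only by the `i <= 0` test and a value too large for `int` is undefined behaviour. Since the commit treats the file's contents as untrusted, `l = strtol(current, &ep, 10);` with a rejection when `ep == current`, `errno == ERANGE` or `l` is outside the positive `int` range would close that gap. The bounded loop itself looks correct (`ecp` leaves room for the terminator and the rest of an overlong line is still drained), but it truncates silently and is repeated verbatim in the next hunk for the file name. A small `static` helper taking the stream, the buffer and its size would keep the two copies from drifting apart. The enclosing function starts and ends outside this hunk.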
@@ -189,8 +192,11 @@
                        } else {
                                /* read current file name */
                                cp = current;
-                               while ((i = getc(fp)) != EOF && i != '\n')
-                                       *cp++ = i;
+                               ecp = cp + sizeof(current) - 1;
+                               while ((i = getc(fp)) != EOF && i != '\n') {
+                                       if (cp < ecp)
+                                               *cp++ = i;
+                               }
                                *cp = '\0';
                                /*
                                 * Print the status file.


