From owner-svn-src-all@freebsd.org Sat Feb 9 14:21:30 2019 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id BEABD14E2DB4; Sat, 9 Feb 2019 14:21:30 +0000 (UTC) (envelope-from se@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 569426D9DA; Sat, 9 Feb 2019 14:21:30 +0000 (UTC) (envelope-from se@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 46D981E06; Sat, 9 Feb 2019 14:21:30 +0000 (UTC) (envelope-from se@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x19ELUNc071261; Sat, 9 Feb 2019 14:21:30 GMT (envelope-from se@FreeBSD.org) Received: (from se@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x19ELUAd071260; Sat, 9 Feb 2019 14:21:30 GMT (envelope-from se@FreeBSD.org) Message-Id: <201902091421.x19ELUAd071260@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: se set sender to se@FreeBSD.org using -f From: Stefan Esser Date: Sat, 9 Feb 2019 14:21:30 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org Subject: svn commit: r343939 - stable/12/libexec/getty X-SVN-Group: stable-12 X-SVN-Commit-Author: se X-SVN-Commit-Paths: stable/12/libexec/getty X-SVN-Commit-Revision: 343939 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 569426D9DA X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.95 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-0.99)[-0.995,0]; NEURAL_HAM_SHORT(-0.96)[-0.956,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US]; NEURAL_HAM_LONG(-1.00)[-1.000,0] X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 09 Feb 2019 14:21:30 -0000 Author: se Date: Sat Feb 9 14:21:29 2019 New Revision: 343939 URL: https://svnweb.freebsd.org/changeset/base/343939 Log: MFC r343479: Fix potential buffer overflow and undefined behavior. The buffer allocated in read_chat() could be 1 element too short, if the chatstr parameter passed in is 1 or 3 charachters long (e.g. "a" or "a b"). The allocation of the pointer array does not account for the terminating NULL pointer in that case. Overlapping source and destination strings are undefined in strcpy(). Instead of moving a string to the left by one character just increment the char pointer before it is assigned to the results array. Modified: stable/12/libexec/getty/chat.c Modified: stable/12/libexec/getty/chat.c ============================================================================== --- stable/12/libexec/getty/chat.c Sat Feb 9 14:19:09 2019 (r343938) +++ stable/12/libexec/getty/chat.c Sat Feb 9 14:21:29 2019 (r343939) @@ -141,7 +141,7 @@ read_chat(char **chatstr) int l; if ((l=strlen(str)) > 0 && (tmp=malloc(l + 1)) != NULL && - (res=malloc((l / 2 + 1) * sizeof(char *))) != NULL) { + (res=malloc(((l + 1) / 2 + 1) * sizeof(char *))) != NULL) { static char ws[] = " \t"; char * p; @@ -216,7 +216,7 @@ read_chat(char **chatstr) q = strrchr(p+1, *p); if (q != NULL && *q == *p && q[1] == '\0') { *q = '\0'; - strcpy(p, p+1); + p++; } }