From d00a8d1e94456d45abbb7c94cd846661735277ab Mon Sep 17 00:00:00 2001
From: dholland
Date: Mon, 29 Jun 2009 23:05:33 +0000
Subject: Fix two serious string-handling bugs (one exploitable, one probably exploitable) and also add proper checking/paranoia in several other places.
---
 hack/hack.main.c | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)
(limited to 'hack/hack.main.c')
diff --git a/hack/hack.main.c b/hack/hack.main.c
index 28eec738..05bd88f9 100644
--- a/hack/hack.main.c
+++ b/hack/hack.main.c
@@ -1,4 +1,4 @@
-/* $NetBSD: hack.main.c,v 1.12 2009/06/07 20:13:18 dholland Exp $ */
+/* $NetBSD: hack.main.c,v 1.13 2009/06/29 23:05:33 dholland Exp $ */
 /*
 * Copyright (c) 1985, Stichting Centrum voor Wiskunde en Informatica,
@@ -63,7 +63,7 @@
 #include
 #ifndef lint
-__RCSID("$NetBSD: hack.main.c,v 1.12 2009/06/07 20:13:18 dholland Exp $");
+__RCSID("$NetBSD: hack.main.c,v 1.13 2009/06/29 23:05:33 dholland Exp $");
 #endif /* not lint */
 #include
@@ -300,7 +300,8 @@ main(int argc, char *argv[])
 }
 *gp = 0;
 } else
- (void) strcpy(genocided, sfoo);
+ (void) strlcpy(genocided, sfoo,
+ sizeof(genocided));
 (void) strcpy(fut_geno, genocided);
 }
 }
@@ -478,12 +479,12 @@ void
 glo(int foo)
 {
 /* construct the string xlock.n */
- char *tf;
+ size_t pos;
- tf = lock;
- while (*tf && *tf != '.')
- tf++;
- (void) sprintf(tf, ".%d", foo);
+ pos = 0;
+ while (lock[pos] && lock[pos] != '.')
+ pos++;
+ (void) snprintf(lock + pos, sizeof(lock) - pos, ".%d", foo);
 }
 /*
--
cgit v1.2.3
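Review bot: The `strcpy(fut_geno, genocided)` kept as context right after the new `strlcpy` is still unbounded; it is safe only if `fut_geno` is declared at least as large as `genocided`, which this hunk does not show. Bounding it the same way, `(void) strlcpy(fut_geno, genocided, sizeof(fut_geno));`, removes that dependency on a declaration elsewhere. The `(void)` cast also discards strlcpy's return value, so an over-long `sfoo` is truncated silently; if that matters, compare the result against `sizeof(genocided)` and report it. main() begins and continues outside the hunk, so the origin of `sfoo` and the bounds of the `gp` copy in the other branch cannot be checked from here.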
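Review bot: The `(void)` cast on the new `snprintf` in glo() hides truncation: if `lock` has too little room left after the first '.', the numeric suffix is cut short and two different values of `foo` can produce the same string. Presumably this string names a per-level file, so a shortened suffix should be treated as an error rather than silently reusing another name. Suggest `int n = snprintf(lock + pos, sizeof(lock) - pos, ".%d", foo);` followed by `if (n < 0 || (size_t)n >= sizeof(lock) - pos)` leading to a fatal error path. `sizeof(lock)` is a real bound only if `lock` is visible here as an array rather than a pointer; its declaration is outside the hunk.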