(sendcmd): Don't overflow buf[]. The bug was fairly harmless, because
authorMarkus Armbruster <armbru@pond.sub.org>
Fri, 14 Dec 2007 06:01:13 +0000 (06:01 +0000)
committerMarkus Armbruster <armbru@pond.sub.org>
Fri, 14 Dec 2007 06:01:13 +0000 (06:01 +0000)
the overflowing data comes from the local user.

src/client/expect.c

index 5ea380a057dc801829e2efff74c4baf60e0fb010..3d1429ccbc7814d202a25001f654261b6825c634 100644 (file)
@@ -126,11 +126,14 @@ void
 sendcmd(int s, char *cmd, char *arg)
 {
     char buf[128];
-    int cc;
-    int len;
+    int cc, len;
 
-    (void)sprintf(buf, "%s %s\n", cmd, arg != NULL ? arg : "");
-    len = strlen(buf);
+    len = snprintf(buf, sizeof(buf), "%s %s\n",
+                  cmd, arg != NULL ? arg : "");
+    if (len >= (int)sizeof(buf)) {
+       fprintf(stderr, "%s too long\n", cmd);
+       exit(1);
+    }
     cc = write(s, buf, len);
     if (cc < 0) {
        perror("sendcmd: write");
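Review bot: The new bound check `if (len >= (int)sizeof(buf))` lets a negative return from snprintf() through, and that value then reaches `write(s, buf, len)`, where it converts to a very large size_t count. An error return is unlikely with plain `%s` conversions, but if it happens the write length is no longer bounded by the 128-byte buf[], which is the condition this commit sets out to remove. Widening the guard to `if (len < 0 || len >= (int)sizeof(buf)) {` closes that path at no cost. The body of sendcmd continues past the end of the hunk, so whether a short write (`0 <= cc < len`) is handled cannot be seen from here and is worth confirming.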