(sendcmd): Don't overflow buf[]. The bug was fairly harmless, because

the overflowing data comes from the local user.

diff --git a/src/client/expect.c b/src/client/expect.c
index 5ea380a057dc801829e2efff74c4baf60e0fb010..3d1429ccbc7814d202a25001f654261b6825c634 100644 (file)
--- a/src/client/expect.c
+++ b/src/client/expect.c
@@ -126,11 +126,14 @@ void
 sendcmd(int s, char *cmd, char *arg)
 {
     char buf[128];
 sendcmd(int s, char *cmd, char *arg)
 {
     char buf[128];

-    int cc;
-    int len;
+    int cc, len;

 
 

-    (void)sprintf(buf, "%s %s\n", cmd, arg != NULL ? arg : "");
-    len = strlen(buf);
+    len = snprintf(buf, sizeof(buf), "%s %s\n",
+                  cmd, arg != NULL ? arg : "");
+    if (len >= (int)sizeof(buf)) {
+       fprintf(stderr, "%s too long\n", cmd);
+       exit(1);
+    }

     cc = write(s, buf, len);
     if (cc < 0) {
        perror("sendcmd: write");
     cc = write(s, buf, len);
     if (cc < 0) {
        perror("sendcmd: write");