From 3f887cad1865ee8dec6cab8a9150f0a801493497 Mon Sep 17 00:00:00 2001 From: pfg Date: Tue, 4 Aug 2015 03:06:23 +0000 Subject: [PATCH] MFC r286102: Buffer overflow in wall(1). This affected syslogd, wall and talkd. Detected by FORTIFY_SOURCE GSoC (with clang). Submitted by: Oliver Pinter Differential Revision: https://reviews.freebsd.org/D3254 Reviewed by: delphij, jmg git-svn-id: svn://svn.freebsd.org/base/stable/10@286269 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f --- usr.bin/wall/ttymsg.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr.bin/wall/ttymsg.c b/usr.bin/wall/ttymsg.c index 37b09e9e9..1317a4b0c 100644 --- a/usr.bin/wall/ttymsg.c +++ b/usr.bin/wall/ttymsg.c @@ -62,7 +62,7 @@ ttymsg(struct iovec *iov, int iovcnt, const char *line, int tmout) struct iovec localiov[7]; ssize_t left, wret; int cnt, fd; - static char device[MAXNAMLEN] = _PATH_DEV; + char device[MAXNAMLEN] = _PATH_DEV; static char errbuf[1024]; char *p; int forked; @@ -71,8 +71,8 @@ ttymsg(struct iovec *iov, int iovcnt, const char *line, int tmout) if (iovcnt > (int)(sizeof(localiov) / sizeof(localiov[0]))) return ("too many iov's (change code in wall/ttymsg.c)"); + strlcat(device, line, sizeof(device)); p = device + sizeof(_PATH_DEV) - 1; - strlcpy(p, line, sizeof(device)); if (strncmp(p, "pts/", 4) == 0) p += 4; if (strchr(p, '/') != NULL) { -- 2.45.0