summaryrefslogtreecommitdiff
path: root/xinit.c
diff options
context:
space:
mode:
authorTobias Stoeckmann <tobias@stoeckmann.org>2019-02-07 20:54:37 +0100
committerWalter Harms <wharms@bfs.de>2019-02-09 18:26:57 +0100
commitb3dc751212e5f2f6b5d263e009cc2b85e56bfdbf (patch)
tree6a3303f0eaf33011bf3abe9835ba85d88464bd89 /xinit.c
parentf727023c1a75dcc467dd99a3db69a5834a0718f0 (diff)
Buffer overflow with many arguments.
Command line arguments are copied into clientargv and serverargv without verifying that enough space is available. A high amount of arguments can therefore trigger a buffer overflow like this: $ xinit $(seq 1 500) Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org> Reviewed-by: Walter Harms wharms@bfs,de
Diffstat (limited to 'xinit.c')
-rw-r--r--xinit.c7
1 files changed, 4 insertions, 3 deletions
diff --git a/xinit.c b/xinit.c
index f826b7a..06c92b2 100644
--- a/xinit.c
+++ b/xinit.c
@@ -151,7 +151,6 @@ main(int argc, char *argv[])
register char **ptr;
pid_t pid;
int client_given = 0, server_given = 0;
- int client_args_given = 0, server_args_given = 0;
int start_of_client_args, start_of_server_args;
struct sigaction sa, si;
#ifdef __APPLE__
@@ -174,7 +173,8 @@ main(int argc, char *argv[])
}
start_of_client_args = (cptr - client);
while (argc && strcmp(*argv, "--")) {
- client_args_given++;
+ if (cptr > clientargv + sizeof(clientargv) / sizeof(*clientargv) - 2)
+ Fatalx("too many client arguments");
*cptr++ = *argv++;
argc--;
}
@@ -202,7 +202,8 @@ main(int argc, char *argv[])
start_of_server_args = (sptr - server);
while (--argc >= 0) {
- server_args_given++;
+ if (sptr > serverargv + sizeof(serverargv) / sizeof(*serverargv) - 2)
+ Fatalx("too many server arguments");
*sptr++ = *argv++;
}
*sptr = NULL;