diff options
author | Theo de Raadt <deraadt@cvs.openbsd.org> | 1996-06-19 10:03:44 +0000 |
---|---|---|
committer | Theo de Raadt <deraadt@cvs.openbsd.org> | 1996-06-19 10:03:44 +0000 |
commit | a6b7a98425f17460635347cb76351f42ae626ed5 (patch) | |
tree | 0bedefe2daa8a430dbb13aec6aac7bc8500b54d7 | |
parent | 6105ef566bcff4c293f661bec213a299207359ac (diff) |
do not overflow term buffer, noted initially by darren reed. my own fix
-rw-r--r-- | usr.bin/rlogin/rlogin.c | 16 |
1 files changed, 13 insertions, 3 deletions
diff --git a/usr.bin/rlogin/rlogin.c b/usr.bin/rlogin/rlogin.c index c1bb31ee08e..5f05baff7af 100644 --- a/usr.bin/rlogin/rlogin.c +++ b/usr.bin/rlogin/rlogin.c @@ -256,10 +256,20 @@ main(argc, argv) exit(1); } - (void)strcpy(term, (p = getenv("TERM")) ? p : "network"); + (void)strncpy(term, (p = getenv("TERM")) ? p : "network", + sizeof(term) - 1); + term[sizeof(term) - 1] = '\0'; + + /* + * Add "/baud" only if there is room left; ie. do not send "/19" + * for 19200 baud with a particularily long $TERM + */ if (tcgetattr(0, &tty) == 0) { - (void)strcat(term, "/"); - (void)sprintf(term + strlen(term), "%d", cfgetospeed(&tty)); + char baud[20]; /* more than enough.. */ + + (void)sprintf(baud, "/%d", cfgetospeed(&tty)); + if (strlen(term) + strlen(baud) < sizeof(term) - 1) + (void)strcat(term, baud); } (void)get_window_size(0, &winsize); |