author | Theo Buehler <tb@cvs.openbsd.org> | 2017-08-20 07:03:46 +0000 |
---|---|---|
committer | Theo Buehler <tb@cvs.openbsd.org> | 2017-08-20 07:03:46 +0000 |
commit | 966c819687e505a05980fa1fd39c79a733d96ee5 (patch) | |
tree | 0e13f3d42251d917370db5286c2eec07940aabc6 | |
parent | 829c24d7ee516185f370e33dcd627c88948e54a1 (diff) |
Check that we haven't yet reached the end of the string before calling
strcspn(3) instead of afterwards. Fixes an out-of-bound read that led
to intermittent crashes experienced by rob in his regression test.
ok rob
-rw-r--r-- | usr.sbin/snmpd/parse.y | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/usr.sbin/snmpd/parse.y b/usr.sbin/snmpd/parse.y
index 26cd6b999fb..af8df2e5149 100644
--- a/usr.sbin/snmpd/parse.y
+++ b/usr.sbin/snmpd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.44 2017/07/28 13:15:32 florian Exp $ */
+/* $OpenBSD: parse.y,v 1.45 2017/08/20 07:03:45 tb Exp $ */
 /*
 * Copyright (c) 2007, 2008, 2012 Reyk Floeter <reyk@openbsd.org>
@@ -525,7 +525,7 @@ socktype : RESTRICTED { $$ = SOCK_TYPE_RESTRICTED; }
 ;
 cmd : STRING {
- struct trapcmd *cmd;
+ struct trapcmd *cmd;
 size_t span, limit;
 char *pos, **args, **args2;
 int nargs = 32; /* XXX */
@@ -540,8 +540,8 @@ cmd : STRING {
 pos = $1;
 limit = strlen($1);
- while ((span = strcspn(pos, " \t")) != 0 &&
- pos < $1 + limit) {
+ while (pos < $1 + limit &&
+ (span = strcspn(pos, " \t")) != 0) {
 pos[span] = '\0';
 args[cmd->cmd_argc] = strdup(pos);
 if (args[cmd->cmd_argc] == NULL) { |
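Review bot: In the last hunk the operand order of the `while` condition is now the only thing keeping `strcspn()` inside the string, and nothing in the code says so. A comment above the loop, e.g. `/* pos may already be past the end of $1 here; check the bound before strcspn(3) reads from it */`, would keep a later cleanup from swapping the operands back. The same condition still ends the loop on the first empty token (`span == 0`), so a command string with a leading blank or two consecutive separators appears to lose its remaining arguments silently. If that is not intended, skipping separator runs with `strspn(pos, " \t")` under the same `pos < $1 + limit` guard would handle it. The loop body, including the advance of `pos`, continues past the end of the hunk, so both points should be checked against the full action.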