diff options
| author | Todd C. Miller <millert@cvs.openbsd.org> | 2003-09-25 21:14:47 +0000 |
|---|---|---|
| committer | Todd C. Miller <millert@cvs.openbsd.org> | 2003-09-25 21:14:47 +0000 |
| commit | 2b6a46c98a55f5919879cac49e40af6ce2bd5661 (patch) | |
| tree | 0deae1e653b20dbc0732adec0d1fc74b730571b0 /lib | |
| parent | 670c70981d00419bb46091189ceca1c3b228af0b (diff) | |
Do check for current pointer vs. buffer end before touching any
elements in the buffer. Fixes an out of bounds access.
From aaron@; OK deraadt@
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/libc/net/ns_ntoa.c | 4 | ||||
| -rw-r--r-- | lib/libc/net/rcmd.c | 10 |
2 files changed, 7 insertions, 7 deletions
diff --git a/lib/libc/net/ns_ntoa.c b/lib/libc/net/ns_ntoa.c index 019e8b0a593..fd67e459da5 100644 --- a/lib/libc/net/ns_ntoa.c +++ b/lib/libc/net/ns_ntoa.c @@ -28,7 +28,7 @@ */ #if defined(LIBC_SCCS) && !defined(lint) -static char rcsid[] = "$OpenBSD: ns_ntoa.c,v 1.12 2003/06/02 20:18:35 millert Exp $"; +static char rcsid[] = "$OpenBSD: ns_ntoa.c,v 1.13 2003/09/25 21:14:46 millert Exp $"; #endif /* LIBC_SCCS and not lint */ #include <sys/param.h> @@ -53,7 +53,7 @@ ns_ntoa(struct ns_addr addr) cp = spectHex(obuf); rem = sizeof(obuf) - (cp - obuf); cp2 = cp + 1; - while (*up==0 && up < uplim) + while (up < uplim && *up==0) up++; if (up == uplim) { if (port) { diff --git a/lib/libc/net/rcmd.c b/lib/libc/net/rcmd.c index f37cb785be6..769e85e0a42 100644 --- a/lib/libc/net/rcmd.c +++ b/lib/libc/net/rcmd.c @@ -29,7 +29,7 @@ */ #if defined(LIBC_SCCS) && !defined(lint) -static char *rcsid = "$OpenBSD: rcmd.c,v 1.47 2003/07/11 22:39:21 deraadt Exp $"; +static char *rcsid = "$OpenBSD: rcmd.c,v 1.48 2003/09/25 21:14:46 millert Exp $"; #endif /* LIBC_SCCS and not lint */ #include <sys/param.h> @@ -485,7 +485,7 @@ __ivaliduser_sa(hostf, raddr, salen, luser, ruser) p = buf; if (*p == '#') continue; - while (*p != '\n' && *p != ' ' && *p != '\t' && p < buf + buflen) { + while (p < buf + buflen && *p != '\n' && *p != ' ' && *p != '\t') { if (!isprint(*p)) goto bail; *p = isupper(*p) ? tolower(*p) : *p; @@ -495,13 +495,13 @@ __ivaliduser_sa(hostf, raddr, salen, luser, ruser) continue; if (*p == ' ' || *p == '\t') { *p++ = '\0'; - while ((*p == ' ' || *p == '\t') && p < buf + buflen) + while (p < buf + buflen && (*p == ' ' || *p == '\t')) p++; if (p >= buf + buflen) continue; user = p; - while (*p != '\n' && *p != ' ' && - *p != '\t' && p < buf + buflen) { + while (p < buf + buflen && *p != '\n' && *p != ' ' && + *p != '\t') { if (!isprint(*p)) goto bail; p++; |