When copying command line arguments to out new argument vector,

don't go past the end of the buffer.  Not a security issue since
root controls the fingerd arguments.  Noticed by Brian Poole.

1 files changed, 12 insertions, 8 deletions

diff --git a/libexec/fingerd/fingerd.c b/libexec/fingerd/fingerd.c
index f5630c6ab29..0a38e6b1eb5 100644
--- a/libexec/fingerd/fingerd.c
+++ b/libexec/fingerd/fingerd.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: fingerd.c,v 1.22 2001/08/18 18:31:21 deraadt Exp $	*/
+/*	$OpenBSD: fingerd.c,v 1.23 2001/11/27 17:10:26 millert Exp $	*/
 
 /*
  * Copyright (c) 1983, 1993
@@ -43,7 +43,7 @@ static char copyright[] =
 #if 0
 static char sccsid[] = "from: @(#)fingerd.c	8.1 (Berkeley) 6/4/93";
 #else
-static char rcsid[] = "$OpenBSD: fingerd.c,v 1.22 2001/08/18 18:31:21 deraadt Exp $";
+static char rcsid[] = "$OpenBSD: fingerd.c,v 1.23 2001/11/27 17:10:26 millert Exp $";
 #endif
 #endif /* not lint */
 
@@ -105,19 +105,23 @@ main(argc, argv)
 			user_required = 1;
 			break;
 		case 'S':
-			short_list = 1;
-			av[ac++] = "-s";
+			if (ac < ENTRIES) {
+				short_list = 1;
+				av[ac++] = "-s";
+			}
 			break;
 		case 'm':
-			av[ac++] = "-m";
+			if (ac < ENTRIES)
+				av[ac++] = "-m";
 			break;
 		case 'M':
-			av[ac++] = "-M";
+			if (ac < ENTRIES)
+				av[ac++] = "-M";
 			break;
 		case 'p':
-			av[ac++] = "-p";
+			if (ac < ENTRIES)
+				av[ac++] = "-p";
 			break;
-		case '?':
 		default:
 			usage();
 		}