authormickey <mickey@openbsd.org>2000-01-20 19:56:48 +0000
committermickey <mickey@openbsd.org>2000-01-20 19:56:48 +0000
commita8480c0121bece4f29711f3547cb84df3a6acb76 (patch)
tree1ce8e608663c6602738ee08db77cfc1310d3ccd6
parentUse sysopen() when opening recover files. This is purely paranoia (diff)
buffer overflow in readline(); from espie@
-rw-r--r--sys/stand/boot/cmd.c27
1 files changed, 15 insertions, 12 deletions
diff --git a/sys/stand/boot/cmd.c b/sys/stand/boot/cmd.c
index 45adfca2be7..a575fee3645 100644
--- a/sys/stand/boot/cmd.c
+++ b/sys/stand/boot/cmd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cmd.c,v 1.45 2000/01/12 19:50:25 mickey Exp $ */
+/* $OpenBSD: cmd.c,v 1.46 2000/01/20 19:56:48 mickey Exp $ */
/*
* Copyright (c) 1997-1999 Michael Shalayeff
@@ -73,7 +73,7 @@ const struct cmd_table cmd_table[] = {
};
static void ls __P((char *, register struct stat *));
-static int readline __P((register char *, int));
+static int readline __P((register char *, size_t, int));
char *nextword __P((register char *));
static char *whatcmd
__P((register const struct cmd_table **ct, register char *));
@@ -87,7 +87,7 @@ getcmd()
{
cmd.cmd = NULL;
- if (!readline(cmd_buf, cmd.timeout))
+ if (!readline(cmd_buf, sizeof(cmd_buf), cmd.timeout))
cmd.cmd = cmd_table;
return docmd();
@@ -215,14 +215,15 @@ whatcmd(ct, p)
}
static int
-readline(buf, to)
+readline(buf, n, to)
register char *buf;
+ size_t n;
int to;
{
#ifdef DEBUG
extern int debug;
#endif
- register char *p = buf, *pe = buf, ch;
+ register char *p = buf, ch;
/* Only do timeout if greater than 0 */
if (to > 0) {
@@ -249,31 +250,33 @@ readline(buf, to)
while (1) {
switch ((ch = getchar())) {
case CTRL('u'):
- while (pe-- > buf)
+ while (p-- > buf)
putchar('\177');
- p = pe = buf;
continue;
case '\n':
case '\r':
- pe[1] = *pe = '\0';
+ p[1] = *p = '\0';
break;
case '\b':
case '\177':
if (p > buf) {
putchar('\177');
p--;
- pe--;
}
continue;
default:
- pe++;
- *p++ = ch;
+ if (p - buf < n-1)
+ *p++ = ch;
+ else {
+ putchar('\007');
+ putchar('\177');
+ }
continue;
}
break;
}
- return pe - buf;
+ return p - buf;
}
/*
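Review bot: Two out-of-bounds writes remain in the new loop body. In the `CTRL('u')` case, `while (p-- > buf)` leaves `p` at `buf - 1` now that the `p = pe = buf;` reset is gone, so the next newline stores through `p` before the start of the buffer and the function returns -1; the decrement belongs inside the loop. In the `default` case, `p - buf < n-1` lets `p` reach `buf + n - 1`, and `p[1] = *p = '\0'` then writes `buf[n]`, one byte past the end, so the bound has to leave room for both terminators. The comparison also mixes a signed pointer difference with `size_t`, which the cast below makes explicit once `p` can no longer drop below `buf`. readline's body starts outside this hunk.

```c
		case CTRL('u'):
			/* stop exactly at buf; never step below the array */
			while (p > buf) {
				putchar('\177');
				p--;
			}
			continue;
		/* … unchanged: newline and backspace cases … */
		default:
			/* reserve two bytes for the p[1] = *p = '\0' store */
			if ((size_t)(p - buf) + 2 < n)
				*p++ = ch;
		/* … unchanged: bell/erase else branch, return … */
```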