fix buffer overflow, as sizeof(paths) won't fit inside the array.

from Stefan Kempf

"looks right to me" matthieu@

1 files changed, 5 insertions, 4 deletions

diff --git a/app/cwm/kbfunc.c b/app/cwm/kbfunc.c
index adb4d8261..ca2e13ba5 100644
--- a/app/cwm/kbfunc.c
+++ b/app/cwm/kbfunc.c
@@ -4,7 +4,7 @@
  *  Copyright (c) 2004 Martin Murray <mmurray@monkey.org>
  *  All rights reserved.
  *
- * $Id: kbfunc.c,v 1.6 2007/06/27 13:28:22 todd Exp $
+ * $Id: kbfunc.c,v 1.7 2007/09/06 06:01:14 jasper Exp $
  */
 
 #include <paths.h>
@@ -170,7 +170,8 @@ kbfunc_lock(struct client_ctx *cc, void *arg)
 void
 kbfunc_exec(struct client_ctx *scratch, void *arg)
 {
-	char **ap, *paths[256], *path, tpath[MAXPATHLEN];
+#define NPATHS 256
+	char **ap, *paths[NPATHS], *path, tpath[MAXPATHLEN];
 	int l, i, j, ngroups;
 	gid_t mygroups[NGROUPS_MAX];
 	uid_t ruid, euid, suid;
@@ -188,13 +189,13 @@ kbfunc_exec(struct client_ctx *scratch, void *arg)
 	TAILQ_INIT(&menuq);
 	/* just use default path until we have config to set this */
 	path = xstrdup(_PATH_DEFPATH);
-	for (ap = paths; ap < &paths[sizeof(paths) - 1] &&
+	for (ap = paths; ap < &paths[NPATHS - 1] &&
 	    (*ap = strsep(&path, ":")) != NULL;) {
 		if (**ap != '\0')
 			ap++;
 	}
 	*ap = NULL;
-	for (i = 0; i < sizeof(paths) && paths[i] != NULL; i++) {
+	for (i = 0; i < NPATHS && paths[i] != NULL; i++) {
 		if ((dirp = opendir(paths[i])) == NULL)
 			continue;