From b7b6056081e4cf600d844ac0447b7ae3bd7a4e23 Mon Sep 17 00:00:00 2001
From: itojun
Date: Tue, 21 Nov 2000 13:50:25 +0000
Subject: [PATCH] make sure we do not overrun packet buffer when we set error message string.
---
 libexec/tftpd/tftpd.c | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/libexec/tftpd/tftpd.c b/libexec/tftpd/tftpd.c
index f1e5f745eca5..cab21bd3a7e6 100644
--- a/libexec/tftpd/tftpd.c
+++ b/libexec/tftpd/tftpd.c
@@ -1,4 +1,4 @@
-/* $NetBSD: tftpd.c,v 1.20 2000/11/21 13:39:07 itojun Exp $ */
+/* $NetBSD: tftpd.c,v 1.21 2000/11/21 13:50:25 itojun Exp $ */
 /*
 * Copyright (c) 1983, 1993
@@ -40,7 +40,7 @@ __COPYRIGHT("@(#) Copyright (c) 1983, 1993\n\
 #if 0
 static char sccsid[] = "@(#)tftpd.c 8.1 (Berkeley) 6/4/93";
 #else
-__RCSID("$NetBSD: tftpd.c,v 1.20 2000/11/21 13:39:07 itojun Exp $");
+__RCSID("$NetBSD: tftpd.c,v 1.21 2000/11/21 13:50:25 itojun Exp $");
 #endif
 #endif /* not lint */
@@ -774,23 +774,24 @@ nak(error)
 struct tftphdr *tp;
 int length;
 const struct errmsg *pe;
+ size_t msglen;
 tp = (struct tftphdr *)buf;
 tp->th_opcode = htons((u_short)ERROR);
+ msglen = sizeof(buf) - (&tp->th_msg[0] - buf);
 for (pe = errmsgs; pe->e_code >= 0; pe++)
 if (pe->e_code == error)
 break;
 if (pe->e_code < 0) {
 tp->th_code = EUNDEF; /* set 'undef' errorcode */
- strcpy(tp->th_msg, strerror(error - 100));
+ strlcpy(tp->th_msg, strerror(error - 100), msglen);
 } else {
 tp->th_code = htons((u_short)error);
- strcpy(tp->th_msg, pe->e_msg);
+ strlcpy(tp->th_msg, pe->e_msg, msglen);
 }
- length = strlen(pe->e_msg);
- tp->th_msg[length] = '\0';
- length += 5;
- if (send(peer, buf, length, 0) != length)
+ length = strlen(tp->th_msg);
+ msglen = &tp->th_msg[length + 1] - buf;
+ if (send(peer, buf, msglen, 0) != msglen)
 syslog(LOG_ERR, "nak: %m");
 }
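Review bot: In the `nak` hunk the final `if (send(peer, buf, msglen, 0) != msglen)` compares the signed return value of `send` with a `size_t`, and `msglen` is reused for two different things: first the room left for `th_msg`, then the length of the packet. A failed `send` is still logged only because -1 converts to a large unsigned value; a separate signed length states the intent directly, with `ssize_t pktlen;` in the declarations, `pktlen = &tp->th_msg[length + 1] - buf;` and `if (send(peer, buf, pktlen, 0) != pktlen)`. The bound `sizeof(buf) - (&tp->th_msg[0] - buf)` is only correct while `buf` is an array; its declaration is outside the hunk, so a comment such as `/* buf must be an array, not a pointer: sizeof(buf) bounds th_msg */` next to that line would protect the check. `nak` starts before the hunk, so the full declaration list is not visible here.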