From 9e7ecc41d56148866725e26c872909823d515963 Mon Sep 17 00:00:00 2001
From: cinap_lenrek
Date: Mon, 1 Oct 2012 02:52:05 +0200
Subject: devproc buffer overflow, strncpy in devproc status read handler the p->status, p->text and p->user could overflow the local statbuf buffer as they where copied into it with code like: memmove(statbuf+someoff, p->text, strlen(p->text)). now using readstr() which will truncate if the string is too long. make strncpy() usage consistent, make sure results are always null terminated.
---
 sys/src/9/port/devbridge.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
(limited to 'sys/src/9/port/devbridge.c')
diff --git a/sys/src/9/port/devbridge.c b/sys/src/9/port/devbridge.c
index 32971fc95..fd0b7a45e 100644
--- a/sys/src/9/port/devbridge.c
+++ b/sys/src/9/port/devbridge.c
@@ -524,14 +524,14 @@ portbind(Bridge *b, int argc, char *argv[])
 if(argc != 4)
 error(usage);
 type = Tether;
- strncpy(name, argv[1], KNAMELEN);
+ strncpy(name, argv[1], KNAMELEN-1);
 name[KNAMELEN-1] = 0;
 // parseaddr(addr, argv[1], Eaddrlen);
 } else if(strcmp(argv[0], "tunnel") == 0) {
 if(argc != 5)
 error(usage);
 type = Ttun;
- strncpy(name, argv[1], KNAMELEN);
+ strncpy(name, argv[1], KNAMELEN-1);
 name[KNAMELEN-1] = 0;
 // parseip(addr, argv[1]);
 dev2 = argv[4];
@@ -632,12 +632,12 @@ portunbind(Bridge *b, int argc, char *argv[])
 error(usage);
 if(strcmp(argv[0], "ether") == 0) {
 type = Tether;
- strncpy(name, argv[1], KNAMELEN);
+ strncpy(name, argv[1], KNAMELEN-1);
 name[KNAMELEN-1] = 0;
 // parseaddr(addr, argv[1], Eaddrlen);
 } else if(strcmp(argv[0], "tunnel") == 0) {
 type = Ttun;
- strncpy(name, argv[1], KNAMELEN);
+ strncpy(name, argv[1], KNAMELEN-1);
 name[KNAMELEN-1] = 0;
 // parseip(addr, argv[1]);
 } else
-- cgit v1.2.3
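Review bot: An over-long interface name in `argv[1]` is still accepted and silently cut to KNAMELEN-1 bytes at all four `strncpy(name, argv[1], KNAMELEN-1);` sites: the ether and tunnel branches of portbind in the first hunk, and the same two branches of portunbind in the second. The copy is bounded and terminated, but the truncated `name` is presumably what the rest of each function uses to find the device or port, so a long argument could resolve to a different interface than the caller named, and on unbind possibly to the wrong port. Rejecting the argument before the copy would make the failure explicit, for example `if(strlen(argv[1]) >= KNAMELEN) error(usage);` or the same check with a more specific error string. Both function bodies start and end outside the hunks, so the declaration of `name` (assumed to be `char[KNAMELEN]`) and its later use are not visible here.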