CVS commit: src/usr.sbin/bootp/bootpd

Sat, 29 Mar 2014 11:23:28 -0700 

Module Name:    src
Committed By:   apb
Date:           Sat Mar 29 18:23:00 UTC 2014

Modified Files:
        src/usr.sbin/bootp/bootpd: bootpd.c

Log Message:
sizeof(pointer) is not a good buffer length to pass to strlcat.
Introduce a new variable, clntpathmaxlen, to hold the correct
buffer length, and pass that to strlcat.

The incorrect buffer length would have caused <filename>.<hostname>
lookups to fail.


To generate a diff of this commit:
cvs rdiff -u -r1.24 -r1.25 src/usr.sbin/bootp/bootpd/bootpd.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


Modified files:

Index: src/usr.sbin/bootp/bootpd/bootpd.c
diff -u src/usr.sbin/bootp/bootpd/bootpd.c:1.24 src/usr.sbin/bootp/bootpd/bootpd.c:1.25
--- src/usr.sbin/bootp/bootpd/bootpd.c:1.24	Mon Aug 29 20:38:54 2011
+++ src/usr.sbin/bootp/bootpd/bootpd.c	Sat Mar 29 18:23:00 2014
@@ -22,7 +22,7 @@ SOFTWARE.
 
 #include <sys/cdefs.h>
 #ifndef lint
-__RCSID("$NetBSD: bootpd.c,v 1.24 2011/08/29 20:38:54 joerg Exp $");
+__RCSID("$NetBSD: bootpd.c,v 1.25 2014/03/29 18:23:00 apb Exp $");
 #endif
 
 /*
@@ -599,6 +599,7 @@ handle_request(void)
 	int32 dest;
 	char lrealpath[1024];
 	char *clntpath;
+	size_t clntpathmaxlen;
 	char *homedir, *bootfile;
 	int n;
 
@@ -811,9 +812,11 @@ HW addr type is IEEE 802.  convert to %s
 	if (hp->flags.tftpdir) {
 		strlcpy(lrealpath, hp->tftpdir->string, sizeof(lrealpath));
 		clntpath = &lrealpath[strlen(lrealpath)];
+		clntpathmaxlen = sizeof(lrealpath) + lrealpath - clntpath;
 	} else {
 		lrealpath[0] = '\0';
 		clntpath = lrealpath;
+		clntpathmaxlen = sizeof(lrealpath)
 	}
 
 	/*
@@ -883,8 +886,8 @@ HW addr type is IEEE 802.  convert to %s
 	 * First try to find the file with a ".host" suffix
 	 */
 	n = strlen(clntpath);
-	strlcat(clntpath, ".", sizeof(clntpath));
-	strlcat(clntpath, hp->hostname->string, sizeof(clntpath));
+	strlcat(clntpath, ".", clntpathmaxlen);
+	strlcat(clntpath, hp->hostname->string, clntpathmaxlen);
 	if (chk_access(lrealpath, &bootsize) < 0) {
 		clntpath[n] = 0;			/* Try it without the suffix */
 		if (chk_access(lrealpath, &bootsize) < 0) {

Reply via email to