CVS commit: src/usr.sbin/makemandb

Tue, 05 Jul 2016 23:58:40 -0700 

Module Name:    src
Committed By:   abhinav
Date:           Wed Jul  6 06:57:40 UTC 2016

Modified Files:
        src/usr.sbin/makemandb: apropos-utils.c

Log Message:
Fix possible buffer overflow when concatenating strings.
Patch from christos@


To generate a diff of this commit:
cvs rdiff -u -r1.26 -r1.27 src/usr.sbin/makemandb/apropos-utils.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


Modified files:

Index: src/usr.sbin/makemandb/apropos-utils.c
diff -u src/usr.sbin/makemandb/apropos-utils.c:1.26 src/usr.sbin/makemandb/apropos-utils.c:1.27
--- src/usr.sbin/makemandb/apropos-utils.c:1.26	Wed Jun  1 15:59:18 2016
+++ src/usr.sbin/makemandb/apropos-utils.c	Wed Jul  6 06:57:40 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: apropos-utils.c,v 1.26 2016/06/01 15:59:18 abhinav Exp $	*/
+/*	$NetBSD: apropos-utils.c,v 1.27 2016/07/06 06:57:40 abhinav Exp $	*/
 /*-
  * Copyright (c) 2011 Abhinav Upadhyay <[email protected]>
  * All rights reserved.
@@ -31,7 +31,7 @@
  */
 
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: apropos-utils.c,v 1.26 2016/06/01 15:59:18 abhinav Exp $");
+__RCSID("$NetBSD: apropos-utils.c,v 1.27 2016/07/06 06:57:40 abhinav Exp $");
 
 #include <sys/queue.h>
 #include <sys/stat.h>
@@ -109,7 +109,7 @@ concat(char **dst, const char *src)
 void
 concat2(char **dst, const char *src, size_t srclen)
 {
-	size_t total_len, dst_len;
+	size_t totallen, dstlen;
 	assert(src != NULL);
 
 	/*
@@ -117,23 +117,24 @@ concat2(char **dst, const char *src, siz
 	 * strdup the source buffer
 	 */
 	if (*dst == NULL) {
-		*dst = estrdup(src);
+		*dst = estrndup(src, srclen);
 		return;
 	}
 
-	dst_len = strlen(*dst);
+	dstlen = strlen(*dst);
 	/*
 	 * NUL Byte and separator space
 	 */
-	total_len = dst_len + srclen + 2;
+	totallen = dstlen + srclen + 2;
 
-	*dst = erealloc(*dst, total_len);
+	*dst = erealloc(*dst, totallen);
 
 	/* Append a space at the end of dst */
-	(*dst)[dst_len++] = ' ';
+	(*dst)[dstlen++] = ' ';
 
 	/* Now, copy src at the end of dst */
-	memcpy(*dst + dst_len, src, srclen + 1);
+	memcpy(*dst + dstlen, src, srclen);
+	(*dst)[dstlen + srclen + 1] = '\0';
 }
 
 void

Reply via email to