Summary: Fix command-line overflow in example. Contributor: Decklin Foster <decklin@red-bean.com> Index: netcat-1.10/data/rservice.c =================================================================== --- netcat-1.10.orig/data/rservice.c 2007-03-29 13:26:22.000000000 -0400 +++ netcat-1.10/data/rservice.c 2007-03-29 13:36:12.000000000 -0400 @@ -14,7 +14,7 @@ /* change if you like; "id" is a good one for figuring out if you won too */ static char cmd[] = "pwd"; -static char buf [256]; +static char buf [4096]; main(argc, argv) int argc; @@ -26,37 +26,40 @@ char * q; p = buf; - memset (buf, 0, 256); + memset (buf, 0, sizeof (buf)); p++; /* first null */ y = 1; if (! argv[1]) goto wrong; - x = strlen (argv[1]); - memcpy (p, argv[1], x); /* first arg plus another null */ - x++; + strncpy (p, argv[1], sizeof (buf) - y); /* first arg plus another null */ + x = strlen (argv[1]) + 1; p += x; y += x; + if (y >= sizeof (buf)) + goto over; if (! argv[2]) goto wrong; - x = strlen (argv[2]); - memcpy (p, argv[2], x); /* second arg plus null */ - x++; + strncpy (p, argv[2], sizeof (buf) - y); /* second arg plus null */ + x = strlen (argv[2]) + 1; p += x; y += x; + if (y >= sizeof (buf)) + goto over; q = cmd; if (argv[3]) q = argv[3]; - x = strlen (q); /* not checked -- bfd */ - memcpy (p, q, x); /* the command, plus final null */ - x++; + strncpy (p, q, sizeof (buf) - y); /* the command, plus final null */ + x = strlen (q) + 1; p += x; y += x; + if (y >= sizeof (buf)) + goto over; - memcpy (p, "\n", 1); /* and a newline, so it goes */ + strncpy (p, "\n", sizeof (buf) - y); /* and a newline, so it goes */ y++; write (1, buf, y); /* zot! */ @@ -65,4 +68,8 @@ wrong: fprintf (stderr, "wrong! needs 2 or more args.\n"); exit (1); + +over: + fprintf (stderr, "out of memory!\n"); + exit (1); }