RTOS/rtems
1
0
Fork 0
forked from Imagelibrary/rtems
Code Pull Requests Activity

cpukit/telnetd/pty.c: Fix format overflow warning on sprintf()

Browse Source 
cpukit/telnetd/pty.c:436:47: warning: '%X' directive writing between
   1 and 8 bytes into a region of size 3 [-Wformat-overflow=]

The devname area was malloc'ed. Now it is statically allocated and
sufficiently large to account for the potential buffer overflow.
This commit is contained in:
Joel Sherrill
2018-08-21 10:32:48 -05:00
parent cba349cf30
commit 14a218fd20
1 changed files with 6 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
cpukit/telnetd/pty.c
View File

@@ -71,7 +71,7 @@ struct pty_tt;
typedef struct pty_tt pty_t; typedef struct pty_tt pty_t;
struct pty_tt { struct pty_tt {
char *devname; char devname[17];
struct rtems_termios_tty *ttyp; struct rtems_termios_tty *ttyp;
tcflag_t c_cflag; tcflag_t c_cflag;
int opened; int opened;
@@ -432,8 +432,8 @@ rtems_device_driver my_pty_initialize(
*/ */
for (ndx=0;ndx<rtems_telnetd_maximum_ptys;ndx++) { for (ndx=0;ndx<rtems_telnetd_maximum_ptys;ndx++) {
telnet_ptys[ndx].devname = (char*)malloc(strlen("/dev/ptyXX")+1); /* devname is included in the structure */
sprintf(telnet_ptys[ndx].devname,"/dev/pty%X",ndx); sprintf(telnet_ptys[ndx].devname,"/dev/pty%02X",ndx);
telnet_ptys[ndx].ttyp = NULL; telnet_ptys[ndx].ttyp = NULL;
telnet_ptys[ndx].c_cflag = CS8|B9600; telnet_ptys[ndx].c_cflag = CS8|B9600;
telnet_ptys[ndx].socket = -1; telnet_ptys[ndx].socket = -1;
@@ -491,8 +491,9 @@ static int pty_do_finalize(void)
status = (rtems_status_code)unlink(telnet_ptys[ndx].devname); status = (rtems_status_code)unlink(telnet_ptys[ndx].devname);
if (status != RTEMS_SUCCESSFUL) if (status != RTEMS_SUCCESSFUL)
perror("removing pty device node from file system"); perror("removing pty device node from file system");
else else {
free(telnet_ptys[ndx].devname); telnet_ptys[ndx].devname[0] = '\0';
}
}; };
free ( telnet_ptys ); free ( telnet_ptys );