proc/devname.c: Prevent off-by-one overflow in dev_to_tty().

author Qualys Security Advisory <qsa@qualys.com>

Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)

committer Craig Small <csmall@enc.com.au>

Fri, 18 May 2018 21:32:21 +0000 (07:32 +1000)
author Qualys Security Advisory <qsa@qualys.com>
Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)
committer Craig Small <csmall@enc.com.au>
Fri, 18 May 2018 21:32:21 +0000 (07:32 +1000)
diff --git a/proc/devname.c b/proc/devname.c

index 742907913ef7724ee8942ff7d8068e81973faae6..f673a417d38ec2b9811b9d73c70103d559596d77 100644 (file)
--- a/proc/devname.c
+++ b/proc/devname.c
@@ -348,7 +348,7 @@ abbrev:
    if((flags&ABBREV_TTY) && !strncmp(tmp,"tty",  3) && tmp[3]) tmp += 3;
    if((flags&ABBREV_PTS) && !strncmp(tmp,"pts/", 4) && tmp[4]) tmp += 4;
    /* gotta check before we chop or we may chop someone else's memory */
-  if(chop + (unsigned long)(tmp-buf) <= sizeof buf)
+  if(chop + (unsigned long)(tmp-buf) < sizeof buf)
      tmp[chop] = '\0';
    /* replace non-ASCII characters with '?' and return the number of chars */
    for(;;){
author	Qualys Security Advisory <qsa@qualys.com>
	Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)
committer	Craig Small <csmall@enc.com.au>
	Fri, 18 May 2018 21:32:21 +0000 (07:32 +1000)